IPSEC and input acl on the same inbound interface

m-menozzi
Level 1

Could you confirm for me that when an input ACL is enabled together with IPsec on the same inbound interface, the ACL is checked twice, before and after decryption?

I would like to enable a filter that allows only encrypted packets, but if the ACL is checked twice I also need to add the end-to-end IP packets. In that case, any source, including unencrypted ones, could try to get in (DoS).

Thanks for any feedback

Marco
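The setup the question describes, written out as an added example (not from the thread or from Cisco documentation): an inbound ACL on the same interface that carries the crypto map. Peer and LAN addresses are assumed placeholders, and the crypto map name is hypothetical.

```cisco
! Added example; addresses are assumed placeholders:
! 192.0.2.1 = local peer (outside interface), 198.51.100.1 = remote peer,
! 10.1.0.0/24 = local LAN, 10.2.0.0/24 = remote LAN.

! Entries for the tunnel itself, the only traffic the question wants to admit:
access-list 101 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 198.51.100.1 host 192.0.2.1

! If the image checks the ACL a second time after decryption (the behaviour
! the thread asks about), the decrypted end-to-end traffic must be permitted
! as well, otherwise it is dropped after decryption:
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255

! The third entry is the exposure raised in the question: it also matches
! the same addresses arriving in the clear on the outside interface, unless
! the image applies the post-decryption check only to decrypted packets.

interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 crypto map VPNMAP
```

Whether the third entry is required at all depends on the image behaviour discussed in the replies below; on an image that applies the ACL once, only the first two entries are needed.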

5 Replies

b.mason
Level 1

This was resolved around the end of 2001, so later images will not re-inject the packet back through the ACL once it has been decrypted. Check bug ID: CSCdu58486

Thanks. But I have also read the bug description. It's not clear whether the double check of the access list is correct or not, since it seems from there that the ACL check occurring only once is the wrong behaviour...

It seems that testing 12.1(4) was correct, whereas testing 12.2(1) was not. In fact the bug is solved in 12.2(4). But what is the bug?

Marco

You guys might want to take a look at this Bug: CSCdt94387

It doesn't look like it has been fixed yet.

It seems much closer to the issue.

Marco

I have opened a case about this issue, and it seems there is another bug that Cisco is still working on (CSCdm01118).

Thanks to everybody for the feedback.

Marco