05-23-2005 05:21 AM - edited 02-21-2020 01:47 PM
Can anyone supply me with the order of operation of ingress access lists, specifically regarding IPSec?
I realize that the first thing done is that the IPsec (ISAKMP/ESP) packet is checked against the ACL (ip access-group 120 in). Then this packet is decrypted, and the encapsulated packet is once again checked against this ACL, in my case 120.
The reason I need to fully understand this process is that I am not including the encapsulated RFC 1918 addresses in my ACL 120, yet my remote site has no problems accessing my network through this VPN.
Regards
Jeff
05-23-2005 08:04 AM
Jeff,
Have a look at the following link.
Although it's for NAT, it does show IPsec, and it also proves that your findings above are correct.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
HTH
Paddy
05-24-2005 01:26 AM
The inbound ACL is checked twice on a router.
For a PIX, if we have "sysopt connection permit ipsec", the inbound ACL isn't checked. If we have "no sysopt connection permit ipsec", the inbound ACL is checked for the decrypted traffic.
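As an added illustration of the two-pass behaviour discussed in this thread (this is not configuration posted by anyone above), here is what an inbound ACL 120 on an IOS router terminating a site-to-site tunnel looks like when it is written to satisfy both checks. The peer address 203.0.113.1, the local outside address 192.0.2.1, the private networks 10.1.0.0/16 and 10.2.0.0/16, the interface name and the crypto map name "VPN" are all assumed for the example; the crypto map itself is assumed to be configured elsewhere.

```cisco
! Added example, not from the original thread. Addresses are assumed:
!   203.0.113.1   remote IPsec peer (public address)
!   192.0.2.1     this router's Internet-facing address
!   10.1.0.0/16   remote site's private network (behind the peer)
!   10.2.0.0/16   local private network
!
! Pass 1: the packet as it arrives on the wire is checked. For the tunnel
! this is ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP from the peer only.
access-list 120 remark --- pass 1: encrypted traffic from the IPsec peer ---
access-list 120 permit udp host 203.0.113.1 host 192.0.2.1 eq isakmp
access-list 120 permit udp host 203.0.113.1 host 192.0.2.1 eq non500-isakmp
access-list 120 permit esp host 203.0.113.1 host 192.0.2.1
!
! Pass 2: after decryption the inner (RFC 1918) packet is checked against
! the same ACL, so the private-to-private flows need their own entries.
access-list 120 remark --- pass 2: decrypted traffic from the remote site ---
access-list 120 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Anything else arriving from the Internet is dropped and logged.
access-list 120 remark --- everything else ---
access-list 120 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.248
 ip access-group 120 in
 crypto map VPN
```

A quick way to see which behaviour a given platform actually has is to clear the counters and pass some traffic through the tunnel, then look at "show access-lists 120": if the 10.1.0.0 -> 10.2.0.0 entry's match counter increments alongside the esp entry, the decrypted packet is being checked a second time; if only the esp entry increments while the inner traffic still flows, that platform is not re-checking the decrypted packet against the interface ACL.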