561 Views, 0 Helpful, 2 Replies

ipsec pl-compatible like command for IOS

ger.kirby
Level 1

hi,

Is there a command in IOS that allows encrypted traffic to bypass the external access-list of a router? I only want the IPsec ports in the external ACL; I do not really want to list the remote and local encryption domains in the ACL.

Thanks in advance.

Ger

2 Replies

gfullage
Cisco Employee

No, there is no equivalent IOS command. The good news is that if you're referring to bug CSCdz54626 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdz54626&Submit=Search), where the ACL is processed twice on the incoming interface, this has finally been resolved.

I haven't personally tested it yet (because the code isn't available), but the fix is supposedly in the 4th release of the 12.3T train, so that'd be the next release after 12.3(7)T. It may or may not be 12.3(8)T, depends on the timing of the next release, but if you upgrade to this when it becomes available you should be able to remove the local/remote networks from your ACL.

Hey Glenn,

I am not sure that this is a good thing ;)

Do you know if it will be possible to still use ACLs as a filter for the VPN traffic by somehow disabling this "fix" in 12.3 code?
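For readers who need the concrete configuration the thread is talking about, here is an added example (not posted by anyone in the thread and not Cisco's own documentation) of a site-to-site IPsec router whose outside inbound ACL carries both the IPsec protocol entries the original poster wants to keep and the cleartext encryption-domain entry the poster wants to drop. All addresses, names and the pre-shared key are hypothetical; the documentation-range peers 203.0.113.1 (local) and 198.51.100.1 (remote) and the LANs 192.168.1.0/24 and 192.168.2.0/24 are assumed purely for illustration.

```cisco
! Hypothetical topology (assumed for this example):
!   local LAN  192.168.1.0/24  behind this router, outside address 203.0.113.1
!   remote LAN 192.168.2.0/24  behind peer 198.51.100.1
!
! Inbound ACL on the outside interface.
ip access-list extended OUTSIDE-IN
 remark --- IPsec control and data plane from the remote peer ---
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq 4500
 permit esp host 198.51.100.1 host 203.0.113.1
 remark --- Encryption domain (cleartext) ---
 remark On code affected by CSCdz54626 the decrypted packet is re-checked
 remark against this inbound ACL, so the remote->local LAN traffic must be
 remark permitted here too. This is the entry the thread says can be removed
 remark once the fix is present.
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any log
!
! Traffic selector for the crypto map: what gets encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Placeholder key for the example only; never reuse a key from a forum post.
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN
```

A quick way to see which behaviour a given image has is `show access-lists OUTSIDE-IN` while traffic flows across the tunnel: if the match counter on the `permit ip 192.168.2.0 ... 192.168.1.0 ...` entry climbs alongside the `permit esp` entry, decrypted packets are still being evaluated by the inbound ACL and that entry cannot be removed. Keep the `deny ip any any log` last so that a missing cleartext entry shows up in the log rather than silently dropping the tunnel's payload.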