Which is processed first?

enikk (Level 1)

I have a router-to-router VPN and I am using IPsec and tunneling from one network to the other. When sending data from one network to the other, which happens first: the encapsulation/de-encapsulation processing or the access-list processing?

Thanks

5 Replies

steve.barlow (Level 7)

When sending packets, access-list processing is done first, then encryption. The ACLs decide whether the packet is allowed in the interface and whether the packet should be encrypted to begin with, and an ACL checks whether the packet is allowed out the interface. Then the packet is encrypted (the last thing done).

When receiving, the first thing done is to check the decryption ACL.

See link: http://www.cisco.com/warp/public/556/5.html

Hope it helps.

Steve

Thanks for the reply.

So if I am creating an encrypted tunnel between 2 locations and want to block/control traffic coming into one of the networks, will I use the public or private addresses in the ACLs to filter traffic?

thanks

Tony


Old account above:)

Your ACL applied inbound will look something like this:

access-list 118 permit esp host x.x.x.x host y.y.y.y (where x.x.x.x is your remote ipsec peer and y.y.y.y is your local peer)

access-list 118 permit udp host x.x.x.x host y.y.y.y eq isakmp

So your filter will be based on the IPsec peer IP. Your crypto ACLs (which determine what will get encrypted) must match in reverse at each end of the tunnel and will be based on your private IPs.

Steve
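The two points in this thread (the ordering Steve gave earlier, and the peer-address interface ACL plus mirrored private-address crypto ACLs in the reply above) fit together in a complete two-router configuration. The following is an added example and not configuration posted in the thread; the addresses (203.0.113.1 and 198.51.100.1 as the public peers, 10.1.1.0/24 and 10.2.2.0/24 as the private networks), the interface names, the pre-shared key placeholder, the ACL numbers 118/120/130 and the choice of AES/SHA-256 transforms are all assumptions, and the ordering comments restate Steve's description rather than anything verified on a particular IOS release.

```cisco
! ===== Router A (local peer 203.0.113.1, protects 10.1.1.0/24) =====
!
! 1. Interface ACL on the OUTSIDE interface, applied inbound.
!    It sees the outer (ESP) packet, so it matches on PEER addresses.
!    Only ESP and ISAKMP from the remote peer are allowed in.
!    (Add lines here for any other traffic the outside interface must
!    accept, e.g. management or routing protocols; this example denies
!    everything else and logs it.)
access-list 118 permit esp host 198.51.100.1 host 203.0.113.1
access-list 118 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 118 deny ip any any log
!
! 2. Crypto ACL: decides which cleartext traffic gets encrypted.
!    It matches the INNER (private) addresses and must be the exact
!    mirror of the crypto ACL on Router B below.
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 3. Optional control of DECRYPTED traffic entering the local LAN.
!    Decrypted packets are routed like any other packet, so a filter
!    applied outbound on the INSIDE interface can use private addresses
!    (assumption for this example: only the 10.2.2.0/24 web/SSH clients
!    may reach the 10.1.1.10 server, everything else from the tunnel is dropped).
access-list 130 permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.10 eq 22
access-list 130 permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 130 permit ip any any
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! ExampleKeyChangeMe is a placeholder; use a long random secret.
crypto isakmp key ExampleKeyChangeMe address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 120
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group 118 in
 crypto map VPN
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group 130 out
!
! ===== Router B (remote peer 198.51.100.1, protects 10.2.2.0/24) =====
!
! Interface ACL: same idea, peer addresses swapped.
access-list 118 permit esp host 203.0.113.1 host 198.51.100.1
access-list 118 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
access-list 118 deny ip any any log
!
! Crypto ACL: the mirror image of Router A's access-list 120.
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key ExampleKeyChangeMe address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 120
!
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.0
 ip access-group 118 in
 crypto map VPN
```

Reading the example against the order Steve described: an outbound packet from 10.1.1.0/24 is first subject to any ACLs on the inside and outside interfaces, is then matched against crypto ACL 120 to decide whether it is encrypted, and is encrypted last; the ESP packet that arrives at Router B is matched by interface ACL 118 on peer addresses before the decryption ACL check. Because the two crypto ACLs are mirrors, a packet permitted on one side is recognized as protected traffic on the other. A practical check is `show crypto ipsec sa` on each router after sending traffic: the "local ident" and "remote ident" lines should show the two private subnets swapped between the peers, and the packets encrypted/decrypted counters should increase on both sides.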

Thanks a lot!!

Tony