Cisco Support Community

New Member

Appropriate filters on ext interface regarding encrypted traffic


I have a single DES encrypted tunnel between a 2621 and a 1710, each network being private and NAT'ed, etc. (similar to the article titled 'Configuring IPSec Router-to-Router, Pre-Shared, NAT Overload Between Private Networks'). The connection comes up QM_IDLE fine and works.

On my external interfaces I have filters on inbound traffic acting as a firewall. I was under the impression that any traffic that was encrypted did not have to be allowed through the inbound filters on the opposite router, but rather that all encrypted traffic bypassed that filter. It appears that is not true and that I must allow my private net traffic through those inbound filters (for practical purposes, all IP traffic from that private net).

The security issue I see with this is: if my private numbering on one of my networks (netA) is the same as another company's network that shares a subnet on a high-speed ISP with another network of mine (netB), then in theory my inbound filter on netB will allow not only all IP encrypted netA traffic but also all IP traffic from the other company utilizing the same ISP.

-Is my understanding correct?

-Is there a better way to set up permits on my external interfaces' inbound filters (than just to allow all of the other nets' IP traffic)?

-Are there any articles explaining the most secure way to set up these filters to work with the crypto tunnels?

-If I allow all encrypted IP traffic through my external filters, how do I know it's even encrypted?



Cisco Employee

Re: Appropriate filters on ext interface regarding encrypted traffic

The traffic would go through the access-list once while it is encrypted, thus you must allow the appropriate protocol, e.g. AH or ESP. Then after decryption, it would go through the same ACL again.

Thus the need to allow the private net on the other side of the VPN. If someone on the net actually passes you traffic with the same source address as the private net of your VPN, the traffic would actually be dropped, since your crypto ACL defines that this traffic should be encrypted and it is not.

You would know if you are getting encrypted traffic on the router; if you want to see the stats with a show command, do:

show crypto engine connections active

If you want to see the encrypted traffic, put a sniffer on and you would only see a data payload encrypted using ESP or AH.
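The following is an added example of the inbound filter the reply describes, written for the 1710 (netB) side; it is not configuration from the original thread or from Cisco. All addresses, ACL names and the interface name are constructed placeholders: 192.0.2.2 stands for the 2621's outside address, 198.51.100.2 for the 1710's outside address, 10.1.0.0/24 for netA and 10.2.0.0/24 for netB. The filter is written so that both passes described in the reply are covered as narrowly as possible: the first pass only admits IKE, ESP and AH from the known peer, and the second pass only admits the decrypted netA-to-netB flow that mirrors the crypto ACL, rather than "permit ip any".

```text
! ---- netB router (1710), constructed example addresses ----
! 198.51.100.2 = this router's outside address
! 192.0.2.2    = peer (2621) outside address
! 10.1.0.0/24  = netA (behind the 2621), 10.2.0.0/24 = netB (behind this router)
!
! Crypto ACL: defines what must be encrypted toward netA.
! Its mirror image is what arrives decrypted on the second ACL pass.
ip access-list extended VPN-TO-NETA
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Inbound filter on the outside interface. VPN traffic hits it twice:
! pass 1 as IKE/ESP/AH from the peer, pass 2 as decrypted netA packets.
ip access-list extended OUTSIDE-IN
 remark -- pass 1: only the known peer may send IKE (UDP 500), ESP and AH to us
 permit udp host 192.0.2.2 host 198.51.100.2 eq isakmp
 permit esp host 192.0.2.2 host 198.51.100.2
 permit ahp host 192.0.2.2 host 198.51.100.2
 remark -- pass 2: decrypted traffic, exact mirror of the crypto ACL
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 remark -- anti-spoofing: nothing from the outside may claim our own space
 deny ip 10.2.0.0 0.0.0.255 any log
 remark -- everything else is dropped and logged
 deny ip any any log
!
interface FastEthernet0
 description outside (ISP)
 ip address 198.51.100.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN
```

Two points worth checking against this: the netA permit is limited to the netA-to-netB pair that the crypto ACL encrypts, so a host at the ISP that merely shares the address space of netA is only admitted on the same narrow pair, and, as the reply states, a cleartext packet from that pair is dropped because the crypto map expects it to have been encrypted; the `log` keywords on the deny lines make those drops visible in `show logging`, which together with `show crypto engine connections active` (or `show crypto ipsec sa`, which reports packets encrypted and decrypted per SA) tells you whether the traffic you are admitting actually came through the tunnel.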