07-17-2002 01:22 AM - edited 02-20-2020 09:18 PM
I would want to exclude some traffic from encryption, but I am not sure that a deny would work in a crypto map ACL.
Each ACL permit entry creates an IPSec SA:
local ident (addr/mask/prot/port): (<IP address>/mask/0/0)
remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)
But what about a deny?
For example:
access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767
access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255
access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255
Would voice traffic or traffic with 150.150.41.0 destination be excluded from the tunnel?
07-17-2002 02:49 AM
The ACL for the crypto map match address will be processed from top to bottom until a matching entry is found. (Same as a normal access-list.)
In your example, voice and traffic destined to 150.150.150.41 will not be encrypted.
The rest of the traffic from 150.150.10.0/24 to 150.150.0.0/16 will go through the IPSEC VPN tunnel.
Best Regards,
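The first-match behaviour described in the reply above, as an added Python simulator that is not part of the original thread: it parses the three access-list 120 entries from the question and reports, per packet, whether the crypto map would encrypt it or send it outside the tunnel. The packet addresses and ports used in the checks are constructed for illustration.

```python
import ipaddress
import re

# The three ACEs quoted in the question (copied verbatim).
ACL_120 = """
access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767
access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255
access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255
"""

ENTRY = re.compile(
    r"access-list \d+ (permit|deny) (\w+) (\S+) (\S+)(?: range (\d+) (\d+))?"
    r" (\S+) (\S+)(?: range (\d+) (\d+))?$"
)

def _net(addr, wildcard):
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Parse extended ACEs of the shape used in the thread into match dicts."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line}")
        action, proto, sa, sw, sp1, sp2, da, dw, dp1, dp2 = m.groups()
        entries.append({
            "action": action, "proto": proto,
            "src": _net(sa, sw), "dst": _net(da, dw),
            "sport": (int(sp1), int(sp2)) if sp1 else None,
            "dport": (int(dp1), int(dp2)) if dp1 else None,
        })
    return entries

def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def crypto_decision(acl, proto, src, sport, dst, dport):
    """First match wins: permit -> encrypt, deny -> bypass; no match -> bypass."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if (ipaddress.IPv4Address(src) in e["src"] and ipaddress.IPv4Address(dst) in e["dst"]
                and _in_range(sport, e["sport"]) and _in_range(dport, e["dport"])):
            return "encrypt" if e["action"] == "permit" else "bypass"
    return "bypass"  # nothing permitted it: forwarded in the clear, outside the tunnel
```

A UDP flow inside the 16384-32767 range or anything to 150.150.41.0/24 hits a deny first and bypasses the tunnel; other 150.150.10.0/24 to 150.150.0.0/16 traffic falls through to the permit and is encrypted.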
07-17-2002 04:48 AM
What I have noticed is that, when testing VoIP, there are no matches on deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?