Crypto ACL

matigil
Level 1

I want to exclude some traffic from encryption, but I am not sure whether a deny would work in a crypto map ACL.

Each ACL permit entry creates an IPsec SA:

local ident (addr/mask/prot/port): (<IP address>/mask/0/0)

remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)

But what about a deny?

For example:

access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767

access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255

access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255

Would voice traffic or traffic with 150.150.41.0 destination be excluded from the tunnel?

2 Replies

paqiu
Level 1

The ACL referenced by the crypto map match address is processed from top to bottom until a matching entry is found (the same as a normal access-list).

In your example, voice traffic and traffic destined to 150.150.150.41 will not be encrypted.

The rest of the traffic from 150.150.10.0/24 to 150.150.0.0/16 will go through the IPsec VPN tunnel.

Best Regards,
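As an added illustration of the first-match behaviour described in the question and this answer (example code written for this page, not from the original poster or from Cisco), here is a small Python model of how a crypto-map ACL classifies a flow. It parses the three ACL 120 lines from the question using Cisco wildcard-mask semantics and reports, for a set of constructed flows, whether each flow would be handed to the IPsec SA ("encrypt") or kept out of the tunnel ("bypass"). Assumptions: only numeric ports and the `eq`/`range` operators are modelled (named ports, `gt`/`lt` and `established` are not), and the sample flows and addresses are constructed for the demonstration.

```python
"""Model of crypto-map ACL classification: top-down, first match wins.

Added example for this thread; it is not Cisco code and only models the
subset of ACL syntax used in the question (wildcard masks, eq/range ports).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the question.
ACL_120 = [
    "access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 "
    "150.150.0.0 0.0.255.255 range 16384 32767",
    "access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255",
    "access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255",
]

AddrSpec = Tuple[int, int]     # (network as int, wildcard mask as int)
PortSpec = Tuple[int, int]     # inclusive (low, high)
ALL_PORTS: PortSpec = (0, 65535)


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "udp", "tcp", ...
    src: AddrSpec
    sports: PortSpec
    dst: AddrSpec
    dports: PortSpec


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def _parse_ports(tok: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional 'eq N' or 'range A B' (numeric ports only)."""
    if i < len(tok) and tok[i] == "eq":
        p = int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return ALL_PORTS, i


def parse_ace(line: str) -> Ace:
    """Turn one 'access-list <n> <action> <proto> ...' line into an Ace."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sports, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dports, i = _parse_ports(tok, i)
    return Ace(action, proto, src, sports, dst, dports)


def _addr_match(ip: str, spec: AddrSpec) -> bool:
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(ip)) ^ net) & care == 0


def _ace_match(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    return (_addr_match(f.src, ace.src)
            and ace.sports[0] <= f.sport <= ace.sports[1]
            and _addr_match(f.dst, ace.dst)
            and ace.dports[0] <= f.dport <= ace.dports[1])


def classify(acl: List[str], f: Flow) -> Tuple[str, Optional[int]]:
    """Return ('encrypt'|'bypass', index of the matching line or None).

    A deny and a non-match have the same effect for a crypto ACL: the
    packet is not dropped, it is simply forwarded outside the tunnel.
    """
    for idx, line in enumerate(acl):
        if _ace_match(parse_ace(line), f):
            return ("encrypt" if parse_ace(line).action == "permit" else "bypass"), idx
    return "bypass", None


if __name__ == "__main__":
    # Constructed sample flows (RTP voice, a host in 150.150.41.0/24, plain TCP).
    for name, flow in [
        ("rtp voice", Flow("udp", "150.150.10.5", 20000, "150.150.30.7", 18000)),
        ("ssh to .41 net", Flow("tcp", "150.150.10.5", 4000, "150.150.41.9", 22)),
        ("https", Flow("tcp", "150.150.10.5", 4000, "150.150.30.7", 443)),
        ("dns (udp, low port)", Flow("udp", "150.150.10.5", 53, "150.150.30.7", 53)),
    ]:
        print("%-20s -> %s (line %s)" % ((name,) + classify(ACL_120, flow)))
```

Note that the model answers the question as asked: voice and traffic to 150.150.41.0/24 hit a deny line first and stay out of the tunnel, while UDP on low ports and any TCP to the /16 fall through to the permit and are encrypted. The security-relevant consequence is that "excluded from the tunnel" means forwarded in cleartext, so every deny line is a deliberate decision that those packets may cross the path unprotected.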

What I have noticed is that, when testing VoIP, there are no matches on deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?