Crypto ACL

I would want to exclude some traffic from encryption, but I am not sure that a deny would work in a crypto map ACL.

Each ACL permit entry creates an IPsec SA:

local ident (addr/mask/prot/port): (<IP address>/mask/0/0)

remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)

But what about a deny?

For example:

access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767

access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255

access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255

Would voice traffic or traffic with 150.150.41.0 destination be excluded from the tunnel?

2 REPLIES

Re: Crypto ACL

The ACL for the crypto map's match address is processed from top to bottom until a matching entry is found (the same as a normal access-list).

In your example, voice and traffic destined to 150.150.150.41 will not be encrypted.

The rest of the traffic from 150.150.10.0/24 to 150.150.0.0/16 will go through the IPsec VPN tunnel.

Best Regards,
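The first-match, top-to-bottom evaluation described in the reply above, as an added example that is not from this thread or from Cisco: a small Python model of access-list 120 from the question, applied to constructed sample flows (the host addresses and ports are assumptions chosen for illustration).

```python
# Added example: models how a crypto map ACL is evaluated, first match top to bottom.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"

@dataclass
class Ace:
    action: str      # "permit" (encrypt) or "deny" (send outside the tunnel)
    proto: str       # "ip" matches every protocol; otherwise must equal the flow's protocol
    src: str
    src_wc: str
    sport: PortRange
    dst: str
    dst_wc: str
    dport: PortRange

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'ignore this bit' when comparing."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def port_match(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def crypto_acl_decision(acl, proto, src, sport, dst, dport) -> str:
    """Return 'encrypt', 'bypass' (explicit deny) or 'no-match' (implicit deny)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc)):
            continue
        if not (port_match(sport, ace.sport) and port_match(dport, ace.dport)):
            continue
        return "encrypt" if ace.action == "permit" else "bypass"  # first match wins
    return "no-match"

RTP = (16384, 32767)  # the "range 16384 32767" from the question's first entry
ACL_120 = [
    Ace("deny",   "udp", "150.150.10.0", "0.0.0.255", RTP,  "150.150.0.0",  "0.0.255.255", RTP),
    Ace("deny",   "ip",  "150.150.10.0", "0.0.0.255", None, "150.150.41.0", "0.0.0.255",   None),
    Ace("permit", "ip",  "150.150.10.0", "0.0.0.255", None, "150.150.0.0",  "0.0.255.255", None),
]

if __name__ == "__main__":  # constructed sample flows; hosts and ports are assumptions
    for flow in [("udp", "150.150.10.5", 20000, "150.150.30.7", 20000),
                 ("tcp", "150.150.10.5", 40000, "150.150.41.9", 443),
                 ("udp", "150.150.10.5", 5060, "150.150.30.7", 5060)]:
        print(flow, "->", crypto_acl_decision(ACL_120, *flow))
```

A flow that matches no entry falls to the implicit deny and is also sent outside the tunnel, so the scope of the final permit deserves the same scrutiny as the deny entries.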


Re: Crypto ACL

What I have noticed is that, when testing VoIP, there are no matches on deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?
