Cisco Support Community

Crypto ACL

I would want to exclude some traffic from encryption, but I am not sure that a deny would work in a crypto map ACL.

Each ACL permit entry creates an IPsec SA:

local ident (addr/mask/prot/port): (<IP address>/mask/0/0)

remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)

But what about a deny?

For example:

access-list 120 deny udp range 16384 32767 range 16384 32767

access-list 120 deny ip

access-list 120 permit ip

Would voice traffic or traffic with destination be excluded from the tunnel?


Re: Crypto ACL

The ACL referenced by the crypto map's match address is processed from top to bottom until a matching entry is found (same as a normal access-list).

In your example, voice traffic and traffic with destination to will not be encrypted.

The rest of the traffic belonging to to will go through the IPsec VPN tunnel.

Best Regards,
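As an added illustration that is not part of the original thread: a small Python model of the top-to-bottom, first-match evaluation described in the reply above, applied to an ACL shaped like the one in the question (a deny for the RTP port range, a deny for one destination, then a permit). The addresses used (10.1.1.0/24 as the local LAN, 10.2.2.0/24 as the remote LAN, host 10.2.2.50 as the excluded destination) and the sample flows are assumptions made for this example, since the original post does not show them.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class AclEntry:
    """One line of a crypto ACL. For proto 'ip' the port ranges are ignored."""
    action: str                     # "permit" (encrypt) or "deny" (bypass)
    proto: str                      # "ip", "udp", "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple = ANY_PORT         # inclusive (low, high)
    dport: tuple = ANY_PORT


def net(s):
    return ipaddress.IPv4Network(s)


# Assumed addresses for the example (not from the original post).
LAN_A = net("10.1.1.0/24")       # local LAN behind this router
LAN_B = net("10.2.2.0/24")       # remote LAN behind the peer
HOST_B = net("10.2.2.50/32")     # destination to be excluded from the tunnel
RTP = (16384, 32767)             # Cisco voice RTP port range

# Model of access-list 120 in the same order as the question's three lines.
ACL_120 = [
    AclEntry("deny", "udp", LAN_A, LAN_B, RTP, RTP),   # voice media stays clear
    AclEntry("deny", "ip", LAN_A, HOST_B),            # everything to HOST_B stays clear
    AclEntry("permit", "ip", LAN_A, LAN_B),           # all other LAN_A->LAN_B is encrypted
]


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


def entry_matches(entry, pkt):
    """pkt = (proto, src_ip, dst_ip, sport, dport)."""
    proto, src, dst, sport, dport = pkt
    if entry.proto != "ip" and entry.proto != proto:
        return False
    if ipaddress.ip_address(src) not in entry.src:
        return False
    if ipaddress.ip_address(dst) not in entry.dst:
        return False
    if entry.proto != "ip":
        # Port ranges only apply to entries that name a transport protocol.
        if not in_range(sport, entry.sport) or not in_range(dport, entry.dport):
            return False
    return True


def crypto_acl_decision(acl, pkt):
    """First-match evaluation, as the reply above describes.

    Returns ("encrypt", index) for a permit hit, ("bypass", index) for a deny
    hit, and ("bypass", None) when nothing matches: traffic that matches no
    entry of a crypto ACL is simply not "interesting" and is sent in clear.
    """
    for index, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return ("encrypt" if entry.action == "permit" else "bypass", index)
    return ("bypass", None)


if __name__ == "__main__":
    # Constructed sample flows (proto, src, dst, sport, dport).
    flows = {
        "RTP media":            ("udp", "10.1.1.10", "10.2.2.20", 20000, 24000),
        "SIP signalling":       ("udp", "10.1.1.10", "10.2.2.20", 5060, 5060),
        "HTTPS to HOST_B":      ("tcp", "10.1.1.10", "10.2.2.50", 40000, 443),
        "RTP to HOST_B":        ("udp", "10.1.1.10", "10.2.2.50", 20000, 20000),
        "SSH to LAN_B":         ("tcp", "10.1.1.10", "10.2.2.20", 40000, 22),
        "Internet-bound":       ("tcp", "10.1.1.10", "192.168.9.9", 40000, 22),
    }
    for name, pkt in flows.items():
        verdict, idx = crypto_acl_decision(ACL_120, pkt)
        line = "no match" if idx is None else f"line {idx + 1}"
        print(f"{name:18s} -> {verdict:7s} ({line})")
```

Note that "RTP to HOST_B" is bypassed by line 1, not line 2, because the first matching entry wins; only SIP signalling and the other non-voice traffic to LAN_B reach the permit and get encrypted. On the router itself, the complementary check is `show crypto ipsec sa`: the `#pkts encaps` and `#pkts decaps` counters of the SA count only traffic that actually went through the tunnel, so a voice call that leaves them unchanged was not encrypted. Also keep in mind that the peer's crypto ACL must be the mirror image of this one, deny lines included, or the two routers will classify the excluded flows differently in each direction.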


Re: Crypto ACL

What I have noticed is that, when testing VoIP, there are no matches on deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?
