07-17-2002 01:22 AM - edited 02-20-2020 09:18 PM
I would like to exclude some traffic from encryption, but I am not sure whether a deny would work in a crypto map ACL.
Each ACL permit entry creates an IPSec SA:
local ident (addr/mask/prot/port): (<IP address>/mask/0/0)
remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)
But what about a deny?
For example:
access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767
access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255
access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255
Would voice traffic or traffic with 150.150.41.0 destination be excluded from the tunnel?
07-17-2002 02:49 AM
The ACL for the crypto map match address is processed from top to bottom until a matching entry is found (same as a normal access-list).
In your example, voice and traffic destined to 150.150.150.41 will not be encrypted.
The rest of the traffic from 150.150.10.0/24 to 150.150.0.0/16 will go through the IPSEC VPN tunnel.
Best Regards,
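To make the top-to-bottom, first-match behaviour concrete, here is a small simulation of how a crypto map ACL classifies flows, run against the access-list 120 from the question. This is an added example written for this page, not code from the thread or from IOS; the Packet tuple, the function names and the sample flows are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    proto: str   # "udp", "tcp", ... ; an "ip" ACL entry matches any protocol
    src: str
    sport: int
    dst: str
    dport: int

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# (action, proto, src net, src wildcard, src port range, dst net, dst wildcard, dst port range)
# A port range of None means any port. Transcribed from access-list 120 in the question.
ACL_120 = [
    ("deny",   "udp", "150.150.10.0", "0.0.0.255", (16384, 32767), "150.150.0.0",  "0.0.255.255", (16384, 32767)),
    ("deny",   "ip",  "150.150.10.0", "0.0.0.255", None,           "150.150.41.0", "0.0.0.255",   None),
    ("permit", "ip",  "150.150.10.0", "0.0.0.255", None,           "150.150.0.0",  "0.0.255.255", None),
]

def entry_matches(entry, pkt: Packet) -> bool:
    action, proto, snet, swc, sports, dnet, dwc, dports = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, snet, swc) and wildcard_match(pkt.dst, dnet, dwc)):
        return False
    if sports and not (sports[0] <= pkt.sport <= sports[1]):
        return False
    if dports and not (dports[0] <= pkt.dport <= dports[1]):
        return False
    return True

def crypto_decision(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins, top to bottom. In a crypto ACL 'permit' means protect
    with IPsec and 'deny' means send in the clear (not drop, unlike an interface
    ACL). No match at all falls to the implicit deny, i.e. also sent in the clear."""
    for idx, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return ("encrypt" if entry[0] == "permit" else "clear", idx)
    return ("clear", None)

if __name__ == "__main__":
    # Constructed sample flows: RTP voice, traffic to the excluded /24, ordinary TCP.
    for p in (Packet("udp", "150.150.10.5", 20000, "150.150.30.7", 20000),
              Packet("tcp", "150.150.10.5", 40000, "150.150.41.3", 80),
              Packet("tcp", "150.150.10.5", 40000, "150.150.50.9", 443)):
        print(p, "->", crypto_decision(ACL_120, p))
```

The second return value is the index of the entry that matched, which is the line you would expect to see hit when checking which ACL entry classified a flow.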
07-17-2002 04:48 AM
What I have noticed is that, when testing VoIP, there are no matches on deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?