Crypto ACL

matigil (Level 1)

I want to exclude some traffic from encryption, but I am not sure that a deny would work in a crypto map ACL.

Each ACL permit entry creates an IPsec SA:

local ident (addr/mask/prot/port): (<IP address>/mask/0/0)

remote ident (addr/mask/prot/port): (<IP address>/mask/0/0)

But what about a deny?

For example:

access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 150.150.0.0 0.0.255.255 range 16384 32767

access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255

access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255

Would voice traffic or traffic with 150.150.41.0 destination be excluded from the tunnel?

2 Replies

paqiu (Level 1)

The ACL referenced by the crypto map's match address is processed from top to bottom until a matching entry is found (the same as a normal access-list).

In your example, voice and traffic destined to 150.150.150.41 will not be encrypted.

The rest of the traffic from 150.150.10.0/24 to 150.150.0.0/16 will go through the IPsec VPN tunnel.

Best Regards,
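As an added illustration of the first-match behaviour described in this reply (example code written for this page, not taken from the thread or from Cisco IOS), here is a small Python model of how a crypto map ACL classifies flows. The ACL lines are the three from the question; the flows, hosts and port numbers are constructed for the example. It shows the IOS wildcard-mask inversion, that a deny entry sends the flow in the clear rather than dropping it, that the `range` qualifier on both source and destination has to match for the UDP deny to take effect, and that anything reaching the end of the list hits the implicit deny and is also sent unencrypted. The per-entry hit counter is purely for illustration and says nothing about how the router's own ACL counters behave.

```python
"""Model of crypto map ACL evaluation: first match wins, permit = encrypt,
deny = bypass the tunnel, implicit deny at the end = also bypass."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three ACL lines posted in the question, in router evaluation order.
CRYPTO_ACL = [
    "access-list 120 deny udp 150.150.10.0 0.0.0.255 range 16384 32767 "
    "150.150.0.0 0.0.255.255 range 16384 32767",
    "access-list 120 deny ip 150.150.10.0 0.0.0.255 150.150.41.0 0.0.0.255",
    "access-list 120 permit ip 150.150.10.0 0.0.0.255 150.150.0.0 0.0.255.255",
]


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "udp", "tcp", ...
    src: ipaddress.IPv4Network
    src_ports: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dst_ports: Optional[Tuple[int, int]]
    hits: int = 0                    # illustration only, not a router counter


def _network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _addr_and_ports(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq N' or
    'range A B'. Returns (network, port_range_or_None, next_index)."""
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = _network(tokens[i], tokens[i + 1]), i + 2
    ports = None
    if i < len(tokens) and tokens[i] == "eq":
        ports, i = (int(tokens[i + 1]), int(tokens[i + 1])), i + 2
    elif i < len(tokens) and tokens[i] == "range":
        ports, i = (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return net, ports, i


def parse_acl(lines: List[str]) -> List[AclEntry]:
    entries = []
    for line in lines:
        t = line.split()
        assert t[0] == "access-list", line
        action, proto = t[2], t[3]
        src, sp, i = _addr_and_ports(t, 4)
        dst, dp, _ = _addr_and_ports(t, i)
        entries.append(AclEntry(action, proto, src, sp, dst, dp))
    return entries


def _port_ok(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    if rng is None:                  # no qualifier: any port matches
        return True
    return port is not None and rng[0] <= port <= rng[1]


def classify(entries: List[AclEntry], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]):
    """Return ('encrypt' | 'clear', index_of_matching_entry_or_None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue                 # 'ip' entries match every protocol
        if s not in e.src or d not in e.dst:
            continue
        if not (_port_ok(sport, e.src_ports) and _port_ok(dport, e.dst_ports)):
            continue
        e.hits += 1
        return ("encrypt" if e.action == "permit" else "clear"), idx
    return "clear", None             # implicit deny: not "interesting", sent in the clear


if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL)
    # Constructed sample flows (hosts and ports are made up for the example).
    flows = [
        ("udp", "150.150.10.5", 20000, "150.150.20.7", 20000),  # RTP voice
        ("tcp", "150.150.10.5", 40000, "150.150.41.9", 22),     # SSH to the 41.0/24 net
        ("tcp", "150.150.10.5", 40000, "150.150.20.7", 443),    # ordinary data
        ("udp", "150.150.10.5", 20000, "150.150.20.7", 53),     # only one port in range
        ("tcp", "10.0.0.1", 40000, "150.150.20.7", 443),        # outside the ACL entirely
    ]
    for f in flows:
        verdict, idx = classify(acl, *f)
        print(f"{f[0]} {f[1]}:{f[2]} -> {f[3]}:{f[4]}: {verdict} (entry {idx})")
```

Deny entries in a crypto map ACL only decide what is not interesting traffic; they do not block it. If the goal is to stop the excluded flows rather than just send them unencrypted, that needs a separate interface ACL.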

What I have noticed is that, when testing VoIP, there are no matches on the deny ACL entries. I have no other way to test that voice is not encrypted. Is there any explanation for this lack of matches?
