Invalid Proxies - Asymmetric Crypto Access Lists

Hi all,

I'm currently pursuing my CCIE Security certification, but have no access (yet) to lab equipment, so I could not figure this one out myself. Here it goes.

What would happen if I had asymmetric crypto access lists (which I've searched and found could also be called invalid proxies) configured on IPsec peers?

1) Would this SA come up?

2) If it comes up, and I have a situation where

a - "permit 4.4.4.0 2.2.2.0"

a - "permit 4.4.4.0 1.1.1.0"

b - "permit 1.1.1.0 4.4.4.0"

will the traffic sourced from 2.2.2.0 destined for the 4.4.4.0 network, or vice versa, get to its destination? I'm asking this question because the path this traffic would have to take is through an interface which has the crypto ACL applied. Will this traffic flow unencrypted, or will it be dropped?

Thanks !!

1 REPLY

Re: Invalid Proxies - Asymmetric Crypto Access Lists

Hi,

Q: Would this SA come up?

A: Yes, if all the required crypto & ISAKMP (Phase I & II) settings are configured.

Q: If it comes up, and I have a situation where

a - "permit 4.4.4.0 2.2.2.0"

A: No, traffic will not flow between 4.4.4.0 & 2.2.2.0, as no interesting traffic & destination IP (to 4.4.4.0) is defined for 2.2.2.0. This is because when encrypted traffic from 4.4.4.0 reaches 2.2.2.0, the return traffic from 2.2.2.0 will not get into the tunnel (and be encrypted).

Both ends must have symmetric ACLs pointing to each other.

Q: a - "permit 4.4.4.0 1.1.1.0"

b - "permit 1.1.1.0 4.4.4.0"

A: Yes, traffic will flow between the devices (with proper crypto & ISAKMP (Phase I & II) settings and symmetric ACLs).

Q: Will the traffic sourced from 2.2.2.0 destined for the 4.4.4.0 network, or vice versa, get to its destination?

A: Refer to Question #2.

Q: I'm asking this question because the path this traffic would have to take is through an interface which has the crypto ACL applied. Will this traffic flow unencrypted, or will it be dropped?

A: The ACL is used to define interesting traffic, which will be encrypted before it reaches the remote peer. The same goes for the remote peer when it tries to send traffic via the VPN tunnel. This is called a symmetric ACL.

With an ACL allowing 4.4.4.0 to reach 2.2.2.0, traffic to 2.2.2.0 will be encrypted. But when 2.2.2.0 tries to reach 4.4.4.0 via the tunnel, the traffic will not be encrypted, as no ACL is defined. It will not be dropped; instead it will be sent through the interface unencrypted and eventually 'lost' in the Internet.

Hope this helps.

Rgds,

AK
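As an added illustration of the symmetric-ACL rule discussed above (example code written for this page, not from the thread or from Cisco): the script below parses both peers' crypto ACLs in IOS wildcard-mask syntax, lists the ACEs that have no mirror image on the other peer, and predicts which direction of a given conversation each peer would encrypt. It assumes the thread's networks are /24s and that ACEs use contiguous wildcard masks.

```python
import ipaddress

# Constructed sample: the two peers' crypto ACLs from the thread (assumed /24s).
PEER_A_ACL = """
permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
PEER_B_ACL = """
permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
"""

def parse_ace(line):
    """Turn 'permit ip SRC WILDCARD DST WILDCARD' into (src_net, dst_net)."""
    parts = line.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    # ipaddress accepts a contiguous host (wildcard) mask after the slash
    src = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    dst = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
    return src, dst

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def is_interesting(acl, src_ip, dst_ip):
    """True if this peer would encrypt a packet src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def unmirrored(acl_a, acl_b):
    """ACEs on peer A that have no mirror-image (dst, src) ACE on peer B."""
    return [ace for ace in acl_a if (ace[1], ace[0]) not in acl_b]

def classify_flow(acl_a, acl_b, host_a, host_b):
    """Fate of a conversation between host_a (behind A) and host_b (behind B)."""
    fwd = is_interesting(acl_a, host_a, host_b)   # does A encrypt toward B?
    back = is_interesting(acl_b, host_b, host_a)  # does B encrypt the reply?
    if fwd and back:
        return "encrypted both directions"
    if fwd:
        return "forward encrypted, reply leaves B in the clear"
    if back:
        return "forward leaves A in the clear, reply encrypted"
    return "clear both directions"

if __name__ == "__main__":
    a, b = parse_acl(PEER_A_ACL), parse_acl(PEER_B_ACL)
    for src, dst in unmirrored(a, b):
        print(f"peer A ACE {src} -> {dst} has no mirror on peer B")
    print(classify_flow(a, b, "4.4.4.10", "2.2.2.10"))
```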
