Cisco Support Community
New Member

IPSEC and input acl on the same inbound interface

Could you confirm for me that when an input ACL is enabled together with IPsec on the same inbound interface, the ACL is checked twice, before and after decryption?

I would enable a filter that allows only encrypted packets, but if the ACL is checked twice I also need to add the end-to-end IP packets. In that case any source, even an unencrypted one, could try to get in (DoS).

Thanks for any feedback

Marco
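
Added example (not from the thread or from Cisco): the two ACL designs the question contrasts, written as Cisco IOS configuration. The addresses (192.0.2.1 as the remote tunnel endpoint, 198.51.100.1 as the local one), the protected subnets, the interface and the crypto map name VPNMAP are assumed; the crypto map itself is assumed to be defined elsewhere in the configuration.

```cisco
! --- Variant 1: image does NOT re-evaluate the inbound ACL after decryption ---
! Only IKE and ESP from the known peer are allowed to reach the interface.
! Everything else, including cleartext packets that merely look like tunnel
! traffic, hits the final deny and is logged.
ip access-list extended OUTSIDE-IN
 remark hypothetical peer 192.0.2.1 / local endpoint 198.51.100.1
 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
 permit esp host 192.0.2.1 host 198.51.100.1
 deny ip any any log
!
! --- Variant 2: image DOES re-evaluate the inbound ACL after decryption ---
! The decrypted inner packet (e.g. 10.2.x.x -> 10.1.x.x) passes through the
! same ACL a second time, so it must be permitted here too. That third permit
! also admits a cleartext packet with a forged 10.2.x.x source that arrives
! directly on the interface, which is the exposure the question describes.
ip access-list extended OUTSIDE-IN-DOUBLECHECK
 remark hypothetical peer 192.0.2.1 / local endpoint 198.51.100.1
 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
 permit esp host 192.0.2.1 host 198.51.100.1
 remark inner flow, needed only because the decrypted packet is re-checked
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny ip any any log
!
! Apply one of the two ACLs inbound on the interface that carries the crypto map
! (assumed interface name; VPNMAP is assumed to be defined elsewhere).
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
```

With Variant 1 the `deny ip any any log` line gives visibility into anything reaching the interface that is not IKE or ESP from the peer, which is the behaviour the later images in this thread provide. On an image that still re-checks the ACL, Variant 2 is required for the tunnel to work, and keeping the inner-flow permit no wider than the subnets in the crypto ACL limits, but does not remove, the window for unencrypted packets with a spoofed inner source.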

5 REPLIES
New Member

Re: IPSEC and input acl on the same inbound interface

This was resolved around the end of 2001, so later images will not re-inject the packet back through the ACL once it has been decrypted. Check bug ID: CSCdu58486

New Member

Re: IPSEC and input acl on the same inbound interface

Thanks. But I have also read the bug description. It's not clear if the double check of the access-list is correct or not, since from there it seems that an ACL check that occurs only once is wrong....

It seems that testing 12.1(4) was correct instead of testing 12.2(1). In fact the bug is solved in 12.2(4). But what's the bug?

Marco

New Member

Re: IPSEC and input acl on the same inbound interface

You guys might want to take a look at this Bug: CSCdt94387

It doesn't look like it has been fixed yet.

New Member

Re: IPSEC and input acl on the same inbound interface

It seems much closer to the issue.

Marco

New Member

Re: IPSEC and input acl on the same inbound interface

I have opened a case about this issue, and it seems there is another bug on which Cisco is still working (CSCdm01118).

Thanks to everybody for the feedback.

Marco
