IPsec tunnel acl

smolz (Level 4)

If I create a crypto map there is the command match address (acl). My question is: is this ACL defining the only traffic that will be allowed down the tunnel, or will other traffic be allowed down the tunnel and just not encrypted?

6 Replies

acomiskey (Level 10)

It defines the traffic to be encrypted over the tunnel. Therefore, any traffic not defined will not enter the tunnel.

Is permit ip any any valid for a crypto ACL if more than one LAN-to-LAN tunnel is configured?

Hi Chris and Daniel,

All traffic permitted by the crypto acl will be directed through the IPSec tunnel.

The rest of the traffic will not use the tunnel, but will be transmitted over the link.

"permit ip any any" is allowed on crypto acls like on any other acls. Its use is dependent on how you want to define your interesting traffic.

Cheers:

Istvan (accepted solution)

if I have crypto acl's like this:

*************

acl A permit host 1.1.1.1 host 2.2.2.2

acl B permit ip any any

*************

All the traffic will get put on the tunnel that acl B is applied and no traffic will go across the A tunnel - correct?

Hi Daniel,

If you apply acl B to the crypto map, then acl B will allow all IP traffic through the IPSec tunnel, according to this configuration.

If you apply acl A to the crypto map, then acl A will allow traffic from host 1.1.1.1 to host 2.2.2.2 through the IPSec tunnel. All other traffic will go through the link but not through the IPSec tunnel (it will not be protected).

One addition: acl A should be

acl A permit ip host 1.1.1.1 host 2.2.2.2 (an extended ip acl)

Within one crypto map there can be only 1 acl (though this 1 acl can have multiple acl entries).

Cheers:

Istvan

Just to correct my wording:

Within one crypto map STATEMENT there can be only 1 acl.

If you have several statements within your crypto map, you can have several different acls within each statement, but all these statements refer to different IPSec tunnels.

You can use this type of configuration if you have a headend router with several remote branches needing different IPSec tunnels.

Cheers:

Istvan
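The following is an added example, not code from anyone in the thread. It models the behaviour Istvan describes (one crypto ACL per crypto map statement, several statements for several tunnels, unmatched traffic leaving the interface unprotected) and Daniel's two-ACL question by parsing a small constructed IOS-style configuration and deciding, for a few sample flows, which peer each flow is sent to. Assumptions, labelled in the code: crypto map entries are consulted in ascending sequence number and the first entry whose ACL permits the flow wins; an explicit deny in a crypto ACL only means "not this entry's traffic"; the parser understands only permit/deny ip entries in any, host and wildcard forms. The peer addresses, ACL numbers and map name are invented for the example.

```python
"""Model of how a Cisco IOS crypto map picks an IPsec tunnel for a flow.

Added example, not from the thread above. Assumptions (labelled): crypto map
entries are consulted in ascending sequence number; the first entry whose
crypto ACL permits the packet wins and sends it to that entry's peer; an
explicit deny in that ACL stops evaluation for that entry only; a packet no
entry permits leaves the interface unprotected. Only 'permit/deny ip' ACEs
in any / host / wildcard form are parsed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (not from the original post). Two crypto
# map statements, each with its own ACL and peer; ACL 101 has several entries.
SAMPLE_CONFIG = """
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 deny   ip host 10.1.1.1 any
access-list 102 permit ip any any
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.20
 match address 102
"""

# Same two ACLs, but the any/any statement now has the lower sequence number.
REORDERED_CONFIG = SAMPLE_CONFIG.replace("VPN 10", "VPN 30")


@dataclass
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_config(text):
    """Return ({acl: [Ace, ...]}, {(map, seq): {'peer': ..., 'acl': ...}})."""
    acls, cmap, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append(Ace(t[2] == "permit", src, dst))
            current = None
        elif t[:2] == ["crypto", "map"] and t[4] == "ipsec-isakmp":
            current = (t[2], int(t[3]))
            cmap[current] = {"peer": None, "acl": None}
        elif current and t[:2] == ["set", "peer"]:
            cmap[current]["peer"] = t[2]
        elif current and t[:2] == ["match", "address"]:
            cmap[current]["acl"] = t[2]
    return acls, cmap


def tunnel_for(config_text, src_ip, dst_ip):
    """Return (peer, acl) of the crypto map statement that protects the flow,
    or None if no statement permits it (the packet leaves in cleartext)."""
    acls, cmap = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for key in sorted(cmap):                        # ascending sequence number
        entry = cmap[key]
        for ace in acls.get(entry["acl"], []):      # first matching ACE decides
            if src in ace.src and dst in ace.dst:
                if ace.permit:
                    return entry["peer"], entry["acl"]
                break                               # deny: not this entry's traffic
    return None


if __name__ == "__main__":
    flows = [("1.1.1.1", "2.2.2.2"), ("10.1.5.5", "10.2.7.7"),
             ("192.0.2.1", "198.51.100.1"), ("10.1.1.1", "8.8.8.8")]
    for name, cfg in (("SAMPLE", SAMPLE_CONFIG), ("REORDERED", REORDERED_CONFIG)):
        for s, d in flows:
            print(f"{name}: {s} -> {d}: {tunnel_for(cfg, s, d) or 'cleartext'}")
```

With SAMPLE_CONFIG the host-to-host flow goes to 203.0.113.10 via ACL 101, the catch-all statement takes everything else, and 10.1.1.1 to 8.8.8.8 goes out unprotected because ACL 102 denies it and nothing else permits it. With REORDERED_CONFIG the any/any statement is consulted first and swallows the host-to-host flow too, which is the situation Daniel asked about. On a real router the same check is `show crypto map` for the statement order and `show crypto ipsec sa` for per-tunnel encrypt/decrypt counters; a flow that shows no counters and still reaches its destination is crossing the link in cleartext.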
