Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

tunneling options on PIX


I have a PIX 506 with a 3DES tunnel to a PIX 501. I would like VoIP traffic to tunnel without encryption or at least less encryption.

I was thinking about using tunnel interfaces(i've created 'int tunnel 0' on 2600/1700 routers in the past) because I thought I these could tunnel w/out encrypting data, but is this possible to create tunnel interfaces on PIX's? Also, which ACLs get processed first, IPSec tranform set ACL or tunnel interface ACL?

If the above is not possible can I create a second instance of my 3DES crypto map using a different transform set that has just DES or no encryption associated with them? For that second instance of the crypto map I would obvoiusly just be matching VoIP traffic/hosts on it's transform set's ACL.

Please give me some direction.




Re: tunneling options on PIX

It is possible to tunnel voice traffic without encryption. You will need to configure the crypto access list such that packets with ports used by voice traffic are considered not_interesting. Now voice packets will not qualify as interesting traffic for ipsec and will be passed through unencrypted. Typically can be done by denying TCP ports 1718 through 1720. However, the port numbers used might vary in some vendor implementations. A note of caution though. I dont remember coming across too many configurations of this nature.