deny statement in interesting traffic ACL

r.perera
Level 1

Hi, I know that an allow statement in an interesting traffic ACL will send matching traffic to the VPN tunnel.

What happens if I add a deny statement to the same ACL? Will the traffic still go through the tunnel but not encrypted?

Regards

5 Replies

puagarwa
Level 1

If you add a deny statement, the traffic will not be sent via the tunnel!!!

That means there is no point having a deny statement in the ACL other than for logging purposes.

Absolutely right!!!!

Please rate the post if it helped answer your question!!

The first part of this discussion I understand and agree with: traffic that matches a permit in the ACL will be encrypted and sent through the tunnel and traffic that is denied will not be encrypted and not sent through the tunnel. (Note that this does not necessarily mean that traffic that is denied will not be sent - it just means that it will not be sent through the VPN tunnel.)

I do not understand or agree with the second part of the discussion, which asserts that there is no purpose for deny statements other than logging. I have a situation at a customer site where there is a VPN tunnel between routerA and routerB. Certain clients on routerA need to communicate with a server on routerB, and due to the sensitivity of the data it is required to be encrypted. So the access list has a permit for the traffic from these clients to this server. There is other traffic from other end stations on these routers which is also sent between the routers. There is no need to encrypt this other traffic. So there is a deny in the ACL which denies this other traffic. The other traffic is still routed between routerA and routerB, but it is not sent through the tunnel; it is sent on the normal links. In this situation there is very much a need for the deny statements.

HTH

Rick

I had the scenario where I was using 10.0.0.0/8 for one site and I had to use 10.250.0.0/16 for another site (I had no control over IP addressing). So I had to deny 10.250.0.0/16 on the first tunnel and permit 10.0.0.0/8, and on the second tunnel just permit 10.250.0.0/16. But the problem with this is that on the second tunnel, where I had 10.250.0.0/16, I couldn't initiate the traffic from my side to 10.250.0.0/16. However, if someone initiated traffic from 10.250.0.0/16, the tunnel would come up and then traffic flow was bidirectional.

I had some discussions with TAC and they said that when you have deny statements, that's one of the expected behaviors. So my options were:

take out the permit 10.0.0.0/8 & deny 10.250.0.0/16 lines and add 100 lines of specific permits,

or just configure one of the machines on the far end to initiate a ping every hour.

So there is some value in deny lines, but it depends on how you use them.
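To make the two scenarios in this thread concrete (Rick's "deny the non-sensitive traffic so it is routed in the clear" case and the overlapping 10.0.0.0/8 vs. 10.250.0.0/16 case just above), here is an added Cisco IOS configuration sketch. It is example configuration written for this thread, not config posted by either author. The local LAN 192.168.1.0/24, the ACL names, the crypto map name, the transform set and the peer addresses are all assumptions; the ISAKMP policy and pre-shared keys are omitted.

```cisco
! Tunnel 1 (peer at site A, which uses 10.0.0.0/8).
! Crypto ACLs are evaluated first-match, so the deny must come before
! the broad permit: traffic to 10.250.0.0/16 is then NOT interesting
! traffic for this tunnel. It is still routed normally, just not
! encrypted by this SA, which is exactly the behaviour Rick describes.
ip access-list extended CRYPTO-SITE-A
 deny   ip 192.168.1.0 0.0.0.255 10.250.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Tunnel 2 (peer at site B, which uses the overlapping 10.250.0.0/16).
! Only a permit here; the first ACL's deny is what keeps this /16
! from being swallowed by the /8 entry of tunnel 1.
ip access-list extended CRYPTO-SITE-B
 permit ip 192.168.1.0 0.0.0.255 10.250.0.0 0.0.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! Crypto map sequence numbers are also evaluated in order, so the
! entry that matches the more specific ACL is given the lower number.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-SITE-B
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address CRYPTO-SITE-A
!
interface GigabitEthernet0/0
 crypto map VPN
```

Two checks worth running after applying something like this: `show crypto map` confirms which ACL each map entry matches, and `show crypto ipsec sa` shows the proxy identities actually negotiated for each peer, so you can see whether a flow you expected to be encrypted is hitting the deny instead. The crypto ACL on each peer should be the mirror image of the one on the other side (the same addresses with source and destination swapped), and because anything hitting a deny leaves the router unencrypted, it is worth confirming that nothing sensitive falls under the denied range. The initiation problem the poster describes with the deny entry is reported here as TAC's answer, and the workarounds are the ones listed in the post: replacing the deny/permit pair with specific permits, or having the far end initiate traffic.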