Cisco Support Community

New Member

deny statement in interesting traffic ACL

Hi, I know that an allow statement in an interesting traffic ACL will send matching traffic to the VPN tunnel.

What happens if I add a deny statement to the same ACL? Will the traffic still go through the tunnel but not be encrypted?

Regards

5 REPLIES
New Member

Re: deny statement in interesting traffic ACL

if you add a deny statement the traffic will not be sent via the tunnel!!!

New Member

Re: deny statement in interesting traffic ACL

that means there is no point having a deny statement in the ACL other than for logging purposes

New Member

Re: deny statement in interesting traffic ACL

absolutely right!!!!

please rate the post if it helped answer your question!!

Hall of Fame Super Silver

Re: deny statement in interesting traffic ACL

The first part of this discussion I understand and agree with: traffic that matches a permit in the ACL will be encrypted and sent through the tunnel and traffic that is denied will not be encrypted and not sent through the tunnel. (Note that this does not necessarily mean that traffic that is denied will not be sent - it just means that it will not be sent through the VPN tunnel.)

I do not understand or agree with the second part of the discussion which asserts that there is no purpose for deny statements other than logging. I have a situation at a customer site where there is a VPN tunnel between routerA and routerB. Certain clients on routerA need to communicate with a server on routerB and due to the sensitivity of the data it is required to be encrypted. So the access list has a permit for the traffic from these clients to this server. There is other traffic from other end stations on these routers which is also sent between the routers. There is no need to encrypt this other traffic. So there is a deny in the ACL which denies this other traffic. The other traffic is still routed between routerA and routerB, but it is not sent through the tunnel; it is sent on the normal links. In this situation there is very much a need for the deny statements.

HTH

Rick

New Member

Re: deny statement in interesting traffic ACL

I had the scenario where I was using 10.0.0.0/8 for one site and I had to use 10.250.0.0/16 for another site (I had no control of IP addressing). So I had to deny 10.250.0.0/16 on the first tunnel and permit 10.0.0.0/8, and on the second tunnel just permit 10.250.0.0/16. But the problem with this is on the second tunnel where I had 10.250.0.0/16 I couldn't initiate the traffic from my side to 10.250.0.0/16. However, if someone initiated traffic from 10.250.0.0/16 the tunnel would come up and then traffic flow was bidirectional.

I had some discussions with TAC and they said when you have deny statements that's one of the expected behaviors. So my options were

take out the permit 10.0.0.0/8 & deny 10.250.0.0/16 lines and add 100 lines of specific permits

or just configure one of the machines on the far end to initiate a ping every hour.

So there is some value for deny lines, but it depends on how you use them.
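A worked IOS configuration for the overlapping-prefix case described in the post above (an added example, not the poster's or Cisco's own configuration; the LAN prefix 172.16.0.0/16, the peer and WAN addresses, the key names and the crypto parameters are all assumed):

```cisco
! Added example, not from the thread. Hub router with local LAN 172.16.0.0/16
! (assumed), two IPsec peers: SITE-A at 203.0.113.1 and SITE-B at 198.51.100.1
! (documentation addresses, assumed). ISAKMP and IPsec settings are minimal
! assumed values; each peer must carry the mirror image of its crypto ACL.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-KEY-A address 203.0.113.1
crypto isakmp key EXAMPLE-KEY-B address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Tunnel 1 interesting-traffic ACL. The deny must come BEFORE the broad
! permit, because the ACL is evaluated first-match. The deny does not drop
! packets: it only keeps 10.250.0.0/16 out of this tunnel so the router can
! route it to the other tunnel instead.
ip access-list extended CRYPTO-SITE-A
 deny   ip 172.16.0.0 0.0.255.255 10.250.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! Tunnel 2 interesting-traffic ACL: only the /16 carved out above.
ip access-list extended CRYPTO-SITE-B
 permit ip 172.16.0.0 0.0.255.255 10.250.0.0 0.0.255.255
!
! Crypto map entries are also walked in sequence order; keep the more
! specific /16 tunnel at the lower sequence number so it is matched first.
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address CRYPTO-SITE-B
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address CRYPTO-SITE-A
!
interface GigabitEthernet0/0
 description WAN uplink (assumed)
 ip address 192.0.2.2 255.255.255.0
 crypto map VPN
```

To confirm which tunnel a flow is taking, compare the encaps/decaps counters from `show crypto ipsec sa peer 198.51.100.1` and `show crypto ipsec sa peer 203.0.113.1` while generating test traffic to 10.250.0.0/16; traffic that hits the deny shows up in neither SA and leaves in the clear over the normal route.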
