Cisco Support Community
Community Member

ipsec pl-compatible like command for IOS

hi,

Is there a command in IOS that allows encrypted traffic to bypass the external access-list of a router? I only want the IPsec ports in the external ACL - I do not really want to list the remote and local encryption domains in the ACL.

Thanks in advance.

Ger

2 REPLIES
Cisco Employee

Re: ipsec pl-compatible like command for IOS

No, there is no equivalent IOS command. The good news is that if you're referring to bug CSCdz54626 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdz54626&Submit=Search), where the ACL is processed twice on the incoming interface, this has finally been resolved.

I haven't personally tested it yet (because the code isn't available), but the fix is supposedly in the 4th release of the 12.3T train, so that'd be the next release after 12.3(7)T. It may or may not be 12.3(8)T, depends on the timing of the next release, but if you upgrade to this when it becomes available you should be able to remove the local/remote networks from your ACL.
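To make the situation in this reply concrete, here is an added example of an IOS configuration (it is not from the thread or from Cisco) showing the inbound filter the original poster wants, plus the extra lines that the "ACL processed twice" behaviour forces you to carry until the fix is in place. All addresses are constructed placeholders from the RFC 5737 documentation ranges, the crypto map name VPN-MAP, the ACL names and the pre-shared key are assumptions, and the interface name is illustrative.

```cisco
! Added example, not from the thread.  Constructed addressing:
!   Local encryption domain:   192.0.2.0/24    (behind this router)
!   Remote encryption domain:  198.51.100.0/24 (behind the peer)
!   Peer outside address:      203.0.113.1
!   This router's outside:     203.0.113.2
!
! Crypto ACL: selects what gets encrypted; it is not a traffic filter.
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Minimal IKE/IPsec setup so the crypto map below is complete.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! Inbound filter on the outside interface.
! The first four permits are all the original poster wants: only the
! IPsec control and data protocols, and only from the known peer.
! While the inbound ACL is evaluated a second time on the decrypted
! packet (the behaviour the reply describes), the remote-to-local
! permit is also required or the cleartext traffic is dropped after
! decryption.  Once that behaviour is fixed, that line can be removed
! and the ACL shrinks to just the IPsec protocols.
ip access-list extended OUTSIDE-IN
 remark --- IPsec control and data from the peer only ---
 permit udp host 203.0.113.1 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 203.0.113.2
 permit ahp host 203.0.113.1 host 203.0.113.2
 remark --- needed only while the ACL is applied twice ---
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark --- everything else is dropped and logged ---
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

The `deny ip any any log` line is there so that, after the upgrade, you can confirm whether the decrypted traffic is still being matched against the interface ACL: if the remote-to-local permit is removed and the log entries for 198.51.100.0/24 start appearing, the second ACL evaluation is still happening on that release.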

Community Member

Re: ipsec pl-compatible like command for IOS

Hey Glenn,

I am not sure that this is a good thing ;)

Do you know if it will be possible to still use ACLs as a filter for the VPN traffic by somehow disabling this "fix" in 12.3 code?
