From: Ahmed Mamoor Amimi (mamoor@xxxxxxxx)
Date: Tue Mar 05 2002 - 02:19:22 GMT-3
You're right ...
That is the only access-list that you have to apply, and IPSec will take care of the traffic that is returning or coming in to that match the access-list.... By saying MATCH the ACCESS-LIST, it means that IPSec will try to match the destination of the packet with the source of the access-list; if they match and the data is unprotected, then IPSec will drop the packet, considering it as not from the same sender that I have sent to ....
That is why CISCO recommends that when making access-lists on both sides you make sure that they are identical, so both sides could send protected data.
-Mamoor
----- Original Message -----
From: Lab Candidate <labccie@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, March 05, 2002 9:58 AM
Subject: IPSec question
> IPSec inbound traffic is processed against the crypto map entries; if an
> unprotected packet matches a permit entry in a particular access list
> associated with an IPSec crypto map entry, that packet is dropped.
> But on a second thought, the ACL is defined for outgoing traffic only;
> checking inbound traffic against it is backwards. My question is: does the
> IOS software reverse the ACL order while checking on incoming traffic, like
> it was going outbound? I don't believe that you need to define separate
> lines in the ACL for incoming traffic; only the lines pertaining to outbound
> traffic are used for checkup. Please confirm my understanding. TIA...
>
> ---
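The behaviour discussed in this thread (one crypto ACL written for the outbound direction, the same entries evaluated with source and destination swapped for inbound traffic, and an unprotected inbound packet that matches being dropped) can be modelled in a few lines. The following Python is an added illustration written for this archive page, not Cisco IOS code and not a description of the IOS implementation: the ACL parser, the `inbound_decision` / `outbound_decision` helpers, the `is_mirror` check and the 10.1.1.0/24 and 10.2.2.0/24 addresses are all constructed for the example. It only handles `permit ip` lines with contiguous wildcard masks.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip SRC WILDCARD DST WILDCARD' line of a crypto ACL."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protected: bool  # True if the packet arrived inside the IPsec SA (ESP/AH)


def parse_acl(lines):
    """Parse IOS-style 'permit ip <src> <wildcard> <dst> <wildcard>' lines.

    ipaddress accepts 'address/hostmask', so an IOS wildcard mask such as
    0.0.0.255 can be passed straight through (contiguous wildcards only).
    """
    entries = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or fields[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        src = IPv4Network(f"{fields[2]}/{fields[3]}")
        dst = IPv4Network(f"{fields[4]}/{fields[5]}")
        entries.append(AclEntry(src, dst))
    return entries


def make_packet(src, dst, protected):
    """Convenience constructor taking dotted-quad strings."""
    return Packet(IPv4Address(src), IPv4Address(dst), protected)


def matches_outbound(acl, pkt):
    """Outbound: packet src/dst compared with the entry's src/dst as written."""
    return any(pkt.src in e.src and pkt.dst in e.dst for e in acl)


def matches_inbound(acl, pkt):
    """Inbound: the same entries evaluated mirrored (entry src <-> dst)."""
    return any(pkt.dst in e.src and pkt.src in e.dst for e in acl)


def outbound_decision(acl, pkt):
    """Traffic matching the crypto ACL is sent through the SA; the rest bypasses."""
    return "encrypt" if matches_outbound(acl, pkt) else "bypass"


def inbound_decision(acl, pkt):
    """An inbound packet that matches the mirrored ACL must have arrived protected.

    A cleartext packet claiming to come from the protected peer network is
    dropped; traffic outside the ACL is not IPsec's concern here.
    """
    if matches_inbound(acl, pkt):
        return "accept" if pkt.protected else "drop"
    return "bypass"


def mirror(acl):
    """The crypto ACL the peer should be configured with."""
    return [AclEntry(e.dst, e.src) for e in acl]


def is_mirror(acl_a, acl_b):
    """Check that the peer's crypto ACL is the exact mirror image of ours."""
    return set(mirror(acl_a)) == set(acl_b)


if __name__ == "__main__":
    # Constructed sample: router A protects 10.1.1.0/24 <-> 10.2.2.0/24.
    acl_a = parse_acl(["permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"])
    acl_b = mirror(acl_a)  # what router B should be configured with
    print("B mirrors A:", is_mirror(acl_a, acl_b))
    print("A out 10.1.1.5->10.2.2.7:",
          outbound_decision(acl_a, make_packet("10.1.1.5", "10.2.2.7", False)))
    print("A in  10.2.2.7->10.1.1.5 (cleartext):",
          inbound_decision(acl_a, make_packet("10.2.2.7", "10.1.1.5", False)))
    print("A in  10.2.2.7->10.1.1.5 (protected):",
          inbound_decision(acl_a, make_packet("10.2.2.7", "10.1.1.5", True)))
```

The `is_mirror` check is the part worth keeping around: it is the "make sure both sides are identical" advice from the reply turned into something you can run against two configs before bringing a tunnel up.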
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:53 GMT-3