RE: Site-to-Site VPN - ACL question

From: asadovnikov (asadovnikov@comcast.net)
Date: Fri Dec 12 2003 - 01:56:26 GMT-3


Not really. Incoming traffic is actually compared to a security ACL twice:
once before decryption, and then again after decryption. So both the encrypted
(ISAKMP + ESP) and the decrypted traffic need to be permitted by the ACL.

Best regards,
Alexei

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Steven A Ridder
Sent: Wednesday, December 10, 2003 2:03 PM
To: Vazman@aol.com
Cc: ccielab@groupstudy.com
Subject: RE: Site-to-Site VPN - ACL question

Correct. If I remember correctly, the ACLs act first, then decryption.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Vazman@aol.com
Sent: Tuesday, December 09, 2003 4:44 PM
To: ccielab@groupstudy.com
Subject: Site-to-Site VPN - ACL question

Hello,

I have a question.

10.100.10.0/24--Router1--INTERNET--Router2--10.100.20.0/24

We have a site-to-site VPN over the Internet between two Cisco routers and
are using private addressing on the ethernet. An inbound ACL is applied on
the serial interface of both routers. On R1 do we need to permit the
ethernet segment of R2? I was almost positive that we don't have to, as I
would imagine that all traffic between the two LANs goes through the VPN
tunnel.

Thanks



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:39 GMT-3