Re: IPSec - confused about inbound ACLs

From: Hai Minh (minhlth@ipmac.com.vn)
Date: Fri Oct 28 2005 - 02:33:35 GMT-3


Thanks, Scott, for answering me so fast :-)

To clear up my mind, I'll take an example; could you please check it
for me.

    I configured IPSec on R1 and R2 to encrypt Telnet traffic from R1 to R2. I
created a crypto ACL on both routers like this: "permit tcp host R1 host R2 eq
23". I know the crypto ACL refers to the outbound ACL. As that book says, I
don't need to put an inbound ACL (like "deny tcp host R1 host R2 eq 23") on the
incoming interface of R2 to drop clear-text Telnet traffic. Am I right?

TIA
Hai Minh

P.S.: I tried, but this ACL, "deny tcp host R1 host R2 eq 23", blocked both
clear-text and encrypted Telnet traffic.

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'Hai Minh'" <minhlth@ipmac.com.vn>; <ccielab@groupstudy.com>
Sent: Friday, October 28, 2005 12:10 PM
Subject: RE: IPSec - confused about inbound ACLs

> I believe it's referring to your interesting traffic ACL called in the
> crypto map.
>
> If the router receives something unencrypted (plain text) that it believes
> should have been encrypted, it'll drop it.
> Likewise, if it receives something encrypted that it believes should not
> have been, it'll drop it as well.
>
> Cheers,
>
> Scott
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hai Minh
> Sent: Friday, October 28, 2005 1:01 AM
> To: ccielab@groupstudy.com
> Subject: OT: IPSec - confused about inbound ACLs
>
> Hi group
>
> I'm doing with IPSec and I'm confused about the inbound ACL. In the
> SECUR Exam Certification Guide, they said that "if traffic comes in as clear
> text and should be encrypted, the router drops the traffic". Does it mean
> the router will drop clear-text traffic automatically or should I use an
> inbound ACL to drop it?
>
> Thanks
> Hai Minh
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:54 GMT-3