processing order of encryption and ACLs

Hi people,

I am preparing for a test lab and have the following scenario:

R6---172.16.50/24---PIX---172.16.10/24--R1

On R6 I have two interfaces:

lo0 6.6.6.6/24

FA0/1 172.16.50.50/24

R1 has two interfaces:

lo0 1.1.1.1/24

E0 172.16.10.1/24

I want to protect all traffic between network 6.6.6.0 and network 1.1.1.0 with IPSec. I use ESP to protect the traffic.

Another condition is that I want to put an ACL on e0 that allows the IPSec traffic.

I created an ACL named ACL_E0_IN that is applied on e0 for inbound traffic.

R1#sh access-lists
Extended IP access list ACL_E0_IN
    permit esp host 172.16.50.50 host 172.16.10.1 (15 matches)
    permit udp host 172.16.50.50 host 172.16.10.1 eq isakmp (116 matches)
    deny icmp host 6.6.6.6 host 1.1.1.1 log (5 matches)

Ping from R6 to R1 does not work:

R6#p 1.1.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
.....
Success rate is 0 percent (0/5)
R6#

On R1, I get the following message:

*Mar 8 03:58:37.917: %SEC-6-IPACCESSLOGDP: list ACL_E0_IN denied icmp 6.6.6.6 -> 1.1.1.1 (8/0), 4 packets

This scenario works ONLY when I allow both ICMP from R6 and ESP traffic.

I wonder why the decrypted packets are denied by the ACL. I expected the ACL to be processed BEFORE the packet is decrypted. When I look at the hit counters of the ACL, it seems that the ACL is checked twice.

Does someone have an idea of the exact order of encryption and ACL processing?

Thank you

Michael

Attached you will find the configs of R1 and R6.

Michael

I recently saw an explanation of encryption and ACLs that indicates there has recently been a change in behavior. In most versions of IOS, the behavior is as you describe: the packet is evaluated by the ACL twice. The explanation is that the packet is evaluated first in its encrypted state to check that it is something that should be dealt with. After the packet has been decrypted, IOS needs to evaluate the decrypted packet to see if things like Quality of Service need to be applied. So basically the decrypted packet passes through the interface again, and through the ACL again. In recent versions of the code (12.3(4)T, if memory serves) a change has been made and the packet will now go through the ACL only once.

HTH

Rick
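To make the two-pass behaviour Rick describes concrete, here is a small model (added here; it is not code from the thread or from Cisco) of an inbound interface ACL on e0: the ESP packet is matched once in encrypted form and, on the older IOS releases, the decrypted inner packet is sent through the same ACL a second time. The ACL entries and the ping are constructed from Michael's 'sh access-lists' output; the syslog line is a simplified model of the IPACCESSLOGDP message, and the "one-pass" switch stands for the newer behaviour Rick mentions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Ace:
    """One access-list entry (constructed model of an IOS extended ACE)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; else "esp", "udp", "icmp"
    src: str                      # CIDR, e.g. "172.16.50.50/32" for 'host 172.16.50.50'
    dst: str
    dport: Optional[int] = None   # e.g. 500 for 'eq isakmp'
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # cleartext packet carried inside ESP (model only)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (ip_address(pkt.src) in ip_network(ace.src, strict=False)
            and ip_address(pkt.dst) in ip_network(ace.dst, strict=False))

def acl_lookup(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First-match lookup; index -1 stands for the implicit 'deny ip any any'."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", -1

def inbound_path(acl: List[Ace], pkt: Packet, acl_name: str = "ACL_E0_IN",
                 recheck_decrypted: bool = True):
    """Simulate inbound processing on the crypto interface; returns (verdict, per-ACE
    hit counters, syslog lines). recheck_decrypted=False models the one-pass behaviour."""
    hits = [0] * len(acl)
    logs: List[str] = []

    def check(p: Packet) -> str:
        action, i = acl_lookup(acl, p)
        if i >= 0:
            hits[i] += 1
            if action == "deny" and acl[i].log:   # the 'log' keyword produces IPACCESSLOGDP
                logs.append(f"%SEC-6-IPACCESSLOGDP: list {acl_name} denied "
                            f"{p.proto} {p.src} -> {p.dst}, 1 packet")
        return action

    if check(pkt) == "deny":
        return "dropped (encrypted pass)", hits, logs
    if pkt.proto == "esp" and pkt.inner is not None and recheck_decrypted:
        # After decryption the inner (cleartext) packet re-enters the interface ACL
        if check(pkt.inner) == "deny":
            return "dropped (decrypted pass)", hits, logs
    return "forwarded", hits, logs

# ACL and ping reconstructed from the 'sh access-lists' output in the thread
ACL_E0_IN = [
    Ace("permit", "esp", "172.16.50.50/32", "172.16.10.1/32"),
    Ace("permit", "udp", "172.16.50.50/32", "172.16.10.1/32", dport=500),
    Ace("deny", "icmp", "6.6.6.6/32", "1.1.1.1/32", log=True),
]
PING = Packet("esp", "172.16.50.50", "172.16.10.1",
              inner=Packet("icmp", "6.6.6.6", "1.1.1.1"))

def fixed_acl() -> List[Ace]:
    """Also permit the cleartext flow, which is required while the ACL is applied twice."""
    return ACL_E0_IN[:2] + [Ace("permit", "icmp", "6.6.6.6/32", "1.1.1.1/32")] + ACL_E0_IN[2:]
```

With the posted ACL the hit counters come out as one ESP match and one deny match per ping, which is the "checked twice" pattern seen in the counters above; with the cleartext permit added (or in one-pass mode) the ping is forwarded.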

Tags: Cisco Security

Similar Questions

  • VPN and ACL - treatment order

    Hello

    I want to set up a VPN from a headquarters site to remote sites ('connected' by ADSL). It is intended to put an inbound access list on the remote site on the same interface that is used as the endpoint of the VPN tunnel. What I am curious about is the processing order: how does outgoing VPN traffic interact with the access list? I thought it would be a straightforward matter, but I can't find an answer to it.

    Thanks in advance

    This may be what you are looking for:

    http://www.Cisco.com/warp/public/556/5.html

  • Packages that do not receive encryption and decrypt IPSEC

    Hello world

    I have a 2691 router connected to the Internet and it does NAT.

    This connects to the 3550A switch that has the connection to the 1811W router.

    I have a VPN set up between the 1811W and the 3550.

    The 3550 has a connection to the 2691 via OSPF.

    OSPF is running between the 1811w and the 3550.

    1811

    1811w#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

    IPv6 Crypto ISAKMP SA

    1811w#sh crypto ipsec sa

    interface: FastEthernet0
        Crypto map tag: VPN_MAP, local addr 192.168.99.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 30, #recv errors 0

         local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    3550A

    3550SMIA#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.99.2    192.168.99.1    QM_IDLE           1001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    3550SMIA#sh cry
    3550SMIA#sh crypto ipsec sa

    interface: FastEthernet0/8
        Crypto map tag: VPN_MAP, local addr 192.168.99.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 15, #recv errors 0

         local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

    As we can see above, packets are not encrypted between the 1811w and the 3550.

    I used the same ACL on the 1811W and the 3550A:

    Extended IP access list INTERESTING_TRAFFIC
        permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

    What are the reasons why packets are not encrypted and decrypted?

    Thank you

    MAhesh

    Hello

    Access-list for interesting traffic should be mirrored.

    Best regards

    Eugene

  • I need to know the process to implement encryption for Windows 8, on a HP Pavilion

    Original title:

    Encryption

    There is a choice in my Control Panel to set up encryption, but I have to go through the TPM module to be able to set it up, and my PC is not secure and has never been. I need to know the process to implement encryption for Windows 8 on an HP Pavilion.

    Hello

    Protect your files with device encryption
    http://Windows.Microsoft.com/en-us/Windows-8/using-device-encryption

    Protect your files using BitLocker Drive encryption
    http://Windows.Microsoft.com/en-us/Windows/protect-files-BitLocker-Drive-Encryption#1TC=Windows-8

    I hope this helps.

    Rob Brown - Microsoft MVP - Windows Expert - Consumer : Bicycle - Mark Twain said it right.

  • Use to encrypt and decrypt in Scenerio

    Hello
    I'm new to the ODI environment. I just need to clarify one thing about ODI scenarios: what is the use of Encrypt and Decrypt when we right-click on a recently generated scenario? If I encrypt it, I am still able to run and remove the scenario and whatever else. Please suggest how I can use this concept in my production environment.

    Hello

    Encrypting a scenario/procedure/KM helps protect the valuable code.

    An encrypted scenario, KM or procedure cannot be read or modified unless it is decrypted. Commands generated in the log by a scenario from an encrypted KM or procedure are unreadable.

    Oracle Data Integrator uses an encryption algorithm based on a personal encryption key. This key can be saved in a file and reused to perform encryption or decryption operations.

    P.S.: it is impossible to decrypt an encrypted procedure or KM without the encryption key. Therefore, it is strongly recommended to keep this key in a safe place. It is also advisable to use a single key for all developments.

    Thank you
    Guru

  • Question of the order of events and functions

    Hello

    Sorry for the stupid question, but I'm working on something big and I would hate a small rock to throw me off in the end.

    So here it is:

    I know how functions are executed: if you have:

    function function1():void {
        function3();
    }

    function function2():void {
    }

    function function3():void {
    }

    function1();
    function2();

    Function1 runs first, along with function3 nested inside it, then function2. Simply put: function1 plus everything it has nested runs from top to bottom, then function2, etc.

    OK, so now I have this situation:

    Now, say you have an INNER component that is inside the MAIN component. You addEventListener(FlexEvent.CREATION_COMPLETE, test) inside the INNER component (in the constructor in my case) and also add the same event listener once again, but inside the MAIN component, such as:

    public function main_creationCompleteHandler(event:FlexEvent):void {
        inner.addEventListener(FlexEvent.CREATION_COMPLETE, test);
        addElement(inner);
    }

    Then you will have 2 event listeners for the same event. First the one written in the INNER component will run, and then the one in the MAIN component will run.

    Now if I set many, many functions in the INNER creationCompleteHandler, will they all be 100% complete before the creationCompleteHandler of MAIN runs?

    As I tested it, it looks like each treatment must be 100% done in the INNER creationCompleteHandler before it passes to the creationCompleteHandler of MAIN.

    Can someone confirm that Flash/Flex works like that? Thank you!

    FM_Flame wrote:

    Hi Alex, guys,

    so I would like to summarize the question, and if we can just say Yes or No, or even guide me to what is Yes, then there is no confusion.

    Here are 2 scenarios:

    1) 2 listeners are added for the same event, e.g. CREATION_COMPLETE - one for the component and the other for the container.

    It works like this:

    a) component -> creationCompleteHandler starts to perform its functions/activities

    b) container -> creationCompleteHandler starts to perform its functions/activities

    The question here is: will a) be 100% complete before Flash moves to b), or could b) happen at some point while a) is running?

    Note: Yes, this means a) will be 100% complete before b) occurs.

    2) For the second scenario let's take 2 different events, FlexEvent.INITIALIZE and FlexEvent.CREATION_COMPLETE, and add both listeners in the component only this time, so we do not complicate things.

    It works like this:

    a) component -> initializeHandler starts to perform its functions/activities

    b) component -> creationCompleteHandler starts to perform its functions/activities

    The question here is the same: will a) be 100% complete before Flash moves to b), or could b) happen at some point while a) is running?

    Note: Yes, this means a) will be 100% complete before b) occurs.

    Thank you very much

    (1) Flash is currently single-threaded, so one handler will finish before another handler for the same event starts. The processing order is not guaranteed, and since your handlers are listening for the event attached to the same object, it is imprudent to write code that depends on the order in which these handlers are called. Adobe is working on multi-threading the Flash plugin; in the future any order that may exist now could be different, and any processing that depends on one completion handler finishing before the other is called could also fail in the future, because a multi-threaded player could activate the two handlers simultaneously.

    It's nice to have Yes/No answers, but only if you want to write poor code that can work, by accident, until something changes that you have no control over.

    Do not write code that depends on the order in which event handlers are called for the same event.

    (2) initialize occurs before creation complete. The answer is Yes.

  • Universal Clipboard is encrypted and how the data is stored in iCloud

    Hello

    Do you need a deep understanding of how the new Universal Clipboard feature works for safety? The feature is nice, but if you copy your password, say the company storage system administrator password... this password is moving all over the world and also through Apple servers... That doesn't make me happy.

    Who can guarantee that the communication is encrypted and that the data stored in iCloud is not used for other purposes?

    Thanks and greetings

    iCloud security and privacy overview - Apple Support

    Although not listed there, all data transmitted to the Apple servers is encrypted in transit and on the server.

    I can't offer any advice on the question of whether your transmissions could be intercepted and decoded.

    They also say unequivocally that they never provide encryption keys to any third party, which was further strengthened by their recent dealings with the FBI.

    You'll have to decide for yourself if you agree with what Apple says.

  • Encrypted and signed e-mail are not displayed correctly

    Hello

    I managed to install an e-mail encryption certificate on my Mac running OS X 10.11.4, but when I get an encrypted email and open it in Mail it does not display the security status, so there is no way of knowing that it is actually an encrypted email.  The email shows the encrypted and signed icon on my iPhone and iPad with the certificates installed.  What configuration change am I supposed to make so that this works/displays correctly on the Mac?

    If I delete the certificates then I get an e-mail with the attachment smime.p7m.

    I tried a bunch of different searches on the internet without any luck finding how to fix it.

    Thank you!

    Duane

    S/MIME support seems to be broken in the current version of mail. I don't know of a workaround and I don't know when it will be fixed.

  • iTunes started putting my albums and playlists in alphabetical order.  How do I return them to the right order?

    Within the last week or so, iTunes began ordering my albums and playlists alphabetically.  It ruins the continuity of albums such as Dark Side of the Moon, for example.  How can I get it changed?  I don't want my music in alphabetical order.

    In Songs or other list views, sort on the Album column. This should put albums in the correct order. If this isn't the problem, could you please provide a few details.

    TT2

  • Hello, I have a MacBook Pro 2011, and within a few days my battery started swelling; after that I ordered a new one, and after only a day of use my new battery began to swell again. What could be the problem? Help me, I am a student and I can't buy a new one.

    Is it because of power problems?

    Take it back to the Apple Store and ask them to check it out. It should be under warranty. Bring the MBP along too. It sounds like there might be a problem with it.

  • 15-r036tu: PCI encryption and decryption HP 15-r038tu

    Dear Sir,
    I purchased a new laptop, model number 15-r036tu. I got this laptop with Windows 8.1; after using it a few months I was not at ease with 8.1, so I downgraded from 8.1 to Windows 7 (32 bit). Now all my software is missing, but I can download all my software except PCI encryption and decryption. I tried to download this software by going to Computer Management and making a right click, but it fails to update the driver. Please give me any advice or links on how to download the software.

    Thank you
    Og2

    Hello:

    You need the driver for this device...

    Intel Trusted Execution Engine Interface driver
    Version:

  • Encrypt and decrypt the algorithm for visual basic 6

    I would like a complex algorithm in Visual Basic 6 code to encrypt and decrypt ini files, to encrypt credentials.

    Kindly help.

    Hello

    I suggest you ask your question at the link below:

    http://social.msdn.Microsoft.com/forums/en-us/category/VisualStudio, vslanguages, vstfs, netdevelopment, vsarch

  • Host process has stopped working and Windows will close the program...

    I get errors that the host process has stopped working and the program will be closed... when I open Windows Media Center on my Acer 6930G laptop. Also I get error messages whenever I close a web page; i.e. Internet Explorer closes and the problem lies there...

    Hello

    Try this, it will help you.

    http://www.online-tech-tips.com/computer-tips/host-process-for-Windows-services-stopped-working/

  • host process no longer works and removes my default printer

    Host process no longer works and removes my default printer.  I need to reinstall my printer software for Vista; a few hours later it is down again.

    Hello

    -First check with the printer manufacturer for updated drivers and problems as well as their forums (if any).

    Download - SAVE - go to where you put them - click on - RUN AS ADMIN

    If this did not help.

    I would REBOOT and when the computer stabilizes after a few minutes, and then remove the printer.

    Then REBOOT again and go through this troubleshooting, and only after that re-install the
    printer. Be sure to install the latest drivers.

    Add or remove a printer
    http://Windows.Microsoft.com/en-us/Windows-Vista/add-or-remove-a-printer

    ===============================================================

    What is rundll32.exe and why is it running?
    http://www.howtogeek.com/HOWTO/Windows-Vista/what-is-rundll32exe-and-why-is-it-running/

    What is the suspicious Rundll32.exe process?
    http://WindowsXP.MVPs.org/Rundll32.htm

    -----------------------------------------------------

    Follow these steps to remove corruption and repair or replace missing/damaged system files.

    Run DiskCleanup - start - all programs - Accessories - System Tools - Disk Cleanup

    Start - type in the search box - find command top - RIGHT CLICK – RUN AS ADMIN

    sfc /scannow

    How to analyze the log file entries that the Microsoft Windows Resource Checker (SFC.exe) program
    generates in Windows Vista cbs.log
    http://support.Microsoft.com/kb/928228

    Then, run checkdisk - schedule it to run at next boot, then apply OK your way out, then restart.

    How to run the check disk at startup in Vista
    http://www.Vistax64.com/tutorials/67612-check-disk-Chkdsk.html

    -----------------------------------------------------

    If no joy trying to determine what is the cause:

    How to troubleshoot a problem by performing a clean boot in Windows Vista
    http://support.Microsoft.com/kb/929135
    How to troubleshoot performance issues in Windows Vista
    http://support.Microsoft.com/kb/950685

    Optimize the performance of Microsoft Windows Vista
    http://support.Microsoft.com/kb/959062
    To see everything that is loading at startup - wait a few minutes with nothing to do - then right-click
    Taskbar - Task Manager - Processes - take a look at sorted by - Services - this is a quick way
    to reference (if you have a small box at the bottom left - show for all users, then check that).

    How to check and change Vista startup programs
    http://www.Vistax64.com/tutorials/79612-startup-programs-enable-disable.html

    A quick check to see who are loading is method 2 - using MSCONFIG, then post a list
    of these here.

    --------------------------------------------------------------------

    Tools that should help you:

    Process Explorer - free - find out what files, registry keys and other objects processes have
    open, which DLLs they have loaded and more. This exceptionally effective utility will even show
    you who owns each process.
    http://TechNet.Microsoft.com/en-us/Sysinternals/bb896653.aspx

    Autoruns - free - see what programs are configured so that it starts automatically when your system
    boots and you login. Autoruns shows you the full list of registry and file locations where
    applications can configure Auto-start settings.
    http://TechNet.Microsoft.com/en-us/sysinternals/bb963902.aspx
    Process Monitor - Free - monitor the system files, registry, process, thread and DLL real-time activity.
    http://TechNet.Microsoft.com/en-us/Sysinternals/bb896645.aspx

    There are many excellent free tools from Sysinternals
    http://TechNet.Microsoft.com/en-us/Sysinternals/default.aspx

    WhatsInStartUP - free - this utility displays the list of all applications that are loaded automatically
    when Windows starts. For each application, the following information is displayed: Startup Type
    (Registry/Startup folder), Command-Line String, Product Name, File Version, Company Name,
    Location in the Registry or the file system, and more. It allows you to easily disable or remove an
    unwanted program that runs at Windows startup.
    http://www.NirSoft.NET/utils/what_run_in_startup.html

    There are many excellent free tools to NirSoft
    http://www.NirSoft.NET/utils/index.html

    Window Watcher - free - do you know what is running on your computer? Maybe not. The window
    Watcher says it all, reporting of any window created by running programs, if the window
    is visible or not.
    http://www.KarenWare.com/PowerTools/ptwinwatch.asp

    Many excellent free tools and an excellent newsletter at Karenware
    http://www.KarenWare.com/

    Hope this helps.

    Rob Brown - MS MVP - Windows Desktop Experience: Bike - Mark Twain said it right.

  • Program will not open; the program is called Processing Modflow 5.3 and was built in the beginning of the 1990s

    original title: program does not open
    I'm trying to run an .exe on Windows 7 (64-bit).  The program is called Processing Modflow 5.3 and was built in the 1990s.  I tried running as an administrator and with different compatibility settings.  It starts and appears in the taskbar, but does not open as a window.  Help, please.

    I have experienced the same problem with Processing Modflow 5 and was able to bring it to the screen thanks to your tip on moving it with the arrow keys.

    Thanks for the help!
