IPSEC Policy behavior - Network
-
IPSEC Policy behavior
Hi,
I've the following problem setting up an IPSEC policy.
I want to use IPSEC policy to restrict traffic from a server.
So I defined a policy with several rules.
There are several "permit" rules which should permit the allowed traffic,
then I create a "deny IP" policy to block all IP traffic.
But as soon as I enable the "deny IP" rule the traffic doesn't flow as
expected, rather is blocked.
Should it work as I expect?
Thanks
-
Re: IPSEC Policy behavior
IPsec rules follow specificity. A generic "deny all" rule is the least
specific, so it will be followed only if traffic doesn't match any other
rule.
Please reply with the following additional information:
* The OS you're using, and the service pack level
* Your rules
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"Stefano Colombo" wrote in message
news:A1DFF0F7-129B-4798-BC35-7093D176EC50@microsoft.com...
> Hi,
> I've the following problem setting up an IPSEC policy.
> I want to use IPSEC policy to restrict traffic from a server.
> So I defined a policy with several rules.
> There are several "permit" rules which should permit the allowed traffic,
> then I create a "deny IP" policy to block all IP traffic.
> But as soon as I enable the "deny IP" rule the traffic doesn't flow as
> expected, rather is blocked.
>
> Should it work as I expect?
> Thanks
>
-
RE: IPSEC Policy behavior
On microsoft.com/ipsec there is a filter weight article that should help.
"Stefano Colombo" wrote:
> Hi,
> I've the following problem setting up an IPSEC policy.
> I want to use IPSEC policy to restrict traffic from a server.
> So I defined a policy with several rules.
> There are several "permit" rules which should permit the allowed traffic,
> then I create a "deny IP" policy to block all IP traffic.
> But as soon as I enable the "deny IP" rule the traffic doesn't flow as
> expected, rather is blocked.
>
> Should it work as I expect?
> Thanks
>
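
The specificity rule described in Steve Riley's reply, and the filter weighting the last reply points to, sketched as an added example that is not part of the thread and is not Windows' actual weight calculation. It is a simplified Python model in which the most specific matching filter decides the action regardless of list order; the `Filter` class, the scoring, the `mirrored` field, the addresses and the policy are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

SERVER = "192.0.2.10"  # constructed documentation address

@dataclass(frozen=True)
class Filter:
    name: str
    action: str               # "permit" or "block"
    src: str = "0.0.0.0/0"    # default: any source
    dst: str = "0.0.0.0/0"    # default: any destination
    proto: str = "any"        # "tcp", "udp" or "any"
    dst_port: int = 0         # 0 means any port
    mirrored: bool = True     # also match the reverse direction

    def _one_way(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dst_port in (0, dport))

    def matches(self, src, dst, proto, sport, dport):
        # A mirrored filter also matches the packet with both ends swapped.
        return (self._one_way(src, dst, proto, dport)
                or (self.mirrored and self._one_way(dst, src, proto, sport)))

    def specificity(self):
        # Simplified weight (assumption): longer prefixes, a named protocol
        # and a named port each make the filter more specific.
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + (self.proto != "any") + (self.dst_port != 0))

def decide(filters, src, dst, proto, sport, dport):
    """Return (action, filter name) of the most specific matching filter."""
    hits = [f for f in filters if f.matches(src, dst, proto, sport, dport)]
    if not hits:
        return ("permit", None)   # assumption: unmatched traffic is untouched
    best = max(hits, key=Filter.specificity)
    return (best.action, best.name)

# Constructed policy; the generic block is listed first to show that list
# order does not decide the outcome.
POLICY = [
    Filter("block-all", "block"),
    Filter("permit-https", "permit", dst=SERVER + "/32", proto="tcp", dst_port=443),
    Filter("permit-dns-out", "permit", src=SERVER + "/32", proto="udp", dst_port=53),
]
```

In this model a client connection to port 443 and the server's reply both resolve to `permit-https`, while a connection to port 22 falls through to `block-all`. Setting `mirrored=False` on the permit filter makes the reply from port 443 fall through to `block-all` as well.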