Crypto ACL entries arrangement

Nov 24th, 2008

Hello

Is it only important that the entries on a crypto ACL are identical on both ends, or does the order in which they were entered matter too? I mean, for instance:


On one end:

A->B

A->C


On the other:

C->A

B->A


Could it be a reason for failure?


Thank you!

Guido

Correct Answer
ajagadee (Cisco Employee) Mon, 11/24/2008 - 09:31

Guido,


The crypto ACLs have to be identical, that is, mirror images of each other, but the order does not matter.


Regards,

Arul


*Pls rate if it helps*

Jon Marshall Mon, 11/24/2008 - 11:36

Guido


From memory, at least on PIX v6.x code, it can make a difference. The issue is if your crypto access-list subnets overlap. So:


site A


access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0

access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0


Site B


access-list vpn1 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0

access-list vpn2 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0


I have seen this configuration not work correctly because 172.16.5.0 falls under 172.16.0.0, so on Site A the first line is matched, but the two peers are different, so the remote and local subnets do not match.


Like I say, I have never tested this on v7.x code, but if you suspect this may be causing a problem, always put the more specific subnets before less specific subnets.


Edit - apologies, but it has been a while since I saw this behaviour. It produces a specific error message, but due to time and old age :-) I can't remember the actual message. If you are having problems, please post the error message.


Jon
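The two points made in this thread, that the ACLs on the two peers only need to be mirror images as sets (order does not affect identity) but that on a single box entries are tried top-down and the first match wins (so order does matter once subnets overlap), can be modelled in a few lines. The script below is an added example for this page; it is not Cisco code and does not reproduce any platform's actual implementation. The ACL names (vpn1, vpn2), subnets and test packet are constructed for the illustration, and it deliberately goes beyond Jon's configuration by letting the destination subnets overlap as well as the sources, so that a packet really can be captured by the broader entry.

```python
"""Model of crypto ACL evaluation for the two points made in this thread.

Added example, not Cisco code.  All subnets, ACL names and packets below are
constructed for the illustration.
"""
from ipaddress import IPv4Address, IPv4Network


def parse_acl(text):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines into
    (name, src_network, dst_network) tuples, preserving the configured order.
    ipaddress accepts both PIX/ASA netmasks (255.255.0.0) and IOS wildcard
    masks (0.0.255.255), so either style parses."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported line: {line!r}")
        name, src, smask, dst, dmask = parts[1], *parts[4:8]
        entries.append((name, IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
    return entries


def is_mirror(local, remote):
    """Identity check (Arul's point): compared as sets, so entry order is irrelevant.
    Every local (src, dst) pair must appear on the remote side as (dst, src)."""
    return {(s, d) for _, s, d in local} == {(d, s) for _, s, d in remote}


def first_match(entries, src_ip, dst_ip):
    """Selection (Jon's point): entries are tried in configured order and the
    first one containing both addresses wins.  Returns the ACL name or None."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    for name, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return name
    return None


def shadowed_entries(entries):
    """Lint: list (entry, earlier_entry) pairs where an earlier entry covers the
    later one on both source and destination, so the later one is never selected."""
    found = []
    for i, (name, s, d) in enumerate(entries):
        for earlier, es, ed in entries[:i]:
            if s.subnet_of(es) and d.subnet_of(ed):
                found.append((name, earlier))
                break
    return found


# Constructed Site A configurations: the same two entries, in two different orders.
SITE_A_BROAD_FIRST = """
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
SITE_A_SPECIFIC_FIRST = """
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""
# Constructed Site B configuration: the mirror image, entered in yet another order.
SITE_B = """
access-list vpn2 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpn1 permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
"""


def demo():
    broad = parse_acl(SITE_A_BROAD_FIRST)
    specific = parse_acl(SITE_A_SPECIFIC_FIRST)
    remote = parse_acl(SITE_B)
    return {
        # Both orderings are valid mirrors of Site B: order does not affect identity.
        "mirror_broad_first": is_mirror(broad, remote),
        "mirror_specific_first": is_mirror(specific, remote),
        # A packet meant for vpn2 is claimed by the broad vpn1 entry when it comes first...
        "broad_first_selects": first_match(broad, "172.16.5.1", "192.168.10.1"),
        # ...and reaches vpn2 only when the more specific entry is listed first.
        "specific_first_selects": first_match(specific, "172.16.5.1", "192.168.10.1"),
        "shadowed_broad_first": shadowed_entries(broad),
        "shadowed_specific_first": shadowed_entries(specific),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real configuration, `is_mirror` answers Guido's original question (the two sides agree regardless of entry order), while `shadowed_entries` flags the case Jon warns about: an entry that an earlier, broader line prevents from ever being selected, which is exactly what putting the more specific subnets first avoids.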

ggalteroo Mon, 11/24/2008 - 13:16

Jon

Thanks a lot!

I asked you guys about this because I recently encountered a problem with Cat6500 SPA-IPSec service modules, and we are now paying special attention to ACLs among other things. In this case I meant Cisco IOS, but as a general rule it is safer to keep more specific entries first.

Thanks again!


Guido
