11-24-2008 09:11 AM - edited 02-20-2020 09:41 PM
Hello
Is it only important that the entries on a crypto ACL are identical on both ends, or does the order in which they were entered matter too? I mean, for instance:
On one end:
A->B
A->C
On the other:
C->A
B->A
Could it be a reason for failure?
Thank you!
Guido
11-24-2008 09:31 AM
Guido,
The crypto ACLs have to be identical, that is, mirror images of each other, but the order does not matter.
Regards,
Arul
*Pls rate if it helps*
11-24-2008 11:36 AM
Guido
From memory, at least on PIX v6.x code, it can make a difference. The issue is if your crypto access-list subnets overlap. So:
site A
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
Site B
access-list vpn1 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn2 permit ip 172.16.0.0 255.255.255.0 192.168.5.0 255.255.255.0
I have seen this configuration not work correctly because 172.16.5.0 falls under 172.16.0.0 so on Site A the first line is matched but the 2 peers are different so the remote and local subnets do not match.
Like I say, I have never tested this on v7.x code, but if you suspect this may be causing a problem, always put the more specific subnets before less specific subnets.
Edit - apologies, but it has been a while since I saw this behaviour. It produces a specific error message, but due to time and old age :-) I can't remember the actual message. If you are having problems, please post the error message.
Jon
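To make the two points in this thread concrete (Arul's: the entries must be mirror images, order aside; Jon's: with overlapping subnets, first-match order decides which entry, and therefore which proxy identity, a given flow selects), here is an added example in Python. It is not code from the thread or from Cisco; it is a simplified model of first-match crypto ACL evaluation, and the overlapping subnets it uses are constructed so that both the source and the destination of a flow fall inside a broad entry as well as a specific one, which is a more general case than Jon's PIX example. The helper names (parse_acl, mirrored_entries, proxy_ids_agree) are my own.

```python
import ipaddress

def parse_acl(text):
    """Parse PIX-style 'access-list NAME permit ip SRC SMASK DST DMASK' lines
    (netmask form, as in Jon's post) into a list of (local_net, remote_net)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported line: {line}")
        local = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")   # accepts a.b.c.d/netmask
        remote = ipaddress.ip_network(f"{parts[6]}/{parts[7]}")
        entries.append((local, remote))
    return entries

def first_match(acl, src, dst):
    """Index of the first entry whose local/remote pair covers src->dst, else None.
    Models the first-match selection the thread describes (a simplification)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (local, remote) in enumerate(acl):
        if s in local and d in remote:
            return i
    return None

def mirrored_entries(acl_a, acl_b):
    """Arul's rule: every entry on A has an exact mirror (src/dst swapped) on B
    and vice versa. Order is deliberately ignored by comparing sets."""
    set_a = {(local, remote) for local, remote in acl_a}
    set_b = {(remote, local) for local, remote in acl_b}
    return set_a == set_b

def proxy_ids_agree(acl_a, acl_b, src, dst):
    """Jon's concern: does the entry A selects for src->dst mirror the entry
    B selects for the return flow dst->src? If not, the proxy identities the
    two peers propose differ even though the ACLs are mirror images."""
    ia = first_match(acl_a, src, dst)
    ib = first_match(acl_b, dst, src)
    if ia is None or ib is None:
        return False
    la, ra = acl_a[ia]
    lb, rb = acl_b[ib]
    return (la, ra) == (rb, lb)

# Constructed ACLs (not the thread's): on site A the broad /16 entry is listed
# before the more specific /24 entry; site B mirrors both but lists the
# specific one first.
SITE_A = parse_acl("""
access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list vpn permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
""")
SITE_B = parse_acl("""
access-list vpn permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpn permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
""")
# Same site A entries with the more specific subnet first, as Jon recommends.
SITE_A_FIXED = [SITE_A[1], SITE_A[0]]

if __name__ == "__main__":
    print("mirror images:", mirrored_entries(SITE_A, SITE_B))
    # A flow covered by both entries: broad-first vs specific-first disagree.
    print("agree (broad first):", proxy_ids_agree(SITE_A, SITE_B, "172.16.5.10", "192.168.10.10"))
    print("agree (specific first):", proxy_ids_agree(SITE_A_FIXED, SITE_B, "172.16.5.10", "192.168.10.10"))
    # A flow covered only by the broad entry is unaffected by the ordering.
    print("agree (non-overlapping flow):", proxy_ids_agree(SITE_A, SITE_B, "172.16.1.1", "192.168.1.1"))
```

The mirror check passes for these two ACLs, yet the flow 172.16.5.10 to 192.168.10.10 is matched by the /16 entry on site A and by the /24 entry on site B, so the two sides would propose different proxy identities; moving the specific entry ahead of the broad one on site A makes them agree, while flows that only the broad entry covers agree either way.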
11-24-2008 01:16 PM
Jon
Thanks a lot!
I asked you guys about this because I recently encountered a problem with Cat6500 SPA-IPSec service modules and we are now paying special attention to ACLs among other things. In this case I meant Cisco IOS, but as a general rule it is safer to keep more specific entries first.
Thanks again!
Guido