Crypto ACL entries arrangement

ggalteroo
Level 1

Hello

Is it only important that the entries in a crypto ACL are identical on both ends, or does the order in which they were entered matter too? I mean, for instance:

On one end:

A->B

A->C

On the other:

C->A

B->A

Could it be a reason for failure?

Thank you!

Guido

3 Replies

ajagadee
Cisco Employee

Guido,

The crypto ACLs have to be identical, that is, mirror images of each other, but the order does not matter.

Regards,

Arul

*Pls rate if it helps*

Jon Marshall
Hall of Fame

Guido

From memory, at least on PIX v6.x code, it can make a difference. The issue is if your crypto access-list subnets overlap. So:

Site A

access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0

access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0

Site B

access-list vpn1 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list vpn2 permit ip 172.16.0.0 255.255.255.0 192.168.5.0 255.255.255.0

I have seen this configuration not work correctly because 172.16.5.0 falls under 172.16.0.0, so on Site A the first line is matched, but the two peers are different, so the remote and local subnets do not match.

Like I say, I have never tested this on v7.x code, but if you suspect this may be causing a problem, always put the more specific subnets before less specific subnets.

Edit - apologies, but it has been a while since I saw this behaviour. It produces a specific error message, but due to time and old age :-) I can't remember the actual message. If you are having problems, please post the error message.

Jon
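As an added example (not code from this thread), here is a small Python checker that applies both answers above: Arul's order-insensitive mirror test, and a shadowing test for the overlap case Jon describes. The sample ACLs are constructed from the subnets in Jon's post (SITE_B is a properly mirrored copy entered in the opposite order, OVERLAP is a constructed case); the checker assumes entries are evaluated in the order listed and, following normal ACL matching, only flags a later entry when both its source and its destination fall inside an earlier entry of a different ACL.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' lines (PIX/IOS
    syntax) into (name, src_net, dst_net) tuples, preserving input order."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) < 8 or p[0] != "access-list" or p[2] != "permit":
            continue  # skip blanks, remarks and anything that is not a permit
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        entries.append((p[1], src, dst))
    return entries

def is_mirror(local, remote):
    """Arul's rule: every local (src, dst) must appear remotely as (dst, src).
    Sets are compared, so the order the lines were typed in is irrelevant."""
    return {(s, d) for _, s, d in local} == {(d, s) for _, s, d in remote}

def shadowed_entries(entries):
    """Jon's overlap problem: an entry is shadowed when an earlier entry of a
    different ACL (a different peer) already covers both its source and its
    destination, so the later, more specific entry is never matched.
    Assumes entries are evaluated in the listed order (crypto map sequence)."""
    shadowed = []
    for i, (name, src, dst) in enumerate(entries):
        for ename, esrc, edst in entries[:i]:
            if ename != name and src.subnet_of(esrc) and dst.subnet_of(edst):
                shadowed.append((name, str(src), str(dst), ename))
                break
    return shadowed

# Constructed samples: SITE_A reuses Jon's Site A subnets, SITE_B is its
# mirror image entered in the opposite order, OVERLAP is a constructed case
# where both source and destination of the second line sit inside the first.
SITE_A = [
    "access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0",
    "access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0",
]
SITE_B = [
    "access-list vpn2 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0",
    "access-list vpn1 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0",
]
OVERLAP = [
    "access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0",
    "access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0",
]
```

Running `is_mirror(parse_acl(SITE_A), parse_acl(SITE_B))` returns True despite the reversed order, while `shadowed_entries(parse_acl(OVERLAP))` flags the vpn2 line and reordering OVERLAP with the more specific line first clears it.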

Jon

Thanks a lot!

I asked you guys about this because I recently encountered a problem with Cat6500 SPA-IPSec service modules, and we are now paying special attention to ACLs among other things. In this case I meant Cisco IOS, but as a general rule it is safer to keep more specific entries first.

Thanks again!

Guido
