Overlapping Crypto ACLs

Unanswered Question

Is it possible to create a crypto map with entries that include crypto ACLs to the most specific network destinations first, finishing with the least specific network destination (much like routing, where the most specific route is taken, even when it is part of a larger network that is routed to a different gateway)?

A part of the hypothetical config is below:

access-list 101 extended permit ip host
access-list 102 extended permit ip host
crypto map HQ 1 match address 101
crypto map HQ 1 set peer
crypto map HQ 1 set transform-set strong
crypto map HQ 2 match address 102
crypto map HQ 2 set peer
crypto map HQ 2 set transform-set strong
crypto map HQ interface outside

is within, but more specific. My understanding is that because entry 1 is matched first, it will not interfere with entry 2.

Jon Marshall Thu, 06/18/2009 - 12:09


From memory, yes, this will work as long as you make sure that the least specific match is after the most specific; otherwise you get problems with tunnel setup.


auraza Fri, 06/19/2009 - 06:11

You may see some issues in case traffic comes from peer 2 and matches 102, but on the way back matches 101 if it is addressed to a peer that falls within the 101 range. This is not recommended.
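As an added example (not from the thread and not a Cisco tool), the following Python simulation models the two behaviours the replies describe: a crypto map is walked in ascending sequence number and the first crypto ACL that permits the packet wins, so a less specific entry placed first silently shadows the specific one; and even with the specific entry first, a request that arrives from peer 2 with a source inside the more specific range gets its reply classified to peer 1, so the two directions use different tunnels. The LAN, the two remote ranges, the peer addresses and the ACL bodies are assumptions made for the example, since the original post's specifics were stripped.

```python
# Added example (not from the thread, not a Cisco tool): a small simulation of how a
# crypto map classifies traffic, used to show why entry order matters and where the
# asymmetric-return problem comes from.  The networks, peers and ACL bodies below are
# assumptions; the original post's specifics were stripped.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                        # crypto map sequence number (evaluated ascending)
    acl: str                        # crypto ACL name/number, e.g. "101"
    local: ipaddress.IPv4Network    # source of the ACL permit (our side)
    remote: ipaddress.IPv4Network   # destination of the ACL permit (remote protected side)
    peer: str                       # IPsec peer the entry points at


# Assumed topology: HQ LAN behind this device; peer 1 protects 192.168.1.0/24,
# peer 2 protects the broader 192.168.0.0/16 that contains it.
HQ_LAN = ipaddress.ip_network("10.1.0.0/16")
SPECIFIC = ipaddress.ip_network("192.168.1.0/24")
BROAD = ipaddress.ip_network("192.168.0.0/16")
PEER1 = "203.0.113.1"
PEER2 = "203.0.113.2"


def crypto_map_hq(specific_first: bool = True) -> List[CryptoMapEntry]:
    """Build the two-entry map from the question; ACL 101 is the specific one."""
    seq101, seq102 = (1, 2) if specific_first else (2, 1)
    return [
        CryptoMapEntry(seq101, "101", HQ_LAN, SPECIFIC, PEER1),
        CryptoMapEntry(seq102, "102", HQ_LAN, BROAD, PEER2),
    ]


def outbound_entry(entries: List[CryptoMapEntry], src_ip: str, dst_ip: str) -> Optional[CryptoMapEntry]:
    """Classify cleartext traffic the way a crypto map does: walk entries in ascending
    sequence number and take the first crypto ACL that permits src -> dst.  There is
    no longest-prefix logic; order alone decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        if src in entry.local and dst in entry.remote:
            return entry
    return None


def shadowed_entries(entries: List[CryptoMapEntry]) -> List[str]:
    """ACLs that can never match because an earlier entry already covers all of their
    traffic (the mis-ordering the first reply warns about)."""
    ordered = sorted(entries, key=lambda e: e.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if later.local.subnet_of(earlier.local) and later.remote.subnet_of(earlier.remote):
                shadowed.append(later.acl)
                break
    return shadowed


def inbound_accepted(entries: List[CryptoMapEntry], peer: str, src_ip: str, dst_ip: str) -> bool:
    """Decrypted traffic arriving from `peer` is only accepted if an entry bound to that
    peer permits the mirrored flow (remote -> local)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(e.peer == peer and src in e.remote and dst in e.local for e in entries)


def reply_symmetric(entries: List[CryptoMapEntry], peer: str, src_ip: str, dst_ip: str) -> bool:
    """A request src -> dst came in from `peer`.  Does the reply (dst -> src) get
    classified back to the same peer?  If not, the return traffic leaves through a
    different tunnel, which is the case the second reply describes."""
    if not inbound_accepted(entries, peer, src_ip, dst_ip):
        return False
    reply = outbound_entry(entries, dst_ip, src_ip)
    return reply is not None and reply.peer == peer


if __name__ == "__main__":
    good, bad = crypto_map_hq(True), crypto_map_hq(False)
    print("specific first, 10.1.0.10 -> 192.168.1.5 uses peer", outbound_entry(good, "10.1.0.10", "192.168.1.5").peer)
    print("least specific first, same flow uses peer", outbound_entry(bad, "10.1.0.10", "192.168.1.5").peer)
    print("shadowed ACLs in the bad order:", shadowed_entries(bad))
    print("request from peer 2 with src 192.168.1.5 returns symmetrically:",
          reply_symmetric(good, PEER2, "192.168.1.5", "10.1.0.10"))
```

The `shadowed_entries` check is the review you would want to run on any crypto map with overlapping ACLs before applying it; `reply_symmetric` shows that ordering fixes the outbound classification but cannot fix the return path once a source inside the specific range shows up behind the broader peer.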

