Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Order of ACL´s

Unanswered Question
Sep 9th, 2002
User Badges:


I´m really confused about what order the different types os ACL´s are read in a PIX.

Normally i´m used to that the ACL-list number decides the order with the start of the lowest one, but now when introducing named ACL´s, crypto ACL´s and Nonat ACL´s i´m really confused.

Please help me understand this, or send me a link to a page that clearly describes this !



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jshakyan Mon, 09/09/2002 - 22:55
User Badges:


Each ACL is used for a different purposes. For example let's say you have ACL 1, ACL 2 , named_acl, crypto_acl. Each one of these ACLs is applied to an interface or to a route map or is a part of IPSec VPN configuration under "crypto map" command. This means if a serial interface has an ACL 1 applient to an inbound traffic, the IOS will jump straight to ACL 1 to filter the incoming traffic and will not pay attention to all other ACLs configured on the router. Also when the process goes through ACL 1, it will start from the rop of the ACL and will quit as soon as a match found and will not go through the rest of the ACL.

thult Tue, 09/10/2002 - 00:23
User Badges:

OK. But for instance with IPSEC, what happenes if you assign a ACL to an inside interface and state exactly the same ACL (traffic to the other side of the VPN-tunnel) as the crypto ACL ? Which ACL will it read first ?

If you use named ACL´s, which will it read first ?

jshakyan Tue, 09/10/2002 - 23:58
User Badges:

If I understand you correctly, you mean applying the same ACL on the same PIX firewall's inside interface (for incoming traffic from inside LAN) and then use it as a crypto_ACL. If this is the case then it will of course go through the interface ACL since this ACL defines if the traffic from specified source host are allowed to enter the PIX firewall in firs place. Then if this is permitted by ACL, after IKE sessions, the IPSec will turn to crypto_ACL (in this case the same ACL) to identify the traffic that needs to be encrypted. Which ACL it will use first (named or numbered) completely depends what have you specified under interface (you can have one ACL per interface per direction) and under crypto-map statement.


This Discussion