Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

specifying tcp ports on a vpn's acl

I need to create a site to site vpn tunnel and was told that its not a good idea to specify the tcp ports on the associated acl. The reason had something to do with the stability or reliability of the tunnel. From a security standpoint, I would think that having the ports would be better. what's the best way to go?

Cisco Employee

Re: specifying tcp ports on a vpn's acl

using port range in the crypto ACL is never recommended because every port in the

specified port range will create a tunnel. It put a heavy load on the vpn gateway and

could crash the device if it can't handle that many tunnels.

The better way,use " ip " or " tcp " in not specify the port.

Regarding security,traffic is already encrypted over the tunnel.So,I do not see any threats.

Do rate helpful posts.



New Member

Re: specifying tcp ports on a vpn's acl

thanks, let me ask the question a different way, if its the interesting traffic that needs the tcp port, does that make a difference? Or, for the interesting traffic, is it still recommended to not use the tcp port?