Cisco Support Community

subnetmask in crypto acl changes when used in ipsec tunneling

I have a strange problem when setting up an IPsec tunnel between my Cisco ASA 5520 (8.3(2)) and a remote Firewall1. At both firewalls we configure the ACLs with one entry for each network we want tunneled. On my side these networks are , , and . At the remote site the network is . Traffic to/from the and works fine, but we cannot initiate traffic from the remote site to or ; the logs say that the ACLs do not match. What I think is happening is that even if we configure one entry per network in the ACL, one of the firewalls "simplifies" the and and instead uses (mask ). This address/mask should include both networks, but I think that the firewalls see this as a mismatch.

Any tips on this?


Re: subnetmask in crypto acl changes when used in ipsec tunnelin


If you define the crypto identities as /24 mask that's what it should use.

You can check it by doing a "sh cry ipsec sa" and checking the SAs for the identities (it will show the networks with the masks being used to send traffic through the tunnel).

Unless you actually configure the interesting traffic to be /23, it shouldn't use this mask.
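The check suggested above (compare the identities in "show crypto ipsec sa" against the networks the crypto ACL is written for) is easy to do by hand for two entries but error-prone for many. The following script is an added example, not code from the thread or from Cisco: it parses the "local ident / remote ident" lines of a constructed sample modelled on the ASA output format, and flags any negotiated local identity that is wider than a configured ACL network (the /23-covering-two-/24s situation the question describes), plus any configured network that has no exact SA at all. The addresses are RFC 5737 documentation ranges and hypothetical 10.10.x.0 networks, not the poster's; the sample text and the configured network list are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the ASA "show crypto ipsec sa" output format
# (not a real capture). The first SA carries the /24 identity the ACL asked for;
# the second was negotiated with a /23 local identity that covers two configured /24s.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2

      local ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
"""

# Hypothetical: the networks the crypto ACL on this side lists, one entry per network.
CONFIGURED_LOCAL_NETWORKS = [
    "192.0.2.0/24",
    "10.10.4.0/24",
    "10.10.5.0/24",
]

# Matches "local ident (addr/mask/prot/port): (A.B.C.D/M.M.M.M/prot/port)".
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)"
)


def parse_identities(show_output: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Extract (side, network) pairs from every local/remote ident line.
    The ASA prints a dotted mask; ipaddress accepts 'addr/dotted-mask' directly."""
    idents = []
    for side, addr, mask in IDENT_RE.findall(show_output):
        idents.append((side, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return idents


def compare_local_identities(show_output: str, configured: List[str]) -> Dict[str, list]:
    """Classify each negotiated local identity against the configured ACL networks.

    exact      - identity is one of the configured networks (what the ACL asked for)
    supernet   - identity is wider than configured networks and covers them
                 (the summarised /23 the question describes); lists what it covers
    unexpected - identity matches no configured network at all
    missing    - configured networks with no exact SA, i.e. the ones whose
                 traffic the peer would log as not matching its ACL
    """
    wanted = [ipaddress.ip_network(n) for n in configured]
    result: Dict[str, list] = {"exact": [], "supernet": [], "unexpected": [], "missing": []}
    for side, net in parse_identities(show_output):
        if side != "local":
            continue
        if net in wanted:
            result["exact"].append(str(net))
            continue
        covered = [str(w) for w in wanted if w.subnet_of(net)]
        if covered:
            result["supernet"].append((str(net), covered))
        else:
            result["unexpected"].append(str(net))
    result["missing"] = [str(w) for w in wanted if str(w) not in result["exact"]]
    return result


if __name__ == "__main__":
    report = compare_local_identities(SAMPLE_SHOW_CRYPTO_IPSEC_SA, CONFIGURED_LOCAL_NETWORKS)
    for key, items in report.items():
        print(f"{key:10s}: {items}")
```

Run against real output by pasting the "show crypto ipsec sa" text into SAMPLE_SHOW_CRYPTO_IPSEC_SA (or reading it from a file) and listing the networks from your own crypto ACL in CONFIGURED_LOCAL_NETWORKS. A non-empty "supernet" entry on one side paired with "missing" entries on the other is the mask mismatch the thread is about, and points at whichever peer is summarising its proxy identities rather than at the ACL itself.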


Re: subnetmask in crypto acl changes when used in ipsec tunnelin

Checkpoint has a "send subnet/netmask" flag somewhere in the config of the VPN; look for that, sounds like that's your problem.
