
What is the difference among Normal ACL, crypto ACL, ACL Manager


I am new to Cisco site-to-site VPN. I have deployed a new site-to-site VPN. Request help to understand a few concepts.

1). I need to understand the basic difference among Normal ACL, crypto ACL, ACL Manager.

2). If I want to pass my traffic through VPN rather than direct open internet, where exactly should I make the ACL entry? Is NAT Exempt mandatory?

3). If I make the same ACL entry in Normal ACL rules and also in Crypto ACL rules, which one will be preferred for sending traffic?

4). What are the available commands on CLI for checking whether specified traffic is going through VPN or direct open internet? Is there any way to verify the same on ASDM?



I guess you are partly referring to the terms used in the ASDM Configuration section.

I don't personally use ASDM all that much, as I do most configurations through CLI, so I might not be familiar with all the terms used on the ASDM side.

Generally speaking, the terms you mention mean the following:

  • Normal ACL I assume refers to the ACLs that you are using on the ASA interfaces to control traffic. These ACLs are usually attached in the inbound direction to the ASA interface, in which case they control traffic that is coming from the network behind that interface towards (inbound to) that interface. In other words, they are heading out towards some destination hosts behind a different ASA interface. There is usually no need to define an outbound ACL.
  • Crypto ACL usually refers to the ACL you define in a L2L VPN configuration to define the local/remote networks of the VPN connection. This tells the ASA between which networks or hosts traffic should be forwarded through VPN, and through which VPN. I guess a Split Tunnel ACL in VPN Client setups could also be called a Crypto ACL, but to me it usually refers to the L2L VPN connection's ACL.
  • ACL Manager: I am not completely sure about this. There is a section in the ASDM called this. It seems to me to be the section where you can see all the ACLs currently configured on your ASA firewall. Notice though that not all of the ACLs are necessarily attached to any interface or used in some other role.

With regards to your second question,

The Crypto ACL that is used in the "crypto map" configuration tells the ASA what traffic needs to be forwarded through a VPN connection. You define source network/host and a destination network/host (or multiple of both) which tells the ASA what traffic to forward.

The NAT configuration is not that clear. Most of the time you will configure NAT0, as you might be connecting 2 offices together through the Internet with the help of L2L VPN. Then it's natural to configure NAT0 so that your 2 LAN networks can directly communicate using their local IP addresses. In some cases you might, on the other hand, want to use a public IP address even through the L2L VPN connection. In this case you naturally would not configure NAT0 (unless you actually had a public IP address/subnet in your LAN network), but you would rather define that public IP address as the source in the Crypto ACL.

With regards to your third question,

These 2 different ACLs (if we are talking about interface ACLs and Crypto ACLs) don't really "compete" with each other. When traffic attempts to pass through the ASA, the interface ACL is checked first. Then the NAT is applied (depending on whether it's configured or not), and after this the traffic is matched against the Crypto ACL.

So let's say you configured a L2L VPN and your aim was to have the LAN networks at both ends connect to each other with their original IP addresses; then you would need a NAT0 configuration to avoid NAT happening. You would also configure the actual local and remote network in the Crypto ACL. Now let's say you forgot to configure NAT0; then your traffic would probably match the Dynamic PAT for Internet traffic. And naturally, when this NAT is applied, the source address doesn't match the one in the Crypto ACL anymore, so the traffic is NOT passed on to the L2L VPN but rather forwarded to the Internet.

With regards to your fourth question,

There are several things that we can check. Naturally, you can check the L2L VPN configurations.

You first check the Crypto Map configurations with:

show run crypto map

Find the section for the correct L2L VPN connection on the basis of the peer IP address for example. (The lines related to one L2L VPN connection always have the same after the Crypto Map name)

Find the CLI configuration line that looks like the following:

crypto map match address

Then you can check what the ACL has configured with the command:

show run access-list

This will tell you what traffic is supposed to be passed through the L2L VPN connection.

To confirm what would happen to a certain packet that is coming from the LAN through ASA towards some remote address you can use the "packet-tracer" command. This will show a VPN Phase if it matches some VPN configuration.

Example commands could be:

packet-tracer input inside tcp 12345

packet-tracer input inside udp 12345

packet-tracer input inside icmp 8 0

The above are example commands for a TCP/UDP or ICMP test. The source interface in this case is "inside", where the connecting host would be located. In your ASA the interface might have a different name.

The Packet Tracer is also available through the ASDM in its top menus.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
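The ordering described in the answer (interface ACL, then NAT, then the Crypto ACL) can be checked offline against saved "show run" output. The following is an added example, not code from the original post or from Cisco: it parses constructed sample lines in the "crypto map ... match address" and "access-list ... extended" formats, and reports which peer (if any) a source/destination pair would be tunneled to. The caller passes the post-NAT source address, which is what makes a forgotten NAT0 visible: once the source has been translated by Dynamic PAT, it no longer matches the Crypto ACL. All IP addresses, ACL and crypto map names below are constructed.

```python
import ipaddress
import re

# Constructed sample of "show run crypto map" / "show run access-list" output (not from the page).
SHOW_RUN = """
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_10 extended permit ip host 192.168.2.5 10.20.0.0 255.255.255.0
"""


def _net(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from tokens and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Map ACL name -> list of (action, protocol, src_net, dst_net) for extended entries."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$", config, re.M):
        name, action, proto, rest = m.groups()
        toks = rest.split()
        src, dst = _net(toks), _net(toks)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def parse_crypto_maps(config):
    """Map (crypto map name, sequence) -> {'acl': ..., 'peer': ...}."""
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$", config, re.M):
        name, seq, kind, val = m.groups()
        entry = entries.setdefault((name, int(seq)), {})
        entry["acl" if kind == "match address" else "peer"] = val
    return entries


def vpn_peer_for(config, post_nat_src, dst_ip):
    """Return the peer whose Crypto ACL matches src->dst, or None if the packet would go direct."""
    src, dst = ipaddress.ip_address(post_nat_src), ipaddress.ip_address(dst_ip)
    acls = parse_acls(config)
    for (_name, _seq), entry in sorted(parse_crypto_maps(config).items()):
        for action, _proto, s, d in acls.get(entry.get("acl"), []):
            if src in s and dst in d:  # first matching ACE decides, as on the ASA
                return entry.get("peer") if action == "permit" else None
    return None
```

Calling vpn_peer_for with the host's real LAN address shows the tunnel match; calling it with the PAT address the "outside" interface would stamp on it shows the traffic falling through to the Internet instead.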
