Cisco Support Community

New Member

Strange Access-list !!

Hi all, I have 2 routers connected via a serial link, RA and RB. RA has a PC in its LAN with IP, RB has a PC with IP. Now I am deploying a very SIMPLE site-to-site VPN with this access-list on both sides:

access-list 111 per ip

Now I think that it should work, but it didn't. I want to know why that is??? When traffic originates from doesn't it match?? Can someone clear my confusion?



Re: Strange Access-list !!

Hi There

Is the wildcard mask you are using correct, or is this a typing error?

Are you sure that is a valid wildcard mask? I have never seen a wildcard mask like this.

Can I ask what you wish to achieve with the access list you are applying?

Best Regards,


Cisco Employee

Re: Strange Access-list !!


The ACL "access-list 111 permit ip" will allow all hosts with 10.x.y.30 to any IPv4 address in As such it is somewhat unusual, but correct.

To have maximum control one would rather use

access-list 111 permit ip host host

access-list 111 permit ip host host

This would only allow your two PCs to exchange traffic.

Regarding your problem: it will be helpful to post your IPsec configuration, as the problem might be somewhere else. Did you check if the tunnel comes up?

Hope this helps! Please use the rating system.

Regards, Martin


Re: Strange Access-list !!

Hi Martin

Well, that just blows everything I thought I knew (through CCNA studies) right out of the water.

I always thought that the wild card mask was the inverse of the subnet mask.


subnet mask -or- 11111111.11111111.11111111.00000000

Wildcard mask -or- 00000000.00000000.00000000.11111111

Now it appears that you can create wildcard masks any way you like and there is no structure to adhere to.

Is there some book that I can read up on this use of wildcard masks?

Best Regards,


New Member

Re: Strange Access-list !!

Dear Michael, there is a misconception that wildcards are strictly the inverse of the subnet mask; you can check this by doing simple filtering with a simple access-list. Now, regarding what I want to do, it is as follows:

I am trying to deploy GET VPN in my environment. I have 100 branches country-wide and each branch has a server whose traffic needs to be encrypted. Now, this is common in every server IP: 10.x.x.30, e.g.,,,. Now the access-list cannot be defined on the group members, so I want to create an access-list on a key server that just permits the traffic sourced from my server (10.x.x.30) and destined to any network ( ). I hope you guys now get an idea of what I am trying to achieve, but before that I tried testing this access-list with a simple site-to-site VPN and it didn't work. I didn't get it: this statement is correct, then why is it not working???

Anybody??

Hall of Fame Super Silver

Re: Strange Access-list !!


It is a common understanding but not really correct that wildcard masks are always the inverse of subnet masks. If you change always to usually then the statement is correct. The wildcard mask is usually the inverse of the subnet mask but it is not always.

A key difference is that subnet masks have a requirement that the binary 1s and 0s be contiguous. So a subnet mask of is invalid. But its inverse is quite valid.

In a lot of access lists we want to permit or deny particular subnets and so the wildcard mask that we use is the inverse of the subnet mask. But sometimes we want the access list to match on things that are not particular subnets (like match on any host equal to 30 in the class A network 10).
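An added example, not from the thread, of the wildcard-mask semantics described above: bit-level matching the way an IOS ACL evaluates a source/destination pair, plus the contiguity check that applies to subnet masks but not to wildcard masks. The address 10.0.0.30 with wildcard 0.255.255.0 is a constructed value standing in for the "any host equal to 30 in network 10" case (the thread's own addresses are not visible on the page), and the function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_subnet_mask(mask: str) -> bool:
    """Subnet masks must be contiguous 1s followed by 0s (255.0.0.255 is invalid).
    Wildcard masks have no such rule, which is the point made above."""
    inv = (~to_int(mask)) & ALL_ONES
    # inv must be 2**n - 1: a run of low-order 1s with nothing set above it
    return inv & (inv + 1) == 0


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """IOS ACL semantics: wildcard bit 1 = don't care, 0 = must equal the address bit."""
    care = (~to_int(wildcard)) & ALL_ONES
    return (to_int(address) & care) == (to_int(candidate) & care)


def ace_matches(ace: dict, src: str, dst: str) -> bool:
    """Evaluate one 'permit ip <src> <src_wc> <dst> <dst_wc>' entry against a packet."""
    return (wildcard_matches(ace["src"], ace["src_wc"], src)
            and wildcard_matches(ace["dst"], ace["dst_wc"], dst))


# Constructed ACE: "permit ip 10.0.0.30 0.255.255.0 0.0.0.0 255.255.255.255",
# i.e. any host whose last octet is 30 inside 10/8, to any destination.
SERVER_ACE = {"src": "10.0.0.30", "src_wc": "0.255.255.0",
              "dst": "0.0.0.0", "dst_wc": "255.255.255.255"}

if __name__ == "__main__":
    for pkt in [("10.1.2.30", "172.16.5.9"),      # branch server -> anywhere: match
                ("10.1.2.31", "172.16.5.9"),      # wrong last octet: no match
                ("192.168.1.30", "172.16.5.9")]:  # last octet 30 but outside 10/8
        print(pkt, ace_matches(SERVER_ACE, *pkt))
    print("255.255.255.0 valid subnet mask:", is_valid_subnet_mask("255.255.255.0"))
    print("255.0.0.255 valid subnet mask:", is_valid_subnet_mask("255.0.0.255"))
```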



New Member

Re: Strange Access-list !!

Dear Martin, my ISAKMP tunnel comes up. I have done this configuration a hundred times; the only difference today was the access-list, and even then the tunnel came up, that is, "show crypto isakmp sa" showed me idle in the connected state, which means that the tunnel is up. OK, I am posting my actual configuration, please check it at your end:

RA connected via serial 2/0 to RB serial 2/0

crypto isakmp key cisco123 address 11.x.x.2
crypto isakmp policy 10
 authentication pre-share
 encryption des
 group 2
 hash md5
crypto ipsec transform-set aset esp-des esp-md5-hmac
access-list 111 per ip
crypto map my 10 ipsec-isakmp
 match address 111
 set peer 11.x.x.2
 set transform-set aset
interface se 2/0
 ip address 11.x.x.1
 crypto map my

Now you know the other side's configuration is an exact replica.

Can you kindly check it at your end?