New Member

Crypto ACL entries arrangement

Hello

Is it only important that the entries on a crypto ACL are identical on both ends, or does the order in which they were entered matter too? I mean, for instance:

On one end:

A->B

A->C

On the other:

C->A

B->A

Could it be a reason for failure?

Thank you!

Guido

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Crypto ACL entries arrangement

Guido,

The crypto ACLs have to be identical, that is, mirror images of each other, but the order does not matter.

Regards,

Arul

*Pls rate if it helps*

3 REPLIES

Hall of Fame Super Blue

Re: Crypto ACL entries arrangement

Guido

From memory, at least on PIX v6.x code it can make a difference. The issue is if your crypto access-list subnets overlap. So:

site A

access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0

access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0

Site B

access-list vpn1 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list vpn2 permit ip 172.16.0.0 255.255.255.0 192.168.5.0 255.255.255.0

I have seen this configuration not work correctly because 172.16.5.0 falls under 172.16.0.0, so on Site A the first line is matched, but the two peers are different, so the remote and local subnets do not match.

Like I say, I have never tested this on v7.x code, but if you suspect this may be causing a problem, always put the more specific subnets before less specific subnets.

Edit - apologies, but it has been a while since I saw this behaviour. It produces a specific error message, but due to time and old age :-) I can't remember the actual message. If you are having problems, please post the error message.

Jon
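
The two points raised in this thread (Arul's: the ACLs must be mirror images but order is irrelevant; Jon's: a more specific subnet listed after a less specific overlapping one can cause the wrong entry to match) can both be checked mechanically before a tunnel is brought up. The script below is an added example, not Cisco code and not something either poster wrote. It assumes the simple `access-list NAME permit ip SRC MASK DST MASK` form used above; the Site A lines are Jon's, while the Site B lines and the typo variant are constructed here as a correct mirror and a deliberately broken one.

```python
"""Crypto ACL sanity checks: mirror-image comparison and ordering/overlap warnings.

Added example (not Cisco's or the thread's own code). Assumes the form
'access-list NAME permit ip SRC SMASK DST DMASK' only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Site A exactly as posted in the thread.
SITE_A = """
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# Constructed: a proper mirror of Site A, deliberately listed in the opposite order.
SITE_B = """
access-list vpn2 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpn1 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
"""

# Constructed: same as SITE_B but with a mask typo (/24 instead of /16) on vpn1.
SITE_B_TYPO = """
access-list vpn2 permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpn1 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.255.0
"""

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


@dataclass(frozen=True)
class AclEntry:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(config: str) -> List[AclEntry]:
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' lines, preserving order."""
    entries = []
    for raw in config.strip().splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        # ipaddress accepts an (address, dotted-netmask) tuple.
        src = ipaddress.IPv4Network((parts[4], parts[5]))
        dst = ipaddress.IPv4Network((parts[6], parts[7]))
        entries.append(AclEntry(parts[1], src, dst))
    return entries


def mirror_mismatches(local: List[AclEntry], remote: List[AclEntry]) -> Tuple[Set[Pair], Set[Pair]]:
    """Compare the local proxy identities against the remote ones with src/dst swapped.
    Sets are used, so entry order plays no part (Arul's point)."""
    local_pairs = {(e.src, e.dst) for e in local}
    remote_mirrored = {(e.dst, e.src) for e in remote}
    return local_pairs - remote_mirrored, remote_mirrored - local_pairs


def is_mirrored(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    only_local, only_remote = mirror_mismatches(local, remote)
    return not only_local and not only_remote


def ordering_warnings(entries: List[AclEntry]) -> List[Tuple[str, str, str]]:
    """Flag a later entry whose source or destination is contained in (or equal to)
    an earlier entry's. 'shadowed': both sides contained, so first-match hides it on
    any platform; 'overlap': one side contained, the case Jon describes on PIX v6."""
    warnings = []
    for i, earlier in enumerate(entries):
        for later in entries[i + 1:]:
            src_in = later.src.subnet_of(earlier.src)
            dst_in = later.dst.subnet_of(earlier.dst)
            if src_in and dst_in:
                warnings.append((earlier.name, later.name, "shadowed"))
            elif src_in or dst_in:
                warnings.append((earlier.name, later.name, "overlap"))
    return warnings


def most_specific_first(entries: List[AclEntry]) -> List[AclEntry]:
    """Stable reorder with the longest combined prefix (most specific pair) first,
    the ordering Jon recommends. Safe because crypto ACL order is otherwise irrelevant."""
    return sorted(entries, key=lambda e: e.src.prefixlen + e.dst.prefixlen, reverse=True)


if __name__ == "__main__":
    a, b = parse_acl(SITE_A), parse_acl(SITE_B)
    print("mirrored:", is_mirrored(a, b))
    print("mismatches vs typo:", mirror_mismatches(a, parse_acl(SITE_B_TYPO)))
    print("ordering warnings:", ordering_warnings(a))
    print("reordered:", [e.name for e in most_specific_first(a)])
```

Running it reports that Site A and Site B mirror each other despite the different order, pinpoints the mask typo in the broken variant, and flags vpn2 on Site A as a more specific source sitting behind the less specific vpn1; after `most_specific_first` the warning disappears.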

New Member

Re: Crypto ACL entries arrangement

Jon

Thanks a lot!

I asked you guys about this because I recently encountered a problem with Cat6500 SPA-IPSec service modules, and we are now paying special attention to ACLs among other things. In this case I meant Cisco IOS, but as a general rule it is safer to keep more specific entries first.

Thanks again!

Guido
