
New Member

crypto map access-lists / Problem if more than one entries?

Access List For IPSec allowed traffic.

I was recently setting up a VPN between two sites and I came across the following problem:

I wanted to set up a VPN for only 2 workstations from site A to a Class C network at site B.

So I created an access-list as follows:

access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255

access-list 101 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255

When I applied the above access-list to the crypto map (match address 101), I soon realized that only the first host (192.168.0.1) was successfully being encrypted while the second one could not. I was getting errors in the IPsec debugging saying that traffic to 192.168.0.2 is denied by the access-list.

When I changed the above access-list to the following:

access-list 101 permit ip 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255

both workstations could successfully be encrypted through the IPsec tunnel.

By looking further into it I realised that only the first entry of the IPsec access-list was actually tested for matching traffic!!

Is this normal behaviour or a known bug??? Any workarounds to this problem?

Regards.


2 REPLIES
Bronze

Re: crypto map access-lists / Problem if more than one entries?

Hi,

Your original ACL should also work; make sure that you don't have any other crypto map ... overlapping with the ACL.

Check other access-lists on the router interfaces.

Thx

Afaq

New Member (Accepted Solution)

Re: crypto map access-lists / Problem if more than one entries?

If you have an ipsec-manual crypto map, you can specify just one ACE entry in the crypto ACL. Check the 12.2 docs:

Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry and subsequent entries are ignored. In other words, the security associations established by that particular crypto map entry are only for a single data flow. To be able to support multiple manually established security associations for different kinds of traffic, define multiple crypto access lists, and then apply each one to a separate ipsec-manual crypto map entry. Each access list should include one permit statement defining what traffic to protect.
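The check below is an added example, not code from the thread or from Cisco: a small configuration audit that flags exactly the situation the accepted answer describes, an ipsec-manual crypto map entry whose crypto ACL carries more than one permit ACE, so that only the first flow is protected and the others are silently dropped as "denied by access-list". The two sample configurations are constructed for the example (the crypto map name SITEB, the peer address, the transform-set name and the session-key values are all assumptions); the first reproduces the poster's two-ACE list, the second applies the documented workaround of one single-permit ACL per ipsec-manual entry. ipsec-isakmp entries are exempt from the check, since the single-ACE restriction applies only to manual keying.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's setup on a manually keyed crypto map.
# Only the first permit of ACL 101 will ever be honoured by this entry.
BROKEN_CONFIG = """\
access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255
crypto map SITEB 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set MYSET
 set session-key inbound esp 1000 cipher 0123456789abcdef
 set session-key outbound esp 1001 cipher 0123456789abcdef
 match address 101
"""

# Constructed sample: the workaround from the accepted answer. One crypto ACL
# per data flow, each with a single permit, each on its own ipsec-manual entry.
FIXED_CONFIG = """\
access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255
crypto map SITEB 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set MYSET
 set session-key inbound esp 1000 cipher 0123456789abcdef
 set session-key outbound esp 1001 cipher 0123456789abcdef
 match address 101
crypto map SITEB 20 ipsec-manual
 set peer 203.0.113.2
 set transform-set MYSET
 set session-key inbound esp 1002 cipher 0123456789abcdef
 set session-key outbound esp 1003 cipher 0123456789abcdef
 match address 102
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\b(.*)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(ipsec-manual|ipsec-isakmp)\b")
MATCH_RE = re.compile(r"^\s*match address\s+(\S+)")


def parse_config(text):
    """Collect permit counts per numbered ACL and the crypto map entries with
    their mode and 'match address' ACL. Only the classic numbered ACL syntax
    used in the thread is parsed; named ACLs would need an extra rule."""
    permits = defaultdict(list)          # acl -> list of permit ACE texts
    entries = []                         # crypto map entries in config order
    current = None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            if m.group(2) == "permit":
                permits[m.group(1)].append(line.strip())
            continue
        m = MAP_RE.match(line)
        if m:
            current = {"name": m.group(1), "seq": int(m.group(2)),
                       "mode": m.group(3), "acl": None}
            entries.append(current)
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            current["acl"] = m.group(1)
    return permits, entries


def find_ignored_aces(text):
    """Return one finding per ipsec-manual crypto map entry whose crypto ACL
    has more than one permit ACE: (map name, seq, acl, permit count). The
    second and later permits are the flows the router will not protect."""
    permits, entries = parse_config(text)
    findings = []
    for e in entries:
        if e["mode"] != "ipsec-manual" or e["acl"] is None:
            continue
        count = len(permits.get(e["acl"], []))
        if count > 1:
            findings.append((e["name"], e["seq"], e["acl"], count))
    return findings


def report(text):
    """Human-readable summary naming the ACE that is honoured and the ones ignored."""
    permits, _ = parse_config(text)
    lines = []
    for name, seq, acl, count in find_ignored_aces(text):
        aces = permits[acl]
        lines.append(f"crypto map {name} {seq} (ipsec-manual) uses ACL {acl} "
                     f"with {count} permits; only '{aces[0]}' is protected")
        for ignored in aces[1:]:
            lines.append(f"  ignored: '{ignored}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BROKEN_CONFIG) or "no findings")
    print(report(FIXED_CONFIG) or "no findings")
```

Run against a saved `show running-config`, the audit turns the poster's debugging session into a one-line finding before the tunnel is ever brought up. It deliberately reports the first permit as the one flow that is protected, which matches the observation in the question that only 192.168.0.1 was encrypted.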
