
crypto map warning after upgrade to 6.1(1)

Hi,

After upgrading my pix from 5.2(1), to 6.1(1), I get the following warning on my crypto map. Can anyone comment on the significance of it? Thanks

netsafe1(config)# crypto map texas 22 match address 103

WARNING: access-list has port selectors may have performance impact

1 REPLY

Re: crypto map warning after upgrade to 6.1(1)

Well, it only means that you created an ACL 103 which contains TCP/UDP port statements. If you create it on the IP layer you won't see this notice.

Besides, it may have significance if you created many lines in the ACL. The more statements there are in the ACL, the more SAs created in the PIX.

I suggest if you want L3 control over the IPSec tunnel, define your IPSec in the following way:

Create the crypto ACL containing ip statements

(e.g. access-list ACL_CRYPTO permit ip host 10.1.1.1 host 172.16.3.5)

After create an ACL on the outside containing the limitation at Layer 4

(e.g. access-list OUTSIDE_L4 permit tcp host 10.1.1.1 eq 23 host 172.16.3.5)

It will only work with the "no sysopt connection permit ipsec".

Means: if the IPSec traffic is decapsulated, it is permitted or denied by the OUTSIDE_L4 ACL.

Normally we use the "sysopt connection permit ipsec".

2 notices:

the "no sysopt connection permit ipsec" command is hidden in the config.

Use this solution if you have only IPSec connections from the outside. If you have public "normal" services, think it over twice or three times before using this.

Attila Suba
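The layout the reply describes, written out as an added example rather than the poster's own configuration. It uses PIX 6.x syntax (the sysopt command in its hyphenated `permit-ipsec` form); the peer address, transform set, and the assumption that the remote host initiates telnet to the inside host are mine, not taken from the thread.

```cisco
! Added example, not the poster's config. Assumes 10.1.1.1 is an inside host,
! 172.16.3.5 sits behind the remote peer 203.0.113.10 (placeholder address),
! and the remote host should reach only telnet on 10.1.1.1 through the tunnel.

! Crypto ACL stays at Layer 3: one SA pair per host pair, and no
! "access-list has port selectors" warning when it is bound to the crypto map.
access-list ACL_CRYPTO permit ip host 10.1.1.1 host 172.16.3.5

! The Layer-4 restriction lives on the outside interface instead. Inbound
! direction: source is the remote host, destination is the local host/port.
! Any rules for non-IPsec public services on this interface must go here too,
! which is the caveat the reply raises.
access-list OUTSIDE_L4 permit tcp host 172.16.3.5 host 10.1.1.1 eq telnet
access-group OUTSIDE_L4 in interface outside

! Decrypted tunnel traffic is only checked against OUTSIDE_L4 when the sysopt
! is disabled; with "sysopt connection permit-ipsec" (the usual setting) the
! interface ACL is bypassed for IPsec traffic and OUTSIDE_L4 has no effect.
no sysopt connection permit-ipsec

! Tunnel definition; transform set and peer are illustrative placeholders.
crypto ipsec transform-set ESP_SET esp-3des esp-sha-hmac
crypto map texas 22 ipsec-isakmp
crypto map texas 22 match address ACL_CRYPTO
crypto map texas 22 set peer 203.0.113.10
crypto map texas 22 set transform-set ESP_SET
crypto map texas interface outside
isakmp enable outside
```

To confirm which mode is in effect, check `show sysopt`: if `sysopt connection permit-ipsec` is listed, the interface ACL is still being bypassed for tunnel traffic.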
