Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IP problem with ACL's

I am having some difficulty configuring a VPN between two Cisco IOS routers. I can establish the VPN and packets are been encrytped, however my problem is when I apply an inbound ACL on the external interface, the VPN end point, the VPN can still establish but the ACL drops the packets. I want the ACL to allow only AH, ESP and ISAKMP but even though these packets are allowed through in order to make the ACL work I also need to add in entries for the unencrypted traffic.

The two routers are 3620's running IOS version 12.2.5d. Below is the router VPN config with the ACL that fails.

crypto isakmp policy 100

hash md5

authentication pre-share

crypto isakmp key ****** address

crypto isakmp keepalive 10



crypto ipsec transform-set test ah-md5-hmac esp-des


crypto map mytest 10 ipsec-isakmp

set peer

set transform-set test

match address 110


interface Ethernet0/0

ip address

crypto map mytest


ip route


access-list 101 permit ahp any any

access-list 101 permit esp any any

access-list 101 permit udp any any eq isakmp

access-list 110 permit ip


So if ACL 101 is applied to e0/0 then packets are dropped. It appears as if the ACL is checked twice, as the packets arrive at the interface and then again after they have been decrypted. This problem seem to be the same for multiple IOS versions that I have tried. 12.2.5, 12.2.3d all IP Plus IPSEC 56.

Anyone come accross this problem before or any ideas would be apprieciated.



New Member

Re: IP problem with ACL's

Hi Justin,

In the Begining(12.0.x T), the ACL are always checked twice. After the packet decrypted, it will recheck the ACL applied to the interface again.

In some 12.1.x T version, the ACL only check once. When the packet is decrypted, it will not be checked by the ACL again.

But in the latest 12.2 version, I believe DE eventually going back to the original design to increase more sure for the IPSEC tunnel. This is same as 12.2.8T

That means, in all the 12.2 code, the ACL will be checked twice, I believe this will be same in the future 12.2.x release.

Best Regards,

New Member

Re: IP problem with ACL's

Hi Justin,

As long as the CAL is exactly symetrical at both ends then it will work , It may be an idea to change to AH to esp-ah just in case you NAT at some point . The config shows 2 ACls so a little unsure which is CAl but if it's 101 then in your example it would be permit ip then reverse this at the network interface .

Good luck