04-29-2008 06:57 AM - edited 02-21-2020 03:42 PM
If I create a crypto map there is the command match address (acl). My question is: is this acl defining the only traffic that will be allowed down the tunnel, or will other traffic be allowed down the tunnel and just not encrypted?
04-29-2008 10:37 AM
Hi Chris and Daniel,
All traffic permitted by the crypto acl will be directed through the IPSec tunnel.
The rest of the traffic will not use the tunnel, but will be transmitted over the link.
"permit ip any any" is allowed on crypto acls like on any other acls. Its use is dependent on how you want to define your interesting traffic.
Cheers:
Istvan
04-29-2008 07:15 AM
It defines the traffic to be encrypted over the tunnel. Therefore, any traffic not defined will not enter the tunnel.
04-29-2008 09:57 AM
Is permit ip any any valid for a crypto acl if more than one LAN-to-LAN is configured?
04-30-2008 08:42 AM
if I have crypto acl's like this:
*************
acl A permit host 1.1.1.1 host 2.2.2.2
acl B permit ip any any
*************
All the traffic will get put on the tunnel that acl B is applied and no traffic will go across the A tunnel - correct?
05-01-2008 12:24 AM
Hi Daniel,
If you apply acl B to the crypto map, then acl B will allow all ip traffic through the IPSec tunnel, according to this configuration.
If you apply acl A to the crypto map, then acl A will allow traffic from host 1.1.1.1 to host 2.2.2.2 through the IPSec tunnel. All other traffic will go through the link but not through the IPSec tunnel (will not be protected).
One addition: acl A should be
acl A permit ip host 1.1.1.1 host 2.2.2.2 (an extended ip acl)
Within one crypto map there can be only 1 acl (though this 1 acl can have multiple acl entries).
Cheers:
Istvan
05-01-2008 06:11 AM
Just to correct my wording:
Within one crypto map STATEMENT there can be only 1 acl.
If you have several statements within your crypto map, you can have several different acls within each statement, but all these statements refer to different IPSec tunnels.
You can use this type of configuration if you have a headend router with several remote branches needing different IPSec tunnels.
Cheers:
Istvan
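An added configuration example, not posted by anyone in this thread, showing the headend layout described above: one crypto map with two statements, one crypto ACL per statement, one IPsec tunnel per statement. Peer addresses, subnets, ACL and map names, and the pre-shared-key placeholders are all assumed. The point it adds to the discussion of acl A and acl B is ordering: crypto map statements are evaluated in sequence-number order and the first statement whose ACL permits a packet decides which tunnel carries it, so a broad ACL on a low sequence number shadows every more specific statement after it.

```cisco
! Added example (not from the thread): headend router with two LAN-to-LAN peers.
! Crypto map statements are evaluated in sequence-number order; the first
! statement whose crypto ACL permits a packet selects the SA and peer for it.
! Traffic matched by no statement leaves the interface in the clear.
! All names, addresses and keys below are illustrative placeholders.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <psk-branch-A> address 203.0.113.10
crypto isakmp key <psk-branch-B> address 203.0.113.20
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL A: the host pair from the thread. Must be an extended ACL and
! must be the mirror image of the ACL on the branch A peer.
ip access-list extended CRYPTO-A
 permit ip host 1.1.1.1 host 2.2.2.2
!
! Crypto ACL B: name the real subnet pair instead of "permit ip any any".
! "any any" here would match the 1.1.1.1 -> 2.2.2.2 flow too; because
! statement 10 is evaluated first that flow still reaches branch A, but if
! the two statements were swapped it would be sent to branch B instead.
ip access-list extended CRYPTO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! One crypto map, two statements, two IPsec tunnels.
crypto map VPN 10 ipsec-isakmp
 description Branch A (most specific ACL first)
 set peer 203.0.113.10
 set transform-set TS-AES
 match address CRYPTO-A
crypto map VPN 20 ipsec-isakmp
 description Branch B
 set peer 203.0.113.20
 set transform-set TS-AES
 match address CRYPTO-B
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
```

To check which statement a flow is landing in, `show crypto map` lists each sequence number with its peer and ACL, and `show crypto ipsec sa` shows the encaps/decaps counters per SA: send traffic from 1.1.1.1 to 2.2.2.2 and confirm the counters increase on the 203.0.113.10 SA, not on 203.0.113.20. If the counters do not move at all, the traffic is leaving unencrypted, which usually means no crypto ACL permitted it (or an earlier statement's ACL swallowed it). Avoid `permit ip any any` in a crypto ACL on a multi-tunnel headend: besides the shadowing problem, it drags routing and management traffic into the tunnel and forces the peer to carry the same catch-all entry.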