Cisco Support Community

IPsec tunnel acl

If I create a crypto map there is the command match address (acl). My question is: is this acl defining the only traffic that will be allowed down the tunnel, or will other traffic be allowed down the tunnel and just not encrypted?

Accepted Solution

Re: IPsec tunnel acl

Hi Chris and Daniel,

All traffic permitted by the crypto acl will be directed through the IPSec tunnel.

The rest of the traffic will not use the tunnel, but will be transmitted over the link.

"permit ip any any" is allowed on crypto acls like on any other acls. Its use is dependent on how you want to define your interesting traffic.

Cheers:

Istvan

6 REPLIES

Re: IPsec tunnel acl

It defines the traffic to be encrypted over the tunnel. Therefore, any traffic not defined will not enter the tunnel.


Re: IPsec tunnel acl

Is "permit ip any any" valid for a crypto acl if more than 1 lan to lan is configured?


Re: IPsec tunnel acl

If I have crypto acls like this:

*************

acl A permit host 1.1.1.1 host 2.2.2.2

acl B permit ip any any

*************

All the traffic will get put on the tunnel that acl B is applied and no traffic will go across the A tunnel - correct?

Re: IPsec tunnel acl

Hi Daniel,

If you apply acl B to the crypto map, then acl B will allow all ip traffic through the IPSec tunnel, according to this configuration.

If you apply acl A to the crypto map, then acl A will allow traffic from host 1.1.1.1 to host 2.2.2.2 through the IPSec tunnel. All other traffic will go through the link but not through the IPSec tunnel (will not be protected).

One addition: acl A should be

acl A permit ip host 1.1.1.1 host 2.2.2.2 (an extended ip acl)

Within one crypto map there can be only 1 acl (though this 1 acl can have multiple acl entries).

Cheers:

Istvan

Re: IPsec tunnel acl

Just to correct my wording:

Within one crypto map STATEMENT there can be only 1 acl.

If you have several statements within your crypto map, you can have several different acls within each statement, but all these statements refer to different IPSec tunnels.

You can use this type of configuration if you have a headend router with several remote branches needing different IPSec tunnels.

Cheers:

Istvan
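To make the thread's rules concrete, here is an added Python model of how a crypto map picks a tunnel for a flow (example code, not Cisco's or the poster's). It uses the two ACLs from the thread with constructed peer names and addresses, and it goes one step beyond the thread: with several crypto map statements, IOS evaluates them in ascending sequence order and the first statement whose ACL permits the flow wins, so a "permit ip any any" entry placed ahead of the host-specific one silently starves the other tunnel.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One crypto ACL entry: 'permit'/'deny' plus source and destination prefixes."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _prefix(spec: str) -> ipaddress.IPv4Network:
    """Translate IOS-style 'any' / 'host A.B.C.D' / 'A.B.C.D/len' into a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    return ipaddress.IPv4Network(spec, strict=False)

def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, _prefix(src), _prefix(dst))

def acl_action(acl, src: str, dst: str):
    """First matching entry decides; no match is the implicit deny (None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return None

def select_tunnel(crypto_map, src: str, dst: str):
    """crypto_map: list of (seq, peer, acl) statements. They are checked in ascending
    sequence order and the first statement whose ACL permits the flow gets the packet.
    Returns the peer name, or None when the packet leaves the interface unencrypted."""
    for _seq, peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_action(acl, src, dst) == "permit":
            return peer
    return None

# Constructed sample: the two ACLs from the thread (acl A written as an extended IP ACL).
ACL_A = [ace("permit", "host 1.1.1.1", "host 2.2.2.2")]
ACL_B = [ace("permit", "any", "any")]

# Hypothetical peer names. A before B: the host pair uses tunnel A, everything else tunnel B.
MAP_A_FIRST = [(10, "peer-A", ACL_A), (20, "peer-B", ACL_B)]
# B before A: the any/any statement swallows every flow and tunnel A is never used.
MAP_B_FIRST = [(10, "peer-B", ACL_B), (20, "peer-A", ACL_A)]
# Only acl A applied: traffic it does not permit is forwarded in the clear.
MAP_A_ONLY = [(10, "peer-A", ACL_A)]
```

`select_tunnel(MAP_A_ONLY, "10.0.0.5", "10.0.0.9")` returns `None`, which is the "transmitted over the link but not protected" case from the accepted answer.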
