Is this a valid IPSEC access-list?


Does anyone know if this IPSEC access list will cause trouble? Each numbered list is set to a different peer.

100 permit ip

102 permit ip

104 permit ip

170 deny ip

170 deny ip

170 deny ip

170 permit ip any




Re: Is this a valid IPSEC access-list?

Provided you have defined the crypto map and transform sets correctly, the above would work.

ACL 170 could be rewritten as just:

permit ip any

One note: the above would bring the VPN link up for ANY traffic passing through the router. Maybe not quite what you intended?


Re: Is this a valid IPSEC access-list?

Thanks for the response. Just to verify, this is what I would have for the transform-set and crypto map:

crypto ipsec transform-set transform1 ah-md5-hmac esp-des

crypto map ipsec-map 1 ipsec-isakmp

set peer

set security-association lifetime seconds 86400

set transform-set transform1

match address 100

The other crypto maps would be similar except the number, peer, and access-list. The crypto map is then applied to the serial interface.

I am already pushing all traffic through the tunnels. There is an AT&T frame router on the same network as the peer for list 170. Currently, I need to have each network on the AT&T side in the access list. I was thinking that if I put the access-list for this peer at the bottom (170) instead of where I have it now (100 with each AT&T network explicitly listed) I could still keep a meshed topology and use the "any" keyword to avoid updating the lists each time a new network is added to the AT&T side.

Thanks again for your help!
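The following is an added model of how IOS walks crypto map entries (it is not code from the thread or from Cisco): entries are tried in ascending sequence, the first ACL that returns permit picks the peer, and a deny only skips that entry. It shows why a "permit ip any" ACL only works as the last entry and why, as the first reply warns, it also claims traffic you may not have meant to tunnel. Peers, ACL numbers and networks are constructed placeholders, not the poster's real values.

```python
import ipaddress

# Constructed addressing for illustration; none of these values are from the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(s):
    return ipaddress.ip_network(s)

# A crypto ACL is a top-down list of (action, source network, destination network).
ACL_100 = [("permit", net("10.1.0.0/16"), net("10.2.0.0/16"))]
ACL_102 = [("permit", net("10.1.0.0/16"), net("10.3.0.0/16"))]
ACL_104 = [("permit", net("10.1.0.0/16"), net("10.4.0.0/16"))]
ACL_170 = [("deny", net("10.1.0.0/16"), net("10.2.0.0/16")),
           ("deny", net("10.1.0.0/16"), net("10.3.0.0/16")),
           ("deny", net("10.1.0.0/16"), net("10.4.0.0/16")),
           ("permit", ANY, ANY)]

# Crypto map entries: (sequence, peer, ACL). Lower sequence is tried first.
CRYPTO_MAP = [(1, "peer-A", ACL_100), (2, "peer-B", ACL_102),
              (3, "peer-C", ACL_104), (4, "peer-ATT", ACL_170)]

def acl_action(acl, src, dst):
    """First matching ACE decides: 'permit', 'deny', or None if nothing matches."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None

def select_peer(crypto_map, src, dst):
    """Return (sequence, peer) that would encrypt the flow, or None for cleartext."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_action(acl, src, dst) == "permit":
            return seq, peer
    return None

def catch_all_entries(crypto_map):
    """Sequences whose ACL permits ip any any: all traffic not claimed earlier is tunnelled."""
    return [seq for seq, _, acl in crypto_map
            if any(a == "permit" and s == ANY and d == ANY for a, s, d in acl)]

if __name__ == "__main__":
    for dst in ("10.2.0.9", "172.16.5.5", "198.51.100.10"):
        print(dst, "->", select_peer(CRYPTO_MAP, "10.1.1.5", dst))
    print("catch-all sequences:", catch_all_entries(CRYPTO_MAP))
```

The third destination (198.51.100.10, a constructed non-VPN address) is the case the first reply points at: with "permit ip any" at the end, Internet-bound traffic is also sent to the AT&T peer.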
