Cisco Support Community
New Member

Must I stop crypto map first before changing ACL?

We have a router connecting to multiple remote sites via GRE/IPsec tunnels. Multiple crypto map entries with ACLs are created for the multiple tunnel interfaces.

If I want to change one ACL for one remote site, must I remove the crypto map first? I found out that if I don't remove the crypto map statement before changing the ACL, all the traffic to all the remote sites is affected. Is this the normal behavior?


New Member

Re: Must I stop crypto map first before changing ACL?

You must remove the crypto map from the physical interface. You can leave the tunnel interfaces alone. If you are making changes to a crypto map in use, you have to remove the process from the router or you lock up the router, kind of like changing the code of a software application while the application is running. You do not, however, have to unapply crypto if you are adding a new map entry.

Bob Watson

SBC Datacomm CCNP/DP

New Member

Re: Must I stop crypto map first before changing ACL?

You can modify the ACL; however, you cannot remove the ACL or all of its entries (IOS treats an empty ACL as unconfigured and the crypto map will stop).

You need to add your changes first, then remove your deletions next.

For example:

You cannot do a "no access-list 123" and then try to add a new access-list with your changes.

You can, however, do an "ip access-list extended 123", then add your new entry ("permit ip ..."); after your addition, remove your old entry ("deny ip ...").

You will also want to ensure you are not managing the router over the same interface that you are encrypting on. A small error will lock you out of the router.
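As an added example that is not from either reply, here is an IOS configuration fragment showing the unsafe and the safe way to edit an ACL referenced by a crypto map that stays applied to the physical interface. The names VPNMAP and TS, the ACL sequence numbers and the RFC 5737 / 10.0.0.0 addresses are constructed for the example, and the ISAKMP policy and keying are omitted.

```cisco
! Constructed hub-side GRE-over-IPsec configuration (not from the thread).
! Transform set TS and crypto map VPNMAP are assumed names.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: only the GRE flow between the two tunnel endpoints is encrypted.
ip access-list extended 123
 10 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 123
!
! The crypto map sits on the physical interface, not on the tunnel interface.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP
!
! --- UNSAFE (shown commented out): between these two commands ACL 123 is
! --- empty, IOS treats an empty ACL as unconfigured, and the crypto map
! --- entry stops matching traffic while VPNMAP is still applied.
! no access-list 123
! access-list 123 permit gre host 10.0.0.1 host 198.51.100.1
!
! --- SAFE: edit the named ACL in place. Add the new entry first (here the
! --- GRE tunnel source moves to a loopback at 10.0.0.1), remove the old one
! --- last, so the ACL is never empty and VPNMAP never loses its match.
ip access-list extended 123
 20 permit gre host 10.0.0.1 host 198.51.100.1
 no 10
!
! Verification commands: confirm the map still references a populated ACL
! and that a security association exists for the edited flow.
! show crypto map
! show ip access-lists 123
! show crypto ipsec sa peer 198.51.100.1
```

Run the edit from an out-of-band connection or an interface not covered by VPNMAP, since a typo in the crypto ACL can cut off a management session that rides the encrypted path.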