Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Order of ACL´s


I´m really confused about what order the different types os ACL´s are read in a PIX.

Normally i´m used to that the ACL-list number decides the order with the start of the lowest one, but now when introducing named ACL´s, crypto ACL´s and Nonat ACL´s i´m really confused.

Please help me understand this, or send me a link to a page that clearly describes this !



Cisco Employee

Re: Order of ACL´s


Each ACL is used for a different purposes. For example let's say you have ACL 1, ACL 2 , named_acl, crypto_acl. Each one of these ACLs is applied to an interface or to a route map or is a part of IPSec VPN configuration under "crypto map" command. This means if a serial interface has an ACL 1 applient to an inbound traffic, the IOS will jump straight to ACL 1 to filter the incoming traffic and will not pay attention to all other ACLs configured on the router. Also when the process goes through ACL 1, it will start from the rop of the ACL and will quit as soon as a match found and will not go through the rest of the ACL.

Community Member

Re: Order of ACL´s

OK. But for instance with IPSEC, what happenes if you assign a ACL to an inside interface and state exactly the same ACL (traffic to the other side of the VPN-tunnel) as the crypto ACL ? Which ACL will it read first ?

If you use named ACL´s, which will it read first ?

Cisco Employee

Re: Order of ACL´s

If I understand you correctly, you mean applying the same ACL on the same PIX firewall's inside interface (for incoming traffic from inside LAN) and then use it as a crypto_ACL. If this is the case then it will of course go through the interface ACL since this ACL defines if the traffic from specified source host are allowed to enter the PIX firewall in firs place. Then if this is permitted by ACL, after IKE sessions, the IPSec will turn to crypto_ACL (in this case the same ACL) to identify the traffic that needs to be encrypted. Which ACL it will use first (named or numbered) completely depends what have you specified under interface (you can have one ACL per interface per direction) and under crypto-map statement.

CreatePlease to create content