Cisco Support Community
New Member

Overlapping Crypto ACLs

Is it possible to create a crypto map with entries that include crypto ACLs to the most specific network destinations first, and finishing with the least specific network destination (much like routing, where the most specific route is taken, even when it is part of a larger network that is routed to a different gateway)?

A part of the hypothetical config is below:

access-list 101 extended permit ip host
access-list 102 extended permit ip host
crypto map HQ 1 match address 101
crypto map HQ 1 set peer
crypto map HQ 1 set transform-set strong
crypto map HQ 2 match address 102
crypto map HQ 2 set peer
crypto map HQ 2 set transform-set strong
crypto map HQ interface outside

is within, but more specific. My understanding is that because entry 1 is matched first, it will not interfere with entry 2.

Hall of Fame Super Blue

Re: Overlapping Crypto ACLs


From memory, yes, this will work as long as you make sure that the least specific match is after the most specific; otherwise you get problems with tunnel setup.


Cisco Employee

Re: Overlapping Crypto ACLs

You may see some issues in case traffic comes from peer 2 and matches 102, but on the way back matches 101, if it is addressed to a peer that falls within the 101 range. This is not recommended.
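Both replies above come down to how the crypto map is evaluated: outbound traffic is checked against the entries in sequence-number order and the first crypto ACL that permits it selects the peer (and so the SA), while a packet decrypted from a peer must match that peer's crypto ACL with source and destination swapped. The Python model below is an added example, not code from this thread or from Cisco; it assumes that simplified first-match evaluation, uses network ACEs rather than only the host ACEs in the question, and all 10.x and 203.0.113.x addresses and peer names in it are constructed. It reports an entry that can never be matched because a lower-sequence entry covers it (the ordering problem in the first reply) and an accepted inbound flow whose reply the map would hand to a different peer (the asymmetry in the second reply).

```python
"""First-match model of an IOS/ASA crypto map with overlapping crypto ACLs.

Added illustration for the thread above, not Cisco code: a simplified model
in which entries are checked in sequence-number order and the first crypto
ACL permitting the flow selects the peer/SA. All addresses and peer names
are constructed sample values, not the poster's.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of a crypto ACL (networks, not only hosts)."""
    src: IPv4Network
    dst: IPv4Network

    def permits(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst

    def covers(self, other: Ace) -> bool:
        """True if every flow `other` permits is also permitted by self."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


@dataclass(frozen=True)
class Entry:
    """One 'crypto map <name> <seq>' entry: its peer and its crypto ACL."""
    seq: int
    peer: str
    acl: tuple[Ace, ...]

    def permits(self, s: IPv4Address, d: IPv4Address) -> bool:
        return any(a.permits(s, d) for a in self.acl)


def select_entry(cmap: Iterable[Entry], src: str, dst: str) -> Optional[Entry]:
    """Outbound: the lowest-sequence entry whose ACL permits src->dst wins."""
    s, d = ip_address(src), ip_address(dst)
    for entry in sorted(cmap, key=lambda e: e.seq):
        if entry.permits(s, d):
            return entry
    return None  # not interesting traffic; it would leave in the clear


def inbound_permitted(cmap: Iterable[Entry], peer: str, src: str, dst: str) -> bool:
    """Inbound: a packet decrypted from `peer` must match that peer's crypto
    ACL with source and destination swapped (the mirror-image check)."""
    s, d = ip_address(src), ip_address(dst)
    return any(e.permits(d, s) for e in cmap if e.peer == peer)


def shadowed(cmap: Iterable[Entry]) -> list[int]:
    """Sequence numbers of entries no outbound packet can reach because every
    ACE is fully covered by an ACE of a lower-sequence entry."""
    ordered = sorted(cmap, key=lambda e: e.seq)
    result = []
    for i, entry in enumerate(ordered):
        earlier = [a for e in ordered[:i] for a in e.acl]
        if all(any(prev.covers(ace) for prev in earlier) for ace in entry.acl):
            result.append(entry.seq)
    return result


def reply_mismatches(cmap: Iterable[Entry], inbound):
    """inbound: (peer, src, dst) packets that arrived on `peer`'s SA.
    Returns those that pass the decrypt check but whose reply (dst->src) the
    map sends to a different peer, i.e. request and reply use different tunnels."""
    cmap = tuple(cmap)
    bad = []
    for peer, src, dst in inbound:
        if not inbound_permitted(cmap, peer, src, dst):
            continue  # dropped on decrypt, so there is no reply to worry about
        chosen = select_entry(cmap, dst, src)
        if chosen is None or chosen.peer != peer:
            bad.append((peer, src, dst, chosen.peer if chosen else None))
    return bad


def build_hq_map(specific_first: bool = True) -> tuple[Entry, ...]:
    """Constructed map: a specific /24 pair and the /16 pair that encloses it."""
    specific = Ace(ip_network("10.1.1.0/24"), ip_network("10.2.1.0/24"))
    broad = Ace(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))
    if specific_first:
        return (Entry(1, "203.0.113.1", (specific,)), Entry(2, "203.0.113.2", (broad,)))
    return (Entry(1, "203.0.113.2", (broad,)), Entry(2, "203.0.113.1", (specific,)))


if __name__ == "__main__":
    hq = build_hq_map()
    print("shadowed, most specific first:", shadowed(hq))
    print("shadowed, least specific first:", shadowed(build_hq_map(False)))
    # Peer 2 initiates to a host inside entry 1's range: accepted on decrypt,
    # but the reply is matched by entry 1 and is sent to peer 1 instead.
    print(reply_mismatches(hq, [("203.0.113.2", "10.2.1.50", "10.1.1.5")]))
```

Running it shows the two failure modes side by side: with the least specific entry first, entry 2 is listed as shadowed and its tunnel never comes up; with the most specific entry first, nothing is shadowed, but a flow that peer 2 starts towards a host inside the 101 range is accepted on decrypt and then answered through peer 1's SA.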
