Cisco Support Community
New Member

Overlapping Crypto ACLs

Is it possible to create a crypto map with entries whose crypto ACLs cover the most specific network destinations first and finish with the least specific network destination (much like routing, where the most specific route is taken even when it is part of a larger network that is routed to a different gateway)?

A part of the hypothetical config is below:

access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248
access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0
crypto map HQ 1 match address 101
crypto map HQ 1 set peer 1.1.1.1
crypto map HQ 1 set transform-set strong
crypto map HQ 2 match address 102
crypto map HQ 2 set peer 2.2.2.2
crypto map HQ 2 set transform-set strong
crypto map HQ interface outside

10.0.0.0/29 is within 10.0.0.0/24, but more specific. My understanding is that because entry 1 is matched first, it will not interfere with entry 2.

2 REPLIES
Hall of Fame Super Blue

Re: Overlapping Crypto ACLs

Chris

From memory, yes, this will work as long as you make sure that the least specific match is after the most specific; otherwise you get problems with tunnel setup.

Jon

Cisco Employee

Re: Overlapping Crypto ACLs

You may see some issues in case traffic comes from peer 2 and matches 102, but on the way back matches 101 if it is addressed to a peer that falls within the 101 range. This is not recommended.
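As an added example (not from this thread), a small Python model of the first-match evaluation the poster is relying on: it parses the hypothetical config above, reports which peer a flow would be encrypted to, and flags any later crypto map entry whose ACL lies entirely inside an earlier entry's ACL, which is the ordering problem Jon warns about. Only the config text is the poster's; the parser, regexes and sample flows are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the poster's hypothetical config, most specific entry first.
CONFIG = """
access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248
access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0
crypto map HQ 1 match address 101
crypto map HQ 1 set peer 1.1.1.1
crypto map HQ 2 match address 102
crypto map HQ 2 set peer 2.2.2.2
"""

ACL_RE = re.compile(r"access-list (\d+) extended permit ip host (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")

def parse(config):
    """Return crypto map entries in sequence order: (seq, peer, acl_src, acl_dst_net)."""
    acls, entries = {}, {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acl, src, net, mask = m.groups()
            acls[acl] = (ipaddress.ip_address(src), ipaddress.ip_network(f"{net}/{mask}"))
        elif m := MAP_RE.match(line):
            seq, key, val = m.groups()
            entries.setdefault(int(seq), {})[key] = val
    return [(seq, e["set peer"], *acls[e["match address"]])
            for seq, e in sorted(entries.items())]

def select_peer(entries, src, dst):
    """First-match evaluation, as a crypto map does it: the lowest sequence that matches wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, peer, acl_src, acl_net in entries:
        if src == acl_src and dst in acl_net:
            return peer
    return None  # not interesting traffic; it would leave the interface in the clear

def shadowed(entries):
    """(seq, earlier_seq) pairs where a later entry's ACL lies inside an earlier one's.
    Such an entry can never match, so its tunnel never comes up for that traffic."""
    return [(seq, pseq)
            for i, (seq, _, src, net) in enumerate(entries)
            for pseq, _, psrc, pnet in entries[:i]
            if src == psrc and net.subnet_of(pnet)]

if __name__ == "__main__":
    entries = parse(CONFIG)
    print(select_peer(entries, "3.3.3.3", "10.0.0.5"))   # 1.1.1.1 (the /29 entry)
    print(select_peer(entries, "3.3.3.3", "10.0.0.50"))  # 2.2.2.2 (the /24 entry)
    print(shadowed(entries))        # [] with the most specific entry first
    print(shadowed(entries[::-1]))  # [(1, 2)] if the /24 entry came first
```

The return-path caveat from the second reply shows up here too: a reply to a 10.0.0.0/29 host whose request arrived through peer 2.2.2.2 is still sent toward 1.1.1.1, because only the destination decides the outbound match.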
