Cisco Support Community
PIX crypto map ACL with a deny?

On a PIX v6.3(5) I have a site-to-site VPN that works. I want to change it to exclude a destination subnet.

Here is what I want to do:

access-list 90 deny ip
access-list 90 permit ip
crypto map toSanJose 20 match address 90

Is it OK to add the "deny" at the start of the ACL? Or will it deny all traffic?


Re: PIX crypto map ACL with a deny?

From memory I thought you were not supposed to use a "deny" in a crypto ACL, however the 6.3 config guide says:

"Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry."

And since an ACL has an implicit "deny all" at the end anyway, then go for it.
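To see how a deny line behaves under the first-match evaluation the config guide describes, here is an added Python example (not from the thread, and not Cisco code): it parses PIX-style access-list lines (subnet masks, not IOS wildcard masks) and classifies a flow as protected by the crypto map entry, explicitly excluded by a deny, or caught by the implicit deny at the end. The subnets are constructed for the example because the ACL lines in the original post are truncated.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                  # "permit" -> protected by this crypto map entry, "deny" -> excluded
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens: list) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (a subnet mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network((tok, tokens.pop(0)), strict=False)


def parse_pix_acl(lines: list, acl_id: str) -> list:
    """Collect the 'access-list <id> permit|deny ip <src> <dst>' entries of one ACL, in configured order."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != acl_id or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src = _network(rest)          # source is parsed first, then destination
        dst = _network(rest)
        aces.append(Ace(tokens[2], src, dst))
    return aces


def crypto_match(aces: list, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins. 'permit' = IPsec-protected; 'deny' = explicitly excluded;
    'implicit-deny' = matched nothing (the implicit deny every ACL ends with).
    In both deny cases this crypto map entry does NOT encrypt the packet."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "implicit-deny"


# Constructed configuration: exclude one remote subnet first, then permit the rest of the remote network.
ACL_90 = [
    "access-list 90 deny ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0",
    "access-list 90 permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0",
]

if __name__ == "__main__":
    aces = parse_pix_acl(ACL_90, "90")
    for dst in ("192.168.50.10", "192.168.7.10"):
        print(f"10.1.2.3 -> {dst}: {crypto_match(aces, '10.1.2.3', dst)}")
    # Order matters: with the permit first, the broader permit shadows the deny.
    print("deny after permit:", crypto_match(list(reversed(aces)), "10.1.2.3", "192.168.50.10"))
```

The reversed-order call shows why the deny has to come before the broader permit: once a flow matches the permit, the later deny is never consulted and the "excluded" subnet is encrypted after all.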

Re: PIX crypto map ACL with a deny?

The TAC initially said that "deny" is not allowed, but when I pressed them they admitted that they couldn't find any specific reason.

They then said that it would hurt performance.

Eventually they said that I should try to make it work and let them know.
