https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571083#M922655 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>The ACLs with the underscores are CSM generated and cannot be changed&nbsp; (with or without Flex config).</P><P></P><P>Why can't you go change the crypto ACL in the appropriate CSM field?</P><P></P><P>PK </P></DIV><P></P></BODY></HTML> Thu, 09 Dec 2010 21:43:18 GMT Panos Kampanakis 2010-12-09T21:43:18Z https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571080#M922652 <P>Hello,</P><P></P><P>I need to encapsulate a L2TPv3 tunnel in a crypto session. Without CSM, I just need to add</P><P>permit 115 host HOST-A host HOST-B</P><P>in the CSM_IPSEC_ACL related to the hosts in charge of the crypto link.</P><P></P><P>But this ACL is 100% managed by CSM, so it recreates a new one each time I push a config.</P><P></P><P>I tried to create flex prepend to remove my settings, and flex append to recreate it, but CSM makes its checks before prepend. So it works the first time and the second, CSM create a new ACL.</P><P></P><P>Any idea to force CSM to accept my current settings (and let it continue to manage the VPNs) ?</P><P></P><P>PS: I'm using CSM 3.3.1 sp2</P><P></P><P>Thanks,</P><P>NH</P> Fri, 21 Feb 2020 12:10:46 GMT https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571080#M922652 Nicolas Horchower 2020-02-21T12:10:46Z https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571081#M922653 <HTML><HEAD></HEAD><BODY><P>Hi Nicolas,</P><P></P><P>can you be a bit more specific on what CSM is trying to do? Maybe sending the delta with some explanation would work <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Stefano</P></BODY></HTML> Wed, 08 Dec 2010 23:04:59 GMT https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571081#M922653 Stefano De Crescenzo 2010-12-08T23:04:59Z https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571082#M922654 <HTML><HEAD></HEAD><BODY><P>Hello Stefano,</P><P></P><P>By default CSM auto generate this kind of ACL for the static crypto :</P><P>ip access-list extended CSM_IPSEC_ACL_2<BR /> permit gre host SOURCE host DEST</P><P></P><P>used by</P><P>crypto map CSM_CME_GigabitEthernet0/2.210 1 ipsec-isakmp<BR /> description Provisioned by CSM: Peer device = DEST<BR /> set peer DEST<BR /> set transform-set CSM_TS_1<BR /> match address CSM_IPSEC_ACL_2</P><P></P><P>I would like to add this in the ACL:</P><P> permit 115 host SOURCE host DEST</P><P></P><P>to also allow L2TPv3 to be encrypted too.</P><P></P><P>But as soon as I redeploy after a modification, CSM re-create a new ACL.</P><P></P><P>regards,</P><P>NH</P></BODY></HTML> Thu, 09 Dec 2010 09:49:19 GMT https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571082#M922654 Nicolas Horchower 2010-12-09T09:49:19Z https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571083#M922655 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>The ACLs with the underscores are CSM generated and cannot be changed&nbsp; (with or without Flex config).</P><P></P><P>Why can't you go change the crypto ACL in the appropriate CSM field?</P><P></P><P>PK </P></DIV><P></P></BODY></HTML> Thu, 09 Dec 2010 21:43:18 GMT https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571083#M922655 Panos Kampanakis 2010-12-09T21:43:18Z https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571084#M922656 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I wasn't able to find this one. It looks to be auto-generated.</P><P></P><P>For instance, NAT ACL can be modified, but I haven't found a way to modify this IPSEC one.</P><P></P><P>Any idea ?</P><P></P><P>Regards,</P><P>NH</P></BODY></HTML> Mon, 13 Dec 2010 09:14:33 GMT https://community.cisco.com/t5/network-security/csm-ipsec-acl-customization-within-csm/m-p/1571084#M922656 Nicolas Horchower 2010-12-13T09:14:33Z