crypto access-list

reinke
Level 1

Following the Cisco command references, crypto access-lists should be configured in a mirrored way on both VPN endpoints. E.g.:

VPN_GW_1:

access-list 100 permit ip host 172.16.1.1 host 172.16.2.1

VPN_GW_2:

access-list 100 permit ip host 172.16.2.1 host 172.16.1.1

Is this security check done for port numbers as well?

Or is this check only done for IP addresses? (I thought that the IPSec RFCs only want IP addresses to be checked.)

Thanks in advance

Edgar

2 Replies

revangelista
Level 1

I believe that this is done for IP addresses only. But I would prefer a more 'official' response from one of the Cisco guys.

What I normally do is add an additional ACL to restrict the traffic that will be encrypted.

Richard Burts
Hall of Fame

Edgar

It depends on what you are attempting to accomplish. The crypto access list identifies "interesting" traffic which will be protected by IPSec (very much like the access list used by a dialer list to identify interesting traffic for dial access). Note that you are not permitting or denying the traffic, only deciding whether the traffic is processed by IPSec.

So if you want all traffic between the two addresses to be processed by IPSec, your access list should be:

access-list 100 permit ip host 172.16.1.1 host 172.16.2.1

If you want telnet encrypted and web browsing in the clear, then your access list should specify a permit at the port level for telnet and a deny at the port level for http.

HTH

Rick
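The mirror-image requirement Edgar quotes and the port-level permit/deny that Rick describes interact: once an entry carries an "eq" qualifier, mirroring it on the peer swaps not only source and destination addresses but also which side the port sits on (a destination port on VPN_GW_1 becomes a source port on VPN_GW_2). The script below is an added example for this thread, not Cisco code or anything from the original posts. It parses numbered extended ACL lines of the form used above, generates the mirror a peer should carry, and reports peer entries that are not exact mirrors. The ACL text, the 172.16.x.x addresses and the gateway names are constructed for the example; only the "host", "any", network/wildcard and "eq" forms are handled.

```python
"""Mirror-check two Cisco IOS crypto ACLs, including the 'eq' port selectors.

Added example for this thread, not Cisco code. The ACLs below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Local gateway (VPN_GW_1): telnet to the peer host is protected, http is
# carried in the clear, everything else between the two hosts is protected.
GW1_ACL = """
access-list 100 deny   tcp host 172.16.1.1 host 172.16.2.1 eq 80
access-list 100 permit tcp host 172.16.1.1 host 172.16.2.1 eq 23
access-list 100 permit ip host 172.16.1.1 host 172.16.2.1
"""

# Correct mirror on VPN_GW_2: source and destination swap, and so does the
# position of the 'eq' qualifier (the port moves from destination to source).
GW2_ACL_MIRRORED = """
access-list 100 deny   tcp host 172.16.2.1 eq 80 host 172.16.1.1
access-list 100 permit tcp host 172.16.2.1 eq 23 host 172.16.1.1
access-list 100 permit ip host 172.16.2.1 host 172.16.1.1
"""

# Common mistake: addresses swapped but 'eq' left on the destination side.
GW2_ACL_WRONG = """
access-list 100 deny   tcp host 172.16.2.1 host 172.16.1.1 eq 80
access-list 100 permit tcp host 172.16.2.1 host 172.16.1.1 eq 23
access-list 100 permit ip host 172.16.2.1 host 172.16.1.1
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, endpoints, optional 'eq' ports."""
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirrored(self) -> "Ace":
        # Swapping endpoints also swaps which side the port qualifier sits on.
        return Ace(self.action, self.proto, self.dst, self.dport, self.src, self.sport)

    def to_ios(self, number: int) -> str:
        parts = ["access-list", str(number), self.action, self.proto, self.src]
        if self.sport:
            parts += ["eq", self.sport]
        parts.append(self.dst)
        if self.dport:
            parts += ["eq", self.dport]
        return " ".join(parts)


def _take_addr(tok: List[str]) -> Tuple[str, List[str]]:
    """Consume 'host A', 'any', or 'A W' (network + wildcard) from the token list."""
    if tok[0] == "host":
        return f"host {tok[1]}", tok[2:]
    if tok[0] == "any":
        return "any", tok[1:]
    return f"{tok[0]} {tok[1]}", tok[2:]


def _take_port(tok: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume an optional 'eq <port>' qualifier."""
    if tok and tok[0] == "eq":
        return tok[1], tok[2:]
    return None, tok


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines; skip other lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        if rest:
            raise ValueError(f"unsupported qualifier {rest!r} in: {line.strip()}")
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def mirror_acl(aces: List[Ace]) -> List[Ace]:
    """The ACL the peer should carry: every entry with src/dst (and their ports) swapped."""
    return [a.mirrored() for a in aces]


def mirror_mismatches(local: List[Ace], remote: List[Ace]) -> List[Tuple[int, Optional[Ace], Optional[Ace]]]:
    """Entries where the peer's ACL is not an exact mirror, as (index, expected, actual)."""
    expected = mirror_acl(local)

    def at(xs: List[Ace], i: int) -> Optional[Ace]:
        return xs[i] if i < len(xs) else None

    n = max(len(expected), len(remote))
    return [(i, at(expected, i), at(remote, i)) for i in range(n) if at(expected, i) != at(remote, i)]


if __name__ == "__main__":
    local = parse_acl(GW1_ACL)
    print("Mirror ACL for VPN_GW_2:")
    for ace in mirror_acl(local):
        print("  " + ace.to_ios(100))
    for label, remote in (("mirrored", GW2_ACL_MIRRORED), ("wrong", GW2_ACL_WRONG)):
        for i, exp, got in mirror_mismatches(local, parse_acl(remote)):
            print(f"{label}: entry {i}: expected '{exp.to_ios(100) if exp else None}', "
                  f"got '{got.to_ios(100) if got else None}'")
```

Running it prints the three mirrored lines for VPN_GW_2 and flags entries 0 and 1 of the "wrong" ACL, whose "eq 80" and "eq 23" stayed on the destination after the addresses were swapped. The comparison is by position, because entry order matters in an ACL: a permit-all placed before a port-level deny would shadow it.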