Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
506
Views
0
Helpful
3
Replies

Order of ACL´s

thult
Level 1
Level 1

‎09-09-2002 12:52 PM - edited ‎02-20-2020 09:18 PM

Hi,

I´m really confused about what order the different types os ACL´s are read in a PIX.

Normally i´m used to that the ACL-list number decides the order with the start of the lowest one, but now when introducing named ACL´s, crypto ACL´s and Nonat ACL´s i´m really confused.

Please help me understand this, or send me a link to a page that clearly describes this !

Regards

//Tomas

Labels:
0 Helpful
3 Replies 3

jshakyan
Cisco Employee
Cisco Employee

‎09-09-2002 10:55 PM

Tomas,

Each ACL is used for a different purposes. For example let's say you have ACL 1, ACL 2 , named_acl, crypto_acl. Each one of these ACLs is applied to an interface or to a route map or is a part of IPSec VPN configuration under "crypto map" command. This means if a serial interface has an ACL 1 applient to an inbound traffic, the IOS will jump straight to ACL 1 to filter the incoming traffic and will not pay attention to all other ACLs configured on the router. Also when the process goes through ACL 1, it will start from the rop of the ACL and will quit as soon as a match found and will not go through the rest of the ACL.

0 Helpful

thult
Level 1
Level 1
In response to jshakyan

‎09-10-2002 12:23 AM

OK. But for instance with IPSEC, what happenes if you assign a ACL to an inside interface and state exactly the same ACL (traffic to the other side of the VPN-tunnel) as the crypto ACL ? Which ACL will it read first ?

If you use named ACL´s, which will it read first ?

0 Helpful

jshakyan
Cisco Employee
Cisco Employee
In response to thult

‎09-10-2002 11:58 PM

If I understand you correctly, you mean applying the same ACL on the same PIX firewall's inside interface (for incoming traffic from inside LAN) and then use it as a crypto_ACL. If this is the case then it will of course go through the interface ACL since this ACL defines if the traffic from specified source host are allowed to enter the PIX firewall in firs place. Then if this is permitted by ACL, after IKE sessions, the IPSec will turn to crypto_ACL (in this case the same ACL) to identify the traffic that needs to be encrypted. Which ACL it will use first (named or numbered) completely depends what have you specified under interface (you can have one ACL per interface per direction) and under crypto-map statement.

0 Helpful
Customers Also Viewed These Support Documents