
cisco asa 9.1: crypto acl - sequence, order of operation

Peter Handke
Level 1

Hi,

Let's say we have the following configuration:

! crypto ACL vpn1: 192.168.1.0/24 to the whole 10.0.0.0/8
access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
! crypto map entry with sequence number 10, peer x.x.x.x
crypto map mymap 10 match address vpn1
crypto map mymap 10 set peer x.x.x.x
! crypto ACL vpn2: 192.168.1.0/24 to 10.1.1.0/24 (a subset of what vpn1 already covers)
access-list vpn2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! crypto map entry with sequence number 20, peer y.y.y.y
crypto map mymap 20 match address vpn2
crypto map mymap 20 set peer y.y.y.y

In the above example, what happens if you intend to send a packet to a host on 10.1.1.x and the peer x.x.x.x is down (no SA)?

If the ASA checks that the SA is down or missing, does it start processing the next crypto access list according to the crypto map sequence number, or does it just drop the packet?

If the ASA processes the next crypto map entry/crypto ACL, what happens if no ACL matches? Are the packets sent as clear text?

Thanks for the explanation

Peter

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Peter,

It would work if the first tunnel is down and there are no SAs for it.

However, it is not recommended to have overlapping crypto ACLs.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

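The reply's caveat about overlapping crypto ACLs is the kind of thing that is easy to miss in a long crypto map, so here is an added example (not from the thread or from Cisco) that parses the configuration posted in the question and reports which crypto map entries select overlapping traffic. It also shows which entry a given flow would hit under the assumption that the ASA walks crypto map entries in ascending sequence-number order and the first crypto ACL that permits the flow selects the peer; it does not model SA state or what happens when a peer is down, which is the part of the question only the ASA can answer. The `mymap 30` entry, its ACL `vpn3` and the test addresses are constructed for contrast and are not part of the original post.

```python
"""Flag overlapping crypto ACLs in an ASA crypto map and classify flows by
first-match sequence order.

Added example for the thread above. It is not ASA code and does not model
IKE or IPsec SA state. Assumption: entries are evaluated in ascending
sequence order and the first permitting crypto ACL wins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two entries from the question plus a third,
# non-overlapping entry (mymap 30 / vpn3 / z.z.z.z) added for contrast.
SAMPLE_CONFIG = """
access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map mymap 10 match address vpn1
crypto map mymap 10 set peer x.x.x.x
access-list vpn2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 20 match address vpn2
crypto map mymap 20 set peer y.y.y.y
access-list vpn3 extended permit ip 192.168.2.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map mymap 30 match address vpn3
crypto map mymap 30 set peer z.z.z.z
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set peer\s+(\S+)$")


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst

    def overlaps(self, other: "AclEntry") -> bool:
        # Two ACEs select common traffic if both the source and the
        # destination ranges intersect.
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst)


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    acl: str = ""
    peer: str = ""


def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], List[CryptoMapEntry]]:
    """Collect crypto ACLs and crypto map entries; entries come back sorted by sequence."""
    acls: Dict[str, List[AclEntry]] = {}
    entries: Dict[Tuple[str, int], CryptoMapEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts "address/netmask" notation directly.
            acls.setdefault(name, []).append(
                AclEntry(ipaddress.IPv4Network(f"{s}/{sm}"), ipaddress.IPv4Network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            name, seq, acl = m.groups()
            entries.setdefault((name, int(seq)), CryptoMapEntry(name, int(seq))).acl = acl
        elif m := PEER_RE.match(line):
            name, seq, peer = m.groups()
            entries.setdefault((name, int(seq)), CryptoMapEntry(name, int(seq))).peer = peer
    return acls, sorted(entries.values(), key=lambda e: (e.name, e.seq))


def classify(acls: Dict[str, List[AclEntry]], entries: List[CryptoMapEntry],
             src: str, dst: str) -> Optional[CryptoMapEntry]:
    """First crypto map entry (ascending seq) whose ACL permits src -> dst, else None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in entries:
        if any(ace.matches(s, d) for ace in acls.get(entry.acl, [])):
            return entry
    return None  # no crypto map entry selects this flow


def find_overlaps(acls: Dict[str, List[AclEntry]],
                  entries: List[CryptoMapEntry]) -> List[Tuple[int, int, bool]]:
    """(earlier_seq, later_seq, fully_shadowed) for each pair of entries in the
    same map whose crypto ACLs select overlapping traffic. fully_shadowed is
    True when every ACE of the later entry is contained in the earlier one."""
    findings = []
    for i, earlier in enumerate(entries):
        for later in entries[i + 1:]:
            if earlier.name != later.name:
                continue
            e_aces, l_aces = acls.get(earlier.acl, []), acls.get(later.acl, [])
            if not any(a.overlaps(b) for a in e_aces for b in l_aces):
                continue
            shadowed = all(
                any(b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst) for a in e_aces)
                for b in l_aces)
            findings.append((earlier.seq, later.seq, shadowed))
    return findings


if __name__ == "__main__":
    acls, entries = parse_config(SAMPLE_CONFIG)
    for seq_a, seq_b, shadowed in find_overlaps(acls, entries):
        print(f"entries {seq_a} and {seq_b} overlap"
              + (" (later entry fully shadowed by the earlier one)" if shadowed else ""))
    hit = classify(acls, entries, "192.168.1.10", "10.1.1.5")
    print("192.168.1.10 -> 10.1.1.5 hits", hit.seq if hit else None, hit.peer if hit else "")
```

Run against the posted configuration, the script reports that entry 20 is fully shadowed by entry 10: under first-match evaluation a packet from 192.168.1.10 to 10.1.1.5 is classified against entry 10 (peer x.x.x.x), never reaching the vpn2 entry. Fixing the overlap means either moving the more specific entry to a lower sequence number or carving 10.1.1.0/24 out of vpn1 with a deny line, both of which this checker would then confirm as non-overlapping.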
