06-18-2009 08:35 AM
Is it possible to create a crypto map with entries that include crypto acls to the most specific network destinations first, and finishing with the least specific network destination (much like routing, the most specific route is taken, even when part of a larger network that is routed to a different gateway).
A part of the hypothetical config is below:
access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248
access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0
crypto map HQ 1 match address 101
crypto map HQ 1 set peer 1.1.1.1
crypto map HQ 1 set transform-set strong
crypto map HQ 2 match address 102
crypto map HQ 2 set peer 2.2.2.2
crypto map HQ 2 set transform-set strong
crypto map HQ interface outside
10.0.0.0/29 is within 10.0.0.0/24, but more specific. My understanding is that because entry 1 is matched first, it will not interfere with entry 2.
06-18-2009 12:09 PM
Chris
From memory, yes, this will work as long as you make sure that the least specific match is after the most specific; otherwise you get problems with tunnel setup.
Jon
06-19-2009 06:11 AM
You may see some issues, in case traffic comes from peer 2, and matches 102, but on the way back matches 101, if it is addressed for a peer that falls within 101 range. This is not recommended.
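The two replies above describe two distinct behaviours of an ordered crypto map: first-match selection by sequence number (so a less-specific entry placed first would shadow the more-specific one), and the return-path mismatch when a host inside the /29 is reached via peer 2 but its reply is encrypted to peer 1. The following script is an added example, not part of this thread or of any Cisco tool; it models that first-match evaluation in Python over the thread's own hypothetical config, flags entries that can never match because an earlier entry fully covers them, and shows which peer the return traffic would select. It assumes IPv4, `permit` extended ACEs only, and ignores protocol and port fields.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the thread's hypothetical config (most specific first).
CONFIG = """
access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248
access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0
crypto map HQ 1 match address 101
crypto map HQ 1 set peer 1.1.1.1
crypto map HQ 2 match address 102
crypto map HQ 2 set peer 2.2.2.2
crypto map HQ interface outside
"""

# Constructed input: the same entries with the /24 ahead of the /29 (the ordering Jon warns against).
REVERSED = """
access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248
access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0
crypto map HQ 1 match address 102
crypto map HQ 1 set peer 2.2.2.2
crypto map HQ 2 match address 101
crypto map HQ 2 set peer 1.1.1.1
"""


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class CryptoEntry:
    seq: int
    acl: str
    peer: str = ""
    aces: list = field(default_factory=list)


def _parse_addr(tokens):
    """Parse 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, tokens consumed)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_config(text):
    """Return crypto map entries ordered by sequence number, each with its ACL's ACEs attached."""
    acls, entries = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            # access-list NAME extended permit PROTO SRC DST
            src, n = _parse_addr(t[5:])
            dst, _ = _parse_addr(t[5 + n:])
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = entries.setdefault(int(t[3]), CryptoEntry(int(t[3]), ""))
            if t[4:6] == ["match", "address"]:
                e.acl = t[6]
            elif t[4:6] == ["set", "peer"]:
                e.peer = t[6]
    ordered = [entries[s] for s in sorted(entries)]
    for e in ordered:
        e.aces = acls.get(e.acl, [])
    return ordered


def select_entry(entries, src, dst):
    """First entry (lowest sequence) whose crypto ACL permits src -> dst, or None if unprotected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if any(s in a.src and d in a.dst for a in e.aces):
            return e
    return None


def shadowed(entries):
    """Entries whose every ACE lies inside an ACE of an earlier entry; they can never be selected."""
    out = []
    for i, e in enumerate(entries):
        earlier = [b for f in entries[:i] for b in f.aces]
        covered = all(
            any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst) for b in earlier)
            for a in e.aces
        )
        if e.aces and covered:
            out.append(e)
    return out


def return_peer(entries, local, remote):
    """Peer that would receive traffic from local host back to remote host."""
    e = select_entry(entries, local, remote)
    return e.peer if e else None


if __name__ == "__main__":
    entries = parse_config(CONFIG)
    print("reply to 10.0.0.5 goes to peer", return_peer(entries, "3.3.3.3", "10.0.0.5"))
    print("reply to 10.0.0.100 goes to peer", return_peer(entries, "3.3.3.3", "10.0.0.100"))
    print("shadowed in REVERSED:", [e.seq for e in shadowed(parse_config(REVERSED))])
```

With the thread's ordering, nothing is shadowed, but a reply to 10.0.0.5 selects peer 1.1.1.1 even if the request arrived from peer 2.2.2.2 under ACL 102; that is the asymmetry the last reply describes. With the order reversed, the /29 entry is reported as shadowed and would never bring its tunnel up.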