Re: Overlapping Crypto ACLs

cwmontgo · ‎06-18-2009

Is it possible to create a crypto map with entries that include crypto acls to the most specific network destinations first, and finishing with the least specific network destination (much like routing, the most specific route is taken, even when part of a larger network that is routed to a different gateway).

A part of the hypothetical config is below:

access-list 101 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.248

access-list 102 extended permit ip host 3.3.3.3 10.0.0.0 255.255.255.0

crypto map HQ 1 match address 101

crypto map HQ 1 set peer 1.1.1.1

crypto map HQ 1 set transform-set strong

crypto map HQ 2 match address 102

crypto map HQ 2 set peer 2.2.2.2

crypto map HQ 2 set transform-set strong

crypto map HQ interface outside

10.0.0.0/29 is within 10.0.0.0/24, but more specific. My understanding is that b/c entry 1 is matched first, it will not interfere with entry 2.

Jon Marshall · ‎06-18-2009

Chris

From memory yes this will work as long as you make sure that least specific match is after the most specific otherwise you get problems with tunnnel setup.

Jon

auraza · ‎06-19-2009

You may see some issues, in case traffic comes from peer 2, and matches 102, but on the way back matches 101, if it is addressed for a peer that falls within 101 range. This is not recommended.