06-21-2006 12:17 PM
On a PIX v6.3(5) I have a site-site VPN that works. I want to change it to exclude a destination subnet.
Here is what I want to do:
access-list 90 deny ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map toSanJose 20 match address 90
Is it OK to add the "deny" at the start of the ACL? Or will it deny all traffic?
06-22-2006 12:17 AM
From memory, I thought you were not supposed to use a "deny" in a crypto ACL; however, the 6.3 config guide says:
"Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry."
And since an ACL has an implicit "deny all" at the end anyway, then go for it.
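A fuller version of the configuration being discussed, added here as an illustration; it is not from the original posts or from Cisco documentation. The crypto map name and ACL number come from the question; the transform set name, the peer address (203.0.113.2, a documentation address) and the peer-side configuration are assumed for the example.

```cisco
! --- PIX A (192.168.12.0/24 side), PIX 6.3 syntax ---
! Crypto ACL: first match wins. The deny pulls 10.1.0.0/16 out of the
! tunnel; the permit protects the rest of 10.0.0.0/8. The implicit
! deny at the end leaves everything else unprotected, as before.
access-list 90 deny ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

! Transform set name and peer address are assumed for this example.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set peer 203.0.113.2
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose interface outside

! --- Peer in San Jose (assumed): the crypto ACL should be the mirror
! image, deny included, so both ends agree on which flows are protected.
access-list 90 deny ip 10.1.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list 90 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
```

Two things to check after making the change. First, the traffic the deny removes is no longer encrypted: packets from 192.168.12.0/24 to 10.1.0.0/16 will follow normal routing and NAT on the outside interface, so if a nat 0 access-list still exempts all of 10.0.0.0/8 those packets leave untranslated in the clear, and the nat 0 ACL should be narrowed to match. Second, keep the deny line on both peers; if only one side excludes 10.1.0.0/16, the other side will still try to negotiate an SA for it and the flows will not match.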
06-22-2006 07:08 AM
The TAC initially said that "deny" is not allowed, but when I pressed them they admitted that they couldn't find any specific reason.
They then said that it would hurt performance.
Eventually they said that I should try to make it work and let them know.