Simple ACL & crypto map syntax question-- numbering

Hi folks.

Please see below ACL and cryptomap config...

#access-list MYCOMPANY-ACL-crypto-1 line 1 remark ACL to encrypt traffic from MYCOMPANY to VENDOR
#access-list MYCOMPANY-ACL-crypto-1 line 5 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

#crypto map MYCOMPANY-cryptomap-1 1 match address MYCOMPANY-ACL-crypto-1
#crypto map MYCOMPANY-cryptomap-1 1 set peer 100.1.1.1
#crypto map MYCOMPANY-cryptomap-1 1 set ikev2 ipsec-proposal MYCOMPANY-proposal-1
#crypto map MYCOMPANY-cryptomap-1 interface outside

QUESTIONS:

1. In the ACL-- if tomorrow I insert an ACL statement with "line 3", then it will be placed between line 1 and line 5, correct?

2. (This is more curious) In the crypto map, "1 match address" "1 set peer" and "1 set ikev2 ipsec-proposal" does the "1" mean that all these statements logically exist on the same line of the cryptomap? 

3. (depending on #2 answer) What is the syntax for the crypto map to create the ACL "line 3" logic, so that I may similarly insert a new line that places exactly where I desire within the crypto map?

Thank you!!!

Accepted Solution

@jmaxwellUSAF yes, inserting line 3 in the ACL would add a new ACE (Access Control Entry) between 1 and 5.

MYCOMPANY-cryptomap-1 1 << this 1 represents the sequence number for when you have multiple VPNs to different destinations. You define the match address, set peer and set ikev2 ipsec-proposal on separate lines (as per your example).

Example of multiple sequence numbers for different VPNs.

#crypto map MYCOMPANY-cryptomap-1 1 match address MYCOMPANY-ACL-crypto-1
#crypto map MYCOMPANY-cryptomap-1 1 set peer 100.1.1.1
#crypto map MYCOMPANY-cryptomap-1 1 set ikev2 ipsec-proposal MYCOMPANY-proposal-1

#crypto map MYCOMPANY-cryptomap-1 2 match address MYCOMPANY-ACL-crypto-2
#crypto map MYCOMPANY-cryptomap-1 2 set peer 200.2.2.2
#crypto map MYCOMPANY-cryptomap-1 2 set ikev2 ipsec-proposal MYCOMPANY-proposal-2

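The behaviour described in the accepted answer, as an added worked example (not part of the thread and not Cisco code): a small Python model of how the ASA orders ACEs by line number and crypto map entries by sequence number, with a check for the failure mode a practitioner most wants to catch, an entry whose ACL is shadowed by a lower sequence number. The config text, the 10/20 renumbering of the thread's two entries, the extra ACL line 3, the third peer 203.0.113.5 and the ACL names ending in -3 are all constructed for the example; the matching logic is a simplification of the ASA (ascending sequence order, first permitting crypto ACL wins).

```python
# Added example (not from the thread or from Cisco): model ASA ACL line
# ordering and crypto map sequence ordering, and detect shadowed entries.
# The config below is constructed; matching is simplified (lowest sequence
# number whose crypto ACL permits the flow wins, so an overlapping ACE in a
# lower-numbered entry captures traffic meant for a higher-numbered peer).
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(
    r"access-list (\S+) line (\d+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)$")

# Constructed sample: the thread's two entries renumbered 10/20 so a third can
# be placed at 15, plus an over-broad ACE typed in as ACL line 3 of the first ACL.
SAMPLE_CONFIG = """
#access-list MYCOMPANY-ACL-crypto-1 line 1 remark ACL to encrypt traffic from MYCOMPANY to VENDOR
#access-list MYCOMPANY-ACL-crypto-1 line 5 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
#access-list MYCOMPANY-ACL-crypto-1 line 3 extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0
#access-list MYCOMPANY-ACL-crypto-2 line 1 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
#access-list MYCOMPANY-ACL-crypto-3 line 1 extended permit ip 172.16.2.0 255.255.255.0 192.168.50.0 255.255.255.0
#crypto map MYCOMPANY-cryptomap-1 10 match address MYCOMPANY-ACL-crypto-1
#crypto map MYCOMPANY-cryptomap-1 10 set peer 100.1.1.1
#crypto map MYCOMPANY-cryptomap-1 10 set ikev2 ipsec-proposal MYCOMPANY-proposal-1
#crypto map MYCOMPANY-cryptomap-1 20 match address MYCOMPANY-ACL-crypto-2
#crypto map MYCOMPANY-cryptomap-1 20 set peer 200.2.2.2
#crypto map MYCOMPANY-cryptomap-1 20 set ikev2 ipsec-proposal MYCOMPANY-proposal-2
#crypto map MYCOMPANY-cryptomap-1 15 match address MYCOMPANY-ACL-crypto-3
#crypto map MYCOMPANY-cryptomap-1 15 set peer 203.0.113.5
#crypto map MYCOMPANY-cryptomap-1 15 set ikev2 ipsec-proposal MYCOMPANY-proposal-3
"""


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse_config(text):
    """acls[name][line] = (src_net, dst_net); maps[map][seq] = {field: value}.
    Remark lines and anything the two patterns don't cover are skipped."""
    acls = defaultdict(dict)
    maps = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        line = raw.strip().lstrip("#")
        m = ACL_RE.match(line)
        if m:
            name, num, sa, sm, da, dm = m.groups()
            acls[name][int(num)] = (_net(sa, sm), _net(da, dm))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, field, value = m.groups()
            maps[name][int(seq)][field] = value
    return acls, maps


def acl_lines(acls, name):
    """ACE line numbers in evaluation order: ascending, whatever order they were typed."""
    return sorted(acls[name])


def map_sequence(maps, map_name):
    """Crypto map entries in evaluation order: ascending sequence number.
    All 'crypto map NAME SEQ ...' statements with the same SEQ form one entry."""
    return sorted(maps[map_name])


def acl_permits(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls[name].values())


def select_entry(acls, maps, map_name, src_ip, dst_ip):
    """(seq, peer) of the lowest-sequence entry whose crypto ACL permits src->dst, else None."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq in map_sequence(maps, map_name):
        entry = maps[map_name][seq]
        if acl_permits(acls, entry["match address"], src, dst):
            return seq, entry["set peer"]
    return None


def shadowed_entries(acls, maps, map_name):
    """Sequence numbers whose every ACE is covered by an ACE of a lower-numbered
    entry: those peers can never be selected, and their traffic goes to the wrong peer."""
    seqs = map_sequence(maps, map_name)
    shadowed = []
    for i, seq in enumerate(seqs):
        own = list(acls[maps[map_name][seq]["match address"]].values())
        earlier = [ace for s in seqs[:i]
                   for ace in acls[maps[map_name][s]["match address"]].values()]
        if own and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                       for s, d in own):
            shadowed.append(seq)
    return shadowed


def analyze(text, map_name="MYCOMPANY-cryptomap-1"):
    acls, maps = parse_config(text)
    return {
        "acl1_lines": acl_lines(acls, "MYCOMPANY-ACL-crypto-1"),
        "sequence": map_sequence(maps, map_name),
        "to_10net": select_entry(acls, maps, map_name, "172.16.1.10", "10.5.5.5"),
        "to_vendor3": select_entry(acls, maps, map_name, "172.16.2.7", "192.168.50.9"),
        "unmatched": select_entry(acls, maps, map_name, "192.168.9.1", "8.8.8.8"),
        "shadowed": shadowed_entries(acls, maps, map_name),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Two things the model makes visible. First, there is no "line" keyword for crypto map entries: the position of an entry is its sequence number, so to put one between 1 and 2 you would have to renumber, which is why the example uses 10/20 and drops a new peer in at 15. Second, the ACE typed in at ACL line 3 (172.16.0.0/16 to 10.0.0.0/8) completely covers the ACL of sequence 20, so traffic for 10.0.0.0/8 is sent to peer 100.1.1.1 instead of 200.2.2.2; run the shadow check after any crypto ACL change.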
