6 Replies Latest reply: Apr 3, 2012 12:43 PM by Irfan Sri

    Difference between crypto ACL and Extended ACL

    phanipriyaraju

      Dear Team,


      What is the difference between a crypto ACL and an ACL? We are using the same syntax.


      Thanks,

      Dreams

        • 1. Re: Difference between crypto ACL and Extended ACL
          Paul Stewart  -  CCIE Security

          An extended acl is an acl that allows you to specify a source and destination address as well as protocol and other information.  A crypto acl is not a classification in terms of standard or extended acl.  A crypto acl is a use case for an extended acl in which we specify the source and destination address to be encrypted.  So I can create an acl as follows.


          ip access-list extended crypto

          permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255


          That is an IOS syntax of an extended acl with the name of "crypto".  That is not necessarily a crypto acl.  However, if I apply that extended ACL to a crypto map, then it becomes a crypto acl.  It is how it is used that makes it a crypto acl.

          • 2. Re: Difference between crypto ACL and Extended ACL
            Keith Barker - CCIE RS/Security, CISSP

            Dreams wrote:


            Dear Team,


            What is the difference between a crypto ACL and an ACL? We are using the same syntax.


            Thanks,

            Dreams


            Hi Dreams-


            Great question.


            The answer is where we use the ACL, and that determines the name.


            Let's create ACL 101 that permits IP traffic from the 10.0.0.0/8 network to 172.16.0.0/16 network, and permits nothing else.


            If we apply ACL 101 to an interface for filtering, that is exactly what it is, a filter that will only allow that traffic through the interface it is applied to, based on the traffic matching the permit in the ACL.


            If we apply the same ACL as part of our crypto-map in IPSec, then that same ACL 101 is now called a crypto acl.  The purpose of the ACL in this case is to identify what traffic should be encrypted, specifically any traffic from 10.0.0.0/8 to 172.16.0.0/16 (in our example).


            Great question, and best wishes,


            Keith

            • 3. Re: Difference between crypto ACL and Extended ACL
              Irfan Sri

              Paul,

              Can a crypto ACL be used only with a VPN tunnel?  If we have an "ip access-list extended crypto" line in the config, then how can we add a new ACL list under the crypto ACL? As Keith said, do we need to create an ACL with 101? Can anybody give us an example of how to add a new ACL to a crypto map, please.


              Thanks

              • 4. Re: Difference between crypto ACL and Extended ACL
                Daniel

                I think Paul and Keith already provided a very good explanation!


                If you type "ip access-list extended crypto" it would just make a normal extended ACL named crypto. So to edit it you would edit it just like you edit a normal extended ACL.


                You don't have to create the ACL using numbers, as Keith tried to explain. You just use this ACL to "define interesting traffic" that will be encrypted. You can use a numbered list or a named extended list.


                To match this "ACL" to a crypto map you'd have to do a few configuration steps first, but in the crypto map configuration you define which ACL to match addresses with the command: match address crypto


                Or if it's a numbered acl with the command: match address 101

                ...it's just used to define, like Paul and Keith explained, interesting traffic to be encrypted. A permit statement that matches will be sent encrypted; all other traffic will be sent unencrypted.


                Nothing more, nothing less.


                -Daniel
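The two roles Keith describes (ACL 101 as an interface filter, and the same ACL 101 as the crypto ACL selected by "match address") and the "match address" step Daniel describes, shown side by side in one IOS configuration. This is an added example, not configuration posted by anyone in this thread; the address ranges, peer address, pre-shared key placeholder, transform set, crypto map name and interface names are all assumptions.

```cisco
! Added example, not from the thread. Addresses, peer, key and
! interface names are assumed values; replace them for a real device.

! Numbered extended ACL 101, as in Keith's post: permit IP from
! 10.0.0.0/8 to 172.16.0.0/16 and nothing else (implicit deny at the end).
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

! The same rule as a named extended ACL, as in Paul's post. The name
! "crypto" is only a label; the ACL is still just an extended ACL.
ip access-list extended crypto
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

! Role 1: packet filter. Bound to an interface with ip access-group,
! ACL 101 drops every packet that does not match its single permit line.
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

! Role 2: crypto ACL. IKE phase 1 policy and the pre-shared key for the
! peer (the key below is an obvious placeholder).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 203.0.113.2

! IPsec phase 2 transform set.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel

! The crypto map references ACL 101 with "match address". Here it
! becomes a crypto ACL: its permit lines select what gets encrypted.
! For the named ACL above the line would be "match address crypto".
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101

! The crypto map is bound to the outside interface. Outbound traffic
! that matches a permit in ACL 101 is encrypted to the peer; traffic
! that hits a deny (or the implicit deny) leaves in the clear.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CMAP
```

Two checks worth doing on a real deployment: the peer's crypto ACL must be the mirror image of this one (source and destination swapped), or phase 2 negotiation fails on a proxy identity mismatch; and if an inbound filter is also applied to the outside interface, it has to permit ISAKMP (UDP 500, and UDP 4500 with NAT-T) and ESP from the peer, since a crypto ACL only selects traffic for protection and never opens anything through an interface filter.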

                • 5. Re: Difference between crypto ACL and Extended ACL
                  just plain old Kev

                  crypto map acl...


                  permit = protected (encrypted)

                  deny   = unprotected

                  • 6. Re: Difference between crypto ACL and Extended ACL
                    Irfan Sri

                    Thanks Daniel,

                    Thanks for the summary.