Configuring a Crypto ACL
You use a crypto ACL to identify traffic that should be protected by the
IPsec VPN. Any traffic permitted in the ACL will be sent over the VPN.
Traffic denied by the ACL will not be dropped—it will just be sent normally.
The following example shows a crypto ACL that permits traffic from two
internal networks—172.16.1.0 and 172.16.4.0—if it is bound to the server
network of 10.6.3.0.
Note
When configuring the crypto ACL on the router at the other end of the tunnel, be sure to reverse
the source and destination IP addresses.
IPSEC_RTR(config)#access-list 172 permit ip 172.16.1.0 0.0.0.255 10.6.3.0 0.0.0.255
IPSEC_RTR(config)#access-list 172 permit ip 172.16.4.0 0.0.0.255 10.6.3.0 0.0.0.255
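
The note about reversing source and destination on the other router can be checked mechanically. The following Python sketch is an added example, not part of the original text: it parses the simple access-list form shown above, builds the mirror image, and reports entries on the peer that do not match. The peer configuration is constructed sample data and the function names are hypothetical.

```python
import ipaddress
import re

# Simple form used on this page: access-list N permit|deny ip SRC WILD DST WILD
ACE_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def to_network(addr, wildcard):
    """Cisco wildcard mask -> ip_network (contiguous wildcards only)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_crypto_acl(config_text):
    """Return a set of (action, src_net, dst_net); the ACL number is ignored
    because it is only locally significant and may differ on the peer."""
    entries = set()
    for line in config_text.splitlines():
        m = ACE_RE.search(line)
        if m:
            action, src, swc, dst, dwc = m.groups()
            entries.add((action, to_network(src, swc), to_network(dst, dwc)))
    return entries

def mirror(entries):
    """Swap source and destination in every entry."""
    return {(action, dst, src) for action, src, dst in entries}

def check_mirrored(local_text, peer_text):
    """Return (missing_on_peer, unexpected_on_peer)."""
    expected = mirror(parse_crypto_acl(local_text))
    actual = parse_crypto_acl(peer_text)
    return expected - actual, actual - expected

# Local crypto ACL from the page.
LOCAL = """\
IPSEC_RTR(config)#access-list 172 permit ip 172.16.1.0 0.0.0.255 10.6.3.0 0.0.0.255
IPSEC_RTR(config)#access-list 172 permit ip 172.16.4.0 0.0.0.255 10.6.3.0 0.0.0.255
"""
# Constructed peer config: the second entry was copied without being reversed.
PEER_BAD = """\
access-list 172 permit ip 10.6.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 172 permit ip 172.16.4.0 0.0.0.255 10.6.3.0 0.0.0.255
"""

if __name__ == "__main__":
    missing, unexpected = check_mirrored(LOCAL, PEER_BAD)
    for action, src, dst in sorted(missing, key=str):
        print(f"peer is missing:  {action} ip {src} -> {dst}")
    for action, src, dst in sorted(unexpected, key=str):
        print(f"peer has extra:   {action} ip {src} -> {dst}")
```
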