Creating a Crypto Access List

Crypto access lists are used to identify which IP traffic is to be protected by encryption and
which traffic is not. After the access list is defined, the crypto maps reference it to identify the
type of traffic that IPSec protects. The permit keyword in the access list causes IPSec to
protect all IP traffic that matches the access list criteria. If the deny keyword is used in the
access list, the traffic is not encrypted. The crypto access lists specified at the remote peer
should be mirror images of the access lists specified at the local peer. This ensures that traffic
that has IPSec protection applied locally can be processed correctly at the remote peer. The
crypto map entries should also support common transforms and should refer to the other
system as a peer.
It is not recommended that you use the permit ip any any command, because it causes all
outbound traffic to be encrypted (and all encrypted traffic to be sent to the peer specified in
the corresponding crypto map entry), and it requires encryption of all inbound traffic. With
this type of access list, the firewall drops all inbound packets that are not encrypted.
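As an added example (not code from the book), the following Python checker parses the address portion of access-list lines from two constructed peer configurations, verifies that the remote peer's list is the mirror image of the local one, and flags the discouraged permit ip any any entry; the access list names vpn-to-b and vpn-to-a and all addresses are assumed sample values, and port operators are not parsed.

```python
# Added example (not from the book): checks that two peers' crypto access
# lists are mirror images and flags the discouraged "permit ip any any"
# entry. ACL names and addresses below are constructed sample values.

def _parse_addr(t, i):
    """Return ((addr, mask), next index) for 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_crypto_acl(config, acl_name):
    """(action, protocol, src, dst) per line of one access list; port
    operators after the addresses are ignored in this simplified parser."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], t[3], src, dst))
    return entries

def mirror_of(entries):
    """What the remote peer must hold: source and destination swapped."""
    return [(a, p, dst, src) for (a, p, src, dst) in entries]

def acl_mismatches(local_entries, remote_entries):
    """Mirrored entries missing at the remote peer, and unexpected extras."""
    expected = mirror_of(local_entries)
    missing = [e for e in expected if e not in remote_entries]
    extra = [e for e in remote_entries if e not in expected]
    return missing, extra

def permits_all_ip(entries):
    """True if the list contains the discouraged 'permit ip any any'."""
    anyaddr = ("0.0.0.0", "0.0.0.0")
    return ("permit", "ip", anyaddr, anyaddr) in entries

# Constructed sample configurations for the two peers.
LOCAL_CFG = """\
access-list vpn-to-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn-to-b permit ip host 10.1.1.10 10.3.3.0 255.255.255.0
"""
REMOTE_CFG = """\
access-list vpn-to-a permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn-to-a permit ip any any
"""
```

Running acl_mismatches on the two constructed lists reports the host entry missing at the remote peer and the permit ip any any line as an unexpected extra.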
The syntax for the access-list command is as follows:
access-list acl_name permit | deny protocol src_addr src_mask
[operator port[port]] dest_addr dest_mask [operator port[port]]
Table 13-3 lists and describes the command arguments and options for the access-list
command.