Manoj Reddy's Reference Guide

access-list (encryption)

To define an encryption access list by number, use the extended IP access-list (encryption) global configuration command.
Use the no form of this command to remove a numbered encryption access list.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

no access-list access-list-number

For Internet Control Message Protocol (ICMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

access-list-number 

Number of an encryption access list. This is a decimal number from 100 to 199.

dynamic dynamic-name

(Optional) Identifies this encryption access list as a dynamic encryption access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide .

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide .

deny

Does not encrypt/decrypt IP traffic if the conditions are matched.

permit

Encrypts/decrypts IP traffic if the conditions are matched.

protocol 

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers, as described in the text that follows.

source 

Number of the network or host from which the packet is being sent. There are three other ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three other ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section "Usage Guidelines").
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be matched for encryption by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be matched for encryption by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type 

(Optional) ICMP packets can be matched for encryption by ICMP message type. The type is a number from 0 to 255.

icmp-code 

(Optional) ICMP packets that are matched for encryption by ICMP message type can also be matched by the ICMP message code. The code is a number from 0 to 255.

icmp-message 

(Optional) ICMP packets can be matched for encryption by an ICMP message type name or ICMP message type and code name. The possible names are discussed in the section "Usage Guidelines."

igmp-type 

(Optional) IGMP packets can be matched for encryption by IGMP message type or message name. A message type is a number from to 15. IGMP message names are listed in the section "Usage Guidelines."

operator 

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port 

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535.

TCP port names are listed in the section "Usage Guidelines." TCP port names can be used only when filtering TCP.

UDP port names are listed in the section "Usage Guidelines." UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was encrypted/decrypted or not; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets encrypted/decrypted or not in the prior 5-minute interval.

Defaults

No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.

Command Modes

Global configuration

Command History

Release    Modification
11.2       This command was introduced.

Usage Guidelines

Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).

When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.

To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET interface configuration) commands.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.

After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list command lines from a specific access list.

Caution  When creating encryption access lists, we do not recommend using the any keyword to specify source or destination addresses. Using the any keyword with a permit statement could cause extreme problems if a packet enters your router and is destined for a router that is not configured for encryption. This would cause your router to attempt to set up an encryption session with a nonencrypting router.
If you incorrectly use the any keyword with a deny statement, you might inadvertently prevent all packets from being encrypted, which could present a security risk.

If you view your router's access lists by using a command such as show ip access-list, all extended IP access lists will be shown in the command output. This includes extended IP access lists that are used for traffic filtering purposes as well as those that are used for encryption. The show command output does not differentiate between the two uses of the extended access lists.

The following is a list of precedence names:

The following is a list of type of service (TOS) names:

The following is a list of ICMP message type names and code names:

The following is a list of IGMP message names:

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

Examples

The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.

Router1(config)# access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255

This encryption access list will be applied to an interface as an outbound encryption access list after the router administrator defines a crypto map and applies the crypto map to the interface.
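As an added illustration (not part of the Cisco documentation), the following Python models how a numbered encryption access list is evaluated: wildcard-mask matching, the any and host abbreviations, the port operators, first-match ordering and the implicit deny at the end of the list. It parses only the ip, tcp and udp statement forms (icmp-type, igmp-type, precedence, tos, established and log are not modelled), the packet is a constructed dict, and the sample list extends the example access list 101 above with a constructed deny statement.

```python
import ipaddress
# Port operators from the command syntax: lt, gt, eq and neq take one port, range takes two.
OPS = {"lt": lambda p, lo, hi: p < lo, "gt": lambda p, lo, hi: p > lo,
       "eq": lambda p, lo, hi: p == lo, "neq": lambda p, lo, hi: p != lo,
       "range": lambda p, lo, hi: lo <= p <= hi}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return _ip(addr) & care == _ip(base) & care

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":                 # abbreviation for 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":                # abbreviation for A 0.0.0.0
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)

def _parse_port(tokens):
    """Consume an optional 'operator port [port]' clause; None when absent."""
    if not tokens or tokens[0] not in OPS:
        return None
    op, lo = tokens.pop(0), int(tokens.pop(0))
    return op, lo, int(tokens.pop(0)) if op == "range" else lo

def parse_statement(line):
    """Parse 'access-list N {permit|deny} PROTO SRC [op port] DST [op port]' (ip/tcp/udp forms)."""
    t = line.split()
    e, rest = {"number": int(t[1]), "action": t[2], "proto": t[3]}, t[4:]
    e["src"], e["sport"] = _parse_addr(rest), _parse_port(rest)
    e["dst"], e["dport"] = _parse_addr(rest), _parse_port(rest)
    return e

def matches(e, pkt):
    """pkt: dict with proto, src, dst, sport, dport; protocol 'ip' in an entry matches any protocol."""
    return (e["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])
            and all(c is None or OPS[c[0]](pkt[k], c[1], c[2])
                    for k, c in (("sport", e["sport"]), ("dport", e["dport"]))))

def evaluate(acl, pkt):
    """Check statements in creation order; first match wins; implicit deny (do not encrypt) at the end."""
    return next((e["action"] for e in acl if matches(e, pkt)), "deny")

# Constructed sample: the page's example entry, preceded by a narrower (constructed) deny so the
# first-match rule is visible; swap the two statements and the deny would never be reached.
SAMPLE_ACL = [parse_statement(s) for s in (
    "access-list 101 deny tcp 172.21.3.0 0.0.0.255 host 172.22.2.10 eq 23",
    "access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255",
)]
```

Evaluating a TCP packet from the source subnet to 172.22.2.10 port 23 against SAMPLE_ACL returns "deny" (left in plain text), while the same list in reverse order returns "permit", which is the ordering pitfall described under "Usage Guidelines".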

Related Commands

Command                                    Description
crypto map (CET global configuration)      Deletes the DSS public/private key pair of a crypto engine.
crypto map (CET interface configuration)   Applies a previously defined crypto map to an interface.
ip access-list extended (encryption)       Defines an encryption access list by name.
show ip access-list                        Displays the contents of all current IP access lists.


All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.