As you might have guessed from the preceding discussion of inbound and outbound traffic, the crypto ACLs that you configure on both IPSec peers are critical to a successful IPSec implementation. Because the router uses the crypto ACL to evaluate both outbound traffic (what to protect) and inbound traffic (what it expects to arrive protected), the crypto ACLs on the two IPSec peers must be symmetric: every entry on one peer must have a mirror image on the other, with the same protocol and port numbers and with the source and destination addresses swapped. Mirroring the entries this way ensures that neither router drops traffic it should have protected, and that each router decrypts the protected traffic it receives from its peer.

Configuring Crypto ACLs

Let's look at an example using symmetric crypto access lists. The two IPSec peers are Ping and Pong. The organization's security policy states that all LAN-to-LAN traffic must be encrypted if the traffic is either UDP or TCP. The Ping LAN is 10.1.100.0/24, and the Pong LAN is 10.2.200.0/24. Here are the symmetric crypto ACLs for the Ping and Pong routers:

Ping(config)# access-list 101 permit tcp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255
Ping(config)# access-list 101 permit udp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255

Pong(config)# access-list 195 permit tcp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255
Pong(config)# access-list 195 permit udp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255

Note that the ACL numbers (101 and 195) need not match; what matters is that each Pong entry is the mirror image of a Ping entry, with the source and destination networks exchanged.
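A practitioner rolling out many site-to-site tunnels will want to verify the symmetry requirement mechanically rather than by eye. The following script is an added example, not part of the original text or of any Cisco tool: it parses IOS-style numbered `access-list` lines (the `any`, `host A.B.C.D` and `A.B.C.D wildcard` address forms, with an optional `eq <port>` after either address) and reports every entry on one peer that has no mirror image on the other. The Ping and Pong ACLs are taken from the text; the `PONG_ACL_BROKEN` list, the host address 10.1.100.5 and port 443 are constructed here purely to show what an asymmetry report looks like.

```python
"""Crypto ACL symmetry checker (added example, not from the source text).

A crypto ACL selects which traffic an IPSec peer protects on the way out, and
the same ACL is applied in reverse to what arrives from the peer. This script
parses IOS-style numbered ACL lines and reports every entry on one peer that
has no mirror image (source and destination swapped) on the other peer.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]  # (network, wildcard mask)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Addr
    src_port: Optional[str]
    dst: Addr
    dst_port: Optional[str]

    def mirror(self) -> "Ace":
        """The entry the far-side peer must carry: endpoints swapped."""
        return Ace(self.action, self.proto, self.dst, self.dst_port,
                   self.src, self.src_port)


def _addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec at tok[i]; normalise `any` and `host` forms."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional `eq <port>` at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse `[prompt] access-list <n> permit|deny <proto> <src> <dst>` lines."""
    aces = []
    for line in lines:
        tok = line.split()
        if "access-list" not in tok:
            continue  # blank lines, comments, other commands
        tok = tok[tok.index("access-list"):]  # drop a leading CLI prompt
        if len(tok) < 4 or tok[2] not in ("permit", "deny"):
            continue  # `remark` lines carry no match criteria
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport))
    return aces


def check_symmetry(peer_a: List[str], peer_b: List[str]) -> Tuple[List[Ace], List[Ace]]:
    """Return (entries of A with no mirror on B, entries of B with no mirror on A)."""
    a, b = parse_acl(peer_a), parse_acl(peer_b)
    a_set, b_set = set(a), set(b)
    return ([x for x in a if x.mirror() not in b_set],
            [y for y in b if y.mirror() not in a_set])


# Constructed sample input: the Ping/Pong ACLs from the text, plus a
# deliberately broken Pong ACL (udp entry missing, extra host/port entry).
PING_ACL = [
    "Ping(config)# access-list 101 permit tcp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255",
    "Ping(config)# access-list 101 permit udp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255",
]
PONG_ACL = [
    "Pong(config)# access-list 195 permit tcp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255",
    "Pong(config)# access-list 195 permit udp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255",
]
PONG_ACL_BROKEN = [
    "Pong(config)# access-list 195 permit tcp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255",
    "Pong(config)# access-list 195 permit tcp 10.2.200.0 0.0.0.255 host 10.1.100.5 eq 443",
]

if __name__ == "__main__":
    for name, pong in (("good", PONG_ACL), ("broken", PONG_ACL_BROKEN)):
        only_ping, only_pong = check_symmetry(PING_ACL, pong)
        print(f"{name}: {len(only_ping)} Ping entries and {len(only_pong)} Pong entries unmirrored")
        for ace in only_ping:
            print("  Pong lacks the mirror of:", ace)
        for ace in only_pong:
            print("  Ping lacks the mirror of:", ace)
```

The good pair reports nothing; the broken pair flags Ping's udp entry (Pong would drop Ping's inbound UDP as unprotected) and Pong's host/port entry (Ping would send those packets in the clear, and Pong would then reject them). Because `deny` entries are carried through with their action, an explicit exemption on one side without its mirror on the other is reported too.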