
crypto map [name] [seq] match address [acl]

Associates an access list with a crypto map entry to define which traffic should be encrypted for an IPsec VPN tunnel.

Overview

The 'crypto map [name] [seq] match address [acl]' command is a fundamental building block for IPsec VPN configuration on Cisco ASA firewalls. It links a crypto map entry to an access control list (ACL) that defines which traffic should be encrypted and sent over the VPN tunnel. The crypto map itself is a collection of entries, each with a sequence number, that collectively define the VPN policy for a given interface. The ACL specifies interesting traffic: source and destination IP addresses and optionally ports.

When a packet matches a permit statement in the ACL, the ASA attempts to establish an IPsec security association (SA) with the remote peer and encrypt the packet. If the ACL denies the traffic, it is sent in the clear. This command is used in both site-to-site and remote access VPNs.

On the ASA, the crypto map must be applied to an interface (e.g., 'crypto map CMAP interface outside') to become active. The command is entered in global configuration mode.

Understanding this command is critical for VPN troubleshooting: if traffic is not encrypted, the first check is whether the ACL matches the traffic. The ASA uses the first matching crypto map entry based on sequence number; if no match, traffic is not encrypted.

Platform-specific behavior: unlike IOS routers, ASA requires the crypto map to be applied to an interface; also, the ACL in the crypto map can be extended or standard, but extended is typical for specifying both source and destination.
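The selection logic described above (entries checked in ascending sequence number, first ACL with a matching permit wins, anything else leaves in the clear) is easy to get wrong when a map has several entries. The following Python model is an added example, not code from the original page or from Cisco. It assumes that a deny in one entry's ACL only excludes the flow from that entry and evaluation continues with the next sequence number, and that an entry whose ACL was never created cannot match; all names, ACLs and addresses in the sample configuration are constructed for the example.

```python
"""Added example (not from the original page): a small model of how an ASA
picks a crypto map entry for a flow. Assumptions, stated as such: entries are
checked in ascending sequence number; the first entry whose ACL permits the
flow encrypts it; a deny in an entry's ACL only excludes the flow from that
entry; a flow no entry permits is sent in the clear."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_address(tokens, i):
    """Read one ASA address operand at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D MASK'. Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl_line(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' into (NAME, AclEntry)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, i = _take_address(t, 5)
    dst, _ = _take_address(t, i)
    return t[1], AclEntry(t[3], src, dst)


def load_config(text):
    """Collect ACLs and 'crypto map NAME SEQ match address ACL' bindings from config text."""
    acls, crypto_map = {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, entry = parse_acl_line(line)
            acls.setdefault(name, []).append(entry)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_map.append((int(t[3]), t[6]))
    return crypto_map, acls


def acl_action(acl, src, dst) -> Optional[str]:
    """The first ACL entry matching the flow decides; no match is the implicit deny."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action
    return None


def select_entry(crypto_map, acls, src_ip, dst_ip) -> Optional[int]:
    """Sequence number of the crypto map entry that would encrypt the flow,
    or None when the flow would leave in the clear."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq, acl_name in sorted(crypto_map):        # lower seq-num is evaluated first
        acl = acls.get(acl_name)
        if acl is None:                              # ACL named but never created (assumption: cannot match)
            continue
        if acl_action(acl, src, dst) == "permit":
            return seq
    return None


# Constructed configuration: a site-to-site entry, a DMZ entry that excludes one
# host from encryption, and a binding to an ACL that does not exist.
SAMPLE_CONFIG = """
access-list S2S-ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list DMZ-ACL extended deny ip 10.1.1.0 255.255.255.0 host 172.16.5.10
access-list DMZ-ACL extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map CMAP 20 match address DMZ-ACL
crypto map CMAP 10 match address S2S-ACL
crypto map CMAP 5 match address MISSING-ACL
"""


def classify(src_ip, dst_ip, config=SAMPLE_CONFIG):
    crypto_map, acls = load_config(config)
    seq = select_entry(crypto_map, acls, src_ip, dst_ip)
    return "clear" if seq is None else f"encrypt via CMAP {seq}"


if __name__ == "__main__":
    for flow in [("10.1.1.5", "192.168.2.7"), ("10.1.1.5", "172.16.5.10"),
                 ("10.1.1.5", "172.16.9.1"), ("10.2.2.1", "192.168.2.7")]:
        print(flow, "->", classify(*flow))
```

Running the block shows the two cases the page calls out: the host excluded by a deny in DMZ-ACL and the source outside any permit both come back as "clear", while the other flows name the sequence number that would carry them.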

Syntax (Global Config)

crypto map map-name seq-num match address access-list-name

When to Use This Command

  • Site-to-site VPN where only specific subnets (e.g., 10.1.1.0/24 to 192.168.2.0/24) are encrypted.
  • Remote access VPN where client traffic to internal servers (e.g., 172.16.0.0/16) is protected.
  • Selective encryption for DMZ traffic while leaving other traffic in the clear.
  • Multi-VPN scenario where different crypto maps use different ACLs for different peers.

Parameters

map-name (string)
    The name of the crypto map. This is a user-defined string that identifies the crypto map set. Multiple entries with the same name form a crypto map set.

seq-num (integer, 1-65535)
    The sequence number for this crypto map entry. Lower numbers are evaluated first. It is used to order multiple entries within the same crypto map set.

access-list-name (string)
    The name or number of an extended IP access list that defines the traffic to be encrypted. The ACL must already exist. For site-to-site VPNs, the ACL on each peer should be a mirror image (source/destination swapped).

Command Examples

Basic site-to-site VPN ACL match

crypto map CMAP 10 match address S2S-ACL

No output on success; the command is stored in running config. Verify with 'show crypto map'.

Verifying the match with show crypto map

show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 203.0.113.1
    Extended IP access list S2S-ACL
        access-list S2S-ACL permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    Current peer: 203.0.113.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET1,}
    Interfaces using crypto map CMAP: Outside

The output shows the crypto map entry, the peer IP, the matched ACL name and its contents, plus other parameters like lifetime and transform sets.

Understanding the Output

The 'show crypto map' command displays all crypto map entries. For each entry, the 'Extended IP access list' line shows the ACL name used for matching traffic. The ACL itself is shown below with permit/deny statements. A healthy configuration shows the correct ACL name and the expected permit entries. If the ACL is missing or incorrect, the VPN may not encrypt traffic, or traffic may be dropped. The 'Current peer' field indicates the remote VPN peer. If no peer is shown, the crypto map may not be applied to an interface or the peer is misconfigured.

Configuration Scenarios

Site-to-Site VPN between two ASAs

Two offices connected via Internet. ASA1 (10.1.1.0/24) and ASA2 (192.168.2.0/24) need encrypted communication.

Topology

ASA1 (Outside: 203.0.113.1) --- Internet --- ASA2 (Outside: 198.51.100.1)

Steps

  1. Create an ACL on ASA1 that matches traffic from 10.1.1.0/24 to 192.168.2.0/24.
  2. Create the crypto map entry and associate the ACL.
  3. Apply the crypto map to the outside interface.

Configuration

! On ASA1
access-list S2S-ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map CMAP 10 match address S2S-ACL
crypto map CMAP 10 set peer 198.51.100.1
crypto map CMAP 10 set transform-set TSET
crypto map CMAP interface outside

Verify: Use 'show crypto map' to verify the ACL is attached. Use 'show crypto ipsec sa' to see active SAs.

Watch out: The ACL on ASA2 must be the mirror: permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0. Otherwise, IKE will fail.
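Checking the mirror by eye is error-prone once an ACL has more than one line. The following Python script is an added example, not code from the original page or from Cisco; it reads the ACL bound to a given crypto map entry on each peer and reports lines whose swapped form is missing on the other side. It assumes ACL lines use the 'SRC MASK DST MASK' form shown in the scenario, and both configurations below are constructed for the example (ASA2 deliberately carries a mistyped subnet).

```python
"""Added example (not from the original page or from Cisco): verify that the
crypto ACL on each end of a site-to-site tunnel is the mirror image of the other."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def crypto_flows(config, map_name, seq):
    """Set of (src, dst) networks permitted by the ACL bound to crypto map entry map_name/seq.
    Raises if the entry has no 'match address'; returns an empty set if the ACL was never created."""
    acl_name, acls = None, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = CMAP_RE.match(line)
        if m and m.group(1) == map_name and int(m.group(2)) == seq:
            acl_name = m.group(3)
            continue
        m = ACL_RE.match(line)
        if m:
            src = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.IPv4Network(f"{m.group(4)}/{m.group(5)}")
            acls.setdefault(m.group(1), set()).add((str(src), str(dst)))
    if acl_name is None:
        raise ValueError(f"crypto map {map_name} {seq} has no match address")
    return acls.get(acl_name, set())


def mirror_mismatches(local_flows, remote_flows):
    """Swap src/dst of every local flow and diff against the remote side.
    Returns (missing_on_remote, unexpected_on_remote) as sorted lists."""
    expected = {(dst, src) for src, dst in local_flows}
    return sorted(expected - remote_flows), sorted(remote_flows - expected)


def is_mirrored(local_config, remote_config, map_name="CMAP", seq=10):
    missing, unexpected = mirror_mismatches(crypto_flows(local_config, map_name, seq),
                                            crypto_flows(remote_config, map_name, seq))
    return not missing and not unexpected


# Constructed peer configurations (second ASA1 subnet is mistyped on ASA2).
ASA1_CONFIG = """
access-list S2S-ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list S2S-ACL extended permit ip 10.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map CMAP 10 match address S2S-ACL
crypto map CMAP 10 set peer 198.51.100.1
crypto map CMAP interface outside
"""

ASA2_CONFIG = """
access-list S2S-ACL extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list S2S-ACL extended permit ip 192.168.2.0 255.255.255.0 10.1.3.0 255.255.255.0
crypto map CMAP 10 match address S2S-ACL
crypto map CMAP 10 set peer 203.0.113.1
crypto map CMAP interface outside
"""

if __name__ == "__main__":
    missing, unexpected = mirror_mismatches(crypto_flows(ASA1_CONFIG, "CMAP", 10),
                                            crypto_flows(ASA2_CONFIG, "CMAP", 10))
    for flow in missing:
        print("ASA2 lacks the mirror of ASA1 flow:", flow)
    for flow in unexpected:
        print("ASA2 permits a flow ASA1 does not mirror:", flow)
```

The check reports both directions on purpose: an entry present on one peer only means that flows in one direction will try to bring up the tunnel while the other side has no matching proxy identity.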

Remote Access VPN with split tunneling

Remote clients need access to internal network 172.16.0.0/16 but not to other networks.

Topology

Client --- Internet --- ASA (Outside: 203.0.113.1, Inside: 10.0.0.0/8)

Steps

  1. Create an ACL that permits traffic from any to 172.16.0.0/16.
  2. Create a dynamic crypto map for remote access.
  3. Apply the crypto map to the outside interface.

Configuration

! On ASA
access-list RA-ACL extended permit ip any 172.16.0.0 255.255.0.0
crypto dynamic-map DYNMAP 10 match address RA-ACL
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface outside

Verify: Check 'show crypto map' to see the dynamic map. Use 'show vpn-sessiondb' to see active sessions.

Watch out: Dynamic crypto maps do not require a peer; they are used for remote access where the client IP is unknown.

Troubleshooting with This Command

When troubleshooting VPN connectivity, the 'crypto map match address' command is often the first place to check. If traffic is not being encrypted, verify that the ACL in the crypto map matches the traffic you expect. Use 'show crypto map' to see which ACL is attached. Then use 'show access-list <acl-name>' to see the ACL entries and hit counts. If hit counts are zero, the traffic is not matching. Also ensure the crypto map is applied to the correct interface with 'show running-config crypto map'.

On the ASA, you can use 'packet-tracer' to simulate traffic and see if it matches the crypto map. For example: 'packet-tracer input inside tcp 10.1.1.1 1234 192.168.2.1 80' will show whether the packet is encrypted or not. If the packet is dropped or sent in the clear, check the ACL.

Also verify that the crypto map sequence numbers are in the correct order; the ASA uses the first match. If you have multiple crypto map entries, ensure the more specific ACLs have lower sequence numbers.

Common issues: the ACL is too broad or too narrow, the ACL is missing, or the crypto map is not applied to the interface. Also, for site-to-site VPNs, ensure the peer's ACL is the mirror. On the ASA, you can also check 'show crypto isakmp sa' and 'show crypto ipsec sa' to see if SAs are established. If SAs are not established, the ACL match might be failing before IKE negotiation.
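The "Understanding the Output" section and the troubleshooting steps above both come down to reading 'show crypto map' for the same few signs: an entry with no peer, an ACL without a usable permit line, and a map that is not applied to an interface. The following Python parser is an added example, not code from the original page or from Cisco. The first entry in its sample is a copy of the output format shown earlier on this page; the second entry is constructed to show what an incomplete configuration looks like, and the exact wording of the problem strings is my own.

```python
"""Added example (not from the original page): parse 'show crypto map' text and
list the problems the page says to look for."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r'^Crypto Map "(\S+)" (\d+) (\S+)')


@dataclass
class CryptoMapEntry:
    map_name: str
    seq: int
    mode: str                                  # e.g. ipsec-isakmp
    peer: Optional[str] = None
    acl_name: Optional[str] = None
    acl_lines: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)


def parse_show_crypto_map(text):
    """Split the output into one CryptoMapEntry per 'Crypto Map "NAME" SEQ ...' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = CryptoMapEntry(m.group(1), int(m.group(2)), m.group(3))
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Peer = "):
            cur.peer = line.split("=", 1)[1].strip()
        elif line.startswith("Extended IP access list "):
            cur.acl_name = line.split()[-1]
        elif line.startswith("access-list "):
            cur.acl_lines.append(line)
        elif line.startswith("Interfaces using crypto map "):
            names = line.split(":", 1)[1]
            cur.interfaces = [n.strip() for n in names.split(",") if n.strip()]
    return entries


def health_problems(entries):
    """Apply the checks from the page: peer present, ACL attached with a permit, map applied."""
    problems = []
    for e in entries:
        tag = f"{e.map_name} {e.seq}"
        if e.peer is None:
            problems.append(f"{tag}: no peer shown")
        if e.acl_name is None:
            problems.append(f"{tag}: no match address ACL")
        elif not any(" permit " in l for l in e.acl_lines):
            problems.append(f"{tag}: ACL {e.acl_name} has no permit entries")
        if not e.interfaces:
            problems.append(f"{tag}: crypto map {e.map_name} not applied to an interface")
    return problems


# First entry copies the format shown on this page; the second is constructed
# to show an entry with no peer, an empty ACL and no interface binding.
SAMPLE_OUTPUT = """\
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 203.0.113.1
    Extended IP access list S2S-ACL
        access-list S2S-ACL permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    Current peer: 203.0.113.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET1,}
    Interfaces using crypto map CMAP: Outside

Crypto Map "DMZMAP" 10 ipsec-isakmp
    Extended IP access list DMZ-ACL
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET1,}
"""

if __name__ == "__main__":
    for problem in health_problems(parse_show_crypto_map(SAMPLE_OUTPUT)):
        print(problem)
```

Feeding the script the captured output of 'show crypto map' from a real unit gives a quick list of entries that cannot work yet; the ACL hit-count and packet-tracer steps described above then tell you whether an entry that passes these checks actually sees the traffic.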

CCNA Exam Tips

  1. Remember that the ACL in a crypto map must be mirrored on the peer (inverse) for site-to-site VPNs.
  2. The sequence number determines the order of evaluation; lower numbers are processed first.
  3. In the exam, you may need to identify why traffic is not encrypted: check if the ACL matches the traffic and if the crypto map is applied to the correct interface.

Common Mistakes

Using a named ACL without creating it first, causing the crypto map to be incomplete.

Forgetting to apply the crypto map to an interface with 'crypto map map-name interface if-name'.

Mismatched ACLs between peers (e.g., source/destination reversed) causing IKE to fail.

Platform Notes

On Cisco ASA, the 'crypto map match address' command behaves similarly to Cisco IOS routers, but there are key differences. On ASA, the crypto map must be explicitly applied to an interface using 'crypto map map-name interface if-name'. On IOS, the crypto map is applied to the interface with 'crypto map map-name'.

Also, ASA supports both static and dynamic crypto maps. Dynamic crypto maps are used for remote access VPNs and do not require a peer address. On IOS, dynamic crypto maps are also supported but configuration differs slightly. ASA uses the 'crypto dynamic-map' command.

In terms of ACLs, ASA supports both standard and extended ACLs, but extended is typical. On IOS, the ACL in a crypto map can also be named or numbered.

ASA version differences: In ASA 8.4 and later, the ACL syntax changed to support object groups and network objects, but the 'match address' command still accepts traditional ACL names. For example, you can use 'access-list S2S-ACL extended permit ip object-group LOCAL object-group REMOTE'. This is more scalable.

Also, on ASA, the 'crypto map' command can be used with 'ipsec-isakmp' or 'ipsec-manual' modes; the 'match address' is only used with ipsec-isakmp. For manual IPsec, you specify the SA parameters directly. Finally, on ASA, you can have multiple crypto maps on the same interface, but they must have different names. The sequence numbers are per crypto map name.
