match address [acl]

Associates an IP access list with a crypto map entry to define which traffic should be encrypted and sent over the VPN tunnel.

Syntax (Crypto Map Config mode)
match address [acl]

When to Use This Command

  • Encrypt traffic from the 10.1.1.0/24 subnet to the 192.168.1.0/24 subnet over a site-to-site VPN.
  • Selectively encrypt only specific traffic types (e.g., HTTP, HTTPS) while allowing other traffic to pass in plaintext.
  • Define multiple crypto map entries with different access lists to support multiple VPN peers or different encryption policies.
  • Update an existing crypto map to change the traffic selection criteria without affecting other VPN parameters.

Command Examples

Basic ACL assignment to a crypto map

crypto map CMAP 10 ipsec-isakmp
 match address VPN-ACL
 set peer 192.168.2.1
 set transform-set TSET

The 'match address VPN-ACL' command ties the access list named VPN-ACL to crypto map entry 10. Only traffic matching VPN-ACL will be encrypted and sent to peer 192.168.2.1 using transform set TSET.

Using a numbered ACL in crypto map

crypto map MYMAP 20 ipsec-isakmp
 match address 101
 set peer 10.0.0.2
 set transform-set AES256-SHA

Here, extended access list 101 is referenced by number. With this configuration, traffic matching ACL 101 will be encrypted and sent to peer 10.0.0.2 using the AES256-SHA transform set.

Understanding the Output

When you issue 'show crypto map', the output displays each crypto map entry with its associated match address. The 'match address' line shows the ACL name or number. If the ACL is misconfigured or missing, the crypto map will not encrypt any traffic. A correctly configured entry will show the ACL name, and the crypto map will be active. Look for 'ipsec-isakmp' to confirm the entry is an IPsec entry whose keys are negotiated by IKE (ISAKMP). If the ACL is empty or permits all traffic, unintended traffic may be encrypted or bypass the tunnel.

CCNA Exam Tips

1. Remember that the ACL must be an extended access list; standard ACLs are not supported for crypto maps.

2. The ACL is used to identify interesting traffic that triggers IKE phase 2 and is encrypted; traffic not matching the ACL is sent in clear text.

3. On the CCNA exam, you may be asked to configure a crypto map and apply the correct ACL; ensure the ACL permits only the desired traffic and denies all else.

4. Be aware that the same ACL can be used in multiple crypto map entries, but each entry must have a unique sequence number.

Common Mistakes

Using a standard ACL instead of an extended ACL, which will cause the crypto map to fail to match traffic.

Forgetting to include a deny statement at the end of the ACL, causing unintended traffic to be encrypted.

Applying the crypto map to the wrong interface or not applying it at all, resulting in no encryption.
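As an added example (not from the original page), a small Python checker that runs these checks over a running-config excerpt: every crypto map entry must reference an ACL that exists and is extended, the ACL must not permit all traffic, and the map must be applied to an interface. The config text, ACL names, peers and interface name are constructed sample data.

```python
import re

SAMPLE_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 5 permit 10.1.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address VPN-ACL
crypto map CMAP 20 ipsec-isakmp
 match address 101
crypto map MYMAP 10 ipsec-isakmp
 match address 5
interface GigabitEthernet0/0
 crypto map CMAP
"""  # constructed running-config excerpt, not taken from a real device

def parse_config(config):  # one pass: ACLs, crypto map entries, maps applied to interfaces
    acls, entries, applied, ctx = {}, [], set(), None
    for line in config.splitlines():
        ctx = ctx if line.startswith(" ") else None  # a top-level command ends the current block
        if m := re.match(r"ip access-list (standard|extended) (\S+)", line):
            ctx = acls[m[2]] = {"kind": m[1], "aces": []}
        elif m := re.match(r"access-list (\d+) (.*)", line):  # numbered ACL, one ACE per line
            kind = "extended" if 100 <= int(m[1]) <= 199 or 2000 <= int(m[1]) <= 2699 else "standard"
            acls.setdefault(m[1], {"kind": kind, "aces": []})["aces"].append(m[2])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entries.append(ctx := {"map": m[1], "seq": int(m[2]), "acl": None})
        elif m := re.match(r" crypto map (\S+)$", line):  # applied under an interface
            applied.add(m[1])
        elif (m := re.match(r" match address (\S+)", line)) and ctx and "map" in ctx:
            ctx["acl"] = m[1]
        elif line.startswith(" ") and ctx and "aces" in ctx:
            ctx["aces"].append(line.strip())  # ACE inside a named ACL
    return acls, entries, applied

def lint_crypto_maps(config):  # one finding per mistake the text warns about
    acls, entries, applied = parse_config(config)
    findings = []
    for e in entries:
        tag, acl = f"{e['map']} {e['seq']}", acls.get(e["acl"])
        if acl is None:
            findings.append(f"{tag}: ACL {e['acl']} is missing, entry selects no traffic")
        elif acl["kind"] != "extended":
            findings.append(f"{tag}: ACL {e['acl']} is standard, crypto ACLs must be extended")
        elif any(a.startswith("permit ip any any") for a in acl["aces"]):
            findings.append(f"{tag}: ACL {e['acl']} permits all traffic")
        if e["map"] not in applied:
            findings.append(f"{tag}: crypto map {e['map']} is not applied to any interface")
    return findings
```

Running `lint_crypto_maps(SAMPLE_CONFIG)` reports nothing for CMAP 10 (named extended ACL, map applied), flags the permit-all ACL on CMAP 20, and flags both the standard ACL and the unapplied map on MYMAP 10.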
