First of all, these should be two separate ACLs. A) is what you would reference in your crypto map. Anything conforming to that ACL is encrypted, so you would include all traffic that you would like to be encrypted on that ACL, i.e. all IP traffic from the source network to the destination network.
B) This you would actually apply to the physical public-facing interface, so that GRE traffic can be allowed through the interface. Instead of any any you could specify the tunnel source and destinations that you are using.

Michael Jia wrote:
>
> Hi,
>
> Does anyone have a good reference doc about GRE with IPsec?
>
> I am a little confused about 2 flavors of crypto ACL used:
> A) permit ip
> B) permit gre any any
>
> It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt.
>
> Is there a good ref about these setups?
>
> Thanks
> Michael
>
> Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71989&t=71959
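The two ACL forms in the question select different packets depending on whether they are evaluated before or after GRE encapsulation. The model below is an added example, not part of the thread or of any Cisco tooling; the addresses, the Ace/Packet classes and the classify helper are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

GRE = 47  # IANA protocol number for GRE
TCP = 6

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    inner: "Packet | None" = None  # payload when this is a GRE outer header

@dataclass(frozen=True)
class Ace:
    """One permit entry: protocol (None means 'ip', i.e. any) plus src/dst networks."""
    proto: "int | None"
    src: str
    dst: str

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))

def gre_encap(p, tunnel_src, tunnel_dst):
    """Wrap p in an outer IP header carrying GRE between the tunnel endpoints."""
    return Packet(tunnel_src, tunnel_dst, GRE, inner=p)

# Constructed addressing (private / documentation ranges), not from the thread.
LAN_A, LAN_B = "10.1.1.0/24", "10.2.2.0/24"
TUN_SRC, TUN_DST = "192.0.2.1", "198.51.100.1"

ACL_A = Ace(None, LAN_A, LAN_B)                          # permit ip <src net> <dst net>
ACL_B_ANY = Ace(GRE, "0.0.0.0/0", "0.0.0.0/0")           # permit gre any any
ACL_B_HOST = Ace(GRE, TUN_SRC + "/32", TUN_DST + "/32")  # endpoints instead of any any

def classify(p):
    """Return the names of the entries that match packet p."""
    acls = {"A": ACL_A, "B any": ACL_B_ANY, "B host": ACL_B_HOST}
    return [name for name, ace in acls.items() if ace.matches(p)]

inner = Packet("10.1.1.10", "10.2.2.20", TCP)  # LAN-to-LAN packet before the tunnel
outer = gre_encap(inner, TUN_SRC, TUN_DST)     # same packet after GRE encapsulation

if __name__ == "__main__":
    print("before GRE encapsulation:", classify(inner))
    print("after GRE encapsulation: ", classify(outer))
```

Entry A matches only the LAN-to-LAN packet before encapsulation, while both B forms match only the GRE-encapsulated packet; the host-specific B form additionally rejects GRE from any other endpoint pair.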