Cisco ASA 5505 User Manual

Page 1376

Advertising
background image

64-24

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

Figure 64-2

Cascading ACLs in a Crypto Map Set

Security Appliance A evaluates a packet originating from Host A.3 until it matches a permit ACE and
attempts to assign the IPsec security associated with the crypto map. Whenever the packet matches a
deny ACE, the ASA ignores the remaining ACEs in the crypto map and resumes evaluation against the
next crypto map, as determined by the sequence number assigned to it. So in the example, if Security
Appliance A receives a packet from Host A.3, it matches the packet to a deny ACE in the first crypto
map and resumes evaluation of the packet against the next crypto map. When it matches the packet to
the permit ACE in that crypto map, it applies the associated IPsec security (strong encryption and
frequent rekeying).

143513

Crypto Map 1

Deny
A.3 B

Deny
A.3 C

Permit
A B

Permit
A C

Apply IPSec assigned to Crypto Map 1

Crypto Map 2

Permit
A.3 B

Permit
A.3 C

Apply IPSec

assigned to

Crypto Map 2

Route as clear text

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals