
64-28

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

Figure 64-4 How Crypto Access Lists Apply to IPsec

Security Appliance A evaluates traffic from Host 10.0.0.1 to Host 10.2.2.2, as follows:

    source = host 10.0.0.1
    dest = host 10.2.2.2

Security Appliance A also evaluates traffic from Host 10.2.2.2 to Host 10.0.0.1, as follows:

    source = host 10.2.2.2
    dest = host 10.0.0.1

The first permit statement that matches the packet under evaluation determines the scope of the IPsec SA.

Note

If you delete the only element in an access list, the ASA also removes the associated crypto map.

If you modify an access list currently referenced by one or more crypto maps, use the crypto map interface
command to reinitialize the run-time SA database. See the crypto map command for more information.

For every crypto access list that you specify for a static crypto map at the local peer, we recommend that
you define a “mirror image” crypto access list at the remote peer. The crypto maps should also support
common transforms and refer to the other system as a peer. This ensures correct processing of IPsec by
both peers.

Note

Every static crypto map must define an access list and an IPsec peer. If either is missing, the crypto map
is incomplete and the ASA drops any traffic that it has not already matched to an earlier, complete crypto
map. Use the show conf command to ensure that every crypto map is complete. To fix an incomplete
crypto map, remove the crypto map, add the missing entries, and reapply it.

We discourage the use of the any keyword to specify source or destination addresses in crypto access
lists because it causes problems. We strongly discourage the permit any any command statement
because it does the following:

Protects all outbound traffic, including all protected traffic sent to the peer specified in the
corresponding crypto map.

[Figure 64-4, IPsec peers: Host 10.0.0.1 sits behind Security Appliance Firewall A and Host 10.2.2.2 sits behind Security Appliance Firewall B; the two "outside" interfaces face each other across the Internet.]

IPSec Access List at Firewall A "outside" interface:
access-list 101 permit ip host 10.0.0.1 host 10.2.2.2

IPSec Access List at Firewall B "outside" interface:
access-list 111 permit ip host 10.2.2.2 host 10.0.0.1

Traffic exchanged between hosts 10.0.0.1 and 10.2.2.2 is protected between Security Appliance Firewall A "outside" and Security Appliance Firewall B "outside".
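The three rules stated on this page (the first matching permit determines the SA scope, each static-map access list should have a mirror image on the remote peer, and any should not appear in a crypto access list) can be checked offline against the two access lists in Figure 64-4. The following Python is an added modelling aid, not Cisco code and not a description of ASA behaviour beyond what the text states: the names parse_ace, first_match, sa_scope, missing_mirrors and uses_any are chosen here, the "bad" and network-wide access lists are constructed for the demonstration, and only the address forms host A.B.C.D, A.B.C.D M.M.M.M (network plus subnet mask) and any are parsed.

```python
"""Added example: model crypto access-list evaluation for two IPsec peers.

Checks the rules from this section of the guide against the Figure 64-4
access lists. Modelling aid only; not ASA code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry parsed from an 'access-list' line."""
    acl: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", ... (compared, not interpreted)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs take a subnet mask here, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    return Ace(name, action, proto, src, dst)


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First ACE matching the flow in the direction the ACL is written, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.matches(s, d):
            return ace
    return None


def sa_scope(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Src/dst networks of the first matching permit: the scope of the SA that
    would be built. A first-matching deny or no match means this ACL does not
    protect the flow."""
    ace = first_match(acl, src_ip, dst_ip)
    if ace is None or ace.action != "permit":
        return None
    return (str(ace.src), str(ace.dst))


def missing_mirrors(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local permit ACEs with no exact mirror image (src/dst swapped, same
    protocol) among the remote peer's permit ACEs."""
    remote_permits = {(a.proto, a.src, a.dst) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.proto, a.dst, a.src) not in remote_permits]


def uses_any(acl: List[Ace]) -> List[Ace]:
    """Permit ACEs with 'any' as source or destination, which the guide discourages."""
    return [a for a in acl if a.action == "permit" and ANY in (a.src, a.dst)]


# Access lists exactly as shown in Figure 64-4.
FIREWALL_A_ACL = [parse_ace("access-list 101 permit ip host 10.0.0.1 host 10.2.2.2")]
FIREWALL_B_ACL = [parse_ace("access-list 111 permit ip host 10.2.2.2 host 10.0.0.1")]

# Constructed variants (not from the guide) that exercise the checks.
FIREWALL_B_BAD_ACL = [parse_ace("access-list 111 permit ip any any")]   # the discouraged statement
FIREWALL_A_NET_ACL = [  # a network-wide permit listed ahead of the host entry
    parse_ace("access-list 101 extended permit ip 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0"),
    parse_ace("access-list 101 extended permit ip host 10.0.0.1 host 10.2.2.2"),
]

if __name__ == "__main__":
    print("SA scope A->B:", sa_scope(FIREWALL_A_ACL, "10.0.0.1", "10.2.2.2"))
    print("SA scope with network ACE first:", sa_scope(FIREWALL_A_NET_ACL, "10.0.0.1", "10.2.2.2"))
    print("Unmirrored on A vs B:", missing_mirrors(FIREWALL_A_ACL, FIREWALL_B_ACL))
    print("Unmirrored on A vs bad B:", [a.acl for a in missing_mirrors(FIREWALL_A_ACL, FIREWALL_B_BAD_ACL)])
    print("'any' entries on bad B:", len(uses_any(FIREWALL_B_BAD_ACL)))
```

The mirror check is deliberately strict: a permit any any on Firewall B does cover the return flow, but it is not a mirror image of access-list 101, and the guide's warning above is exactly why such an entry should be flagged rather than accepted. The network-wide list shows what "the first permit statement that matches determines the scope of the IPsec SA" means in practice: with the /24 entry listed first, the SA identity for host 10.0.0.1 becomes 10.0.0.0/24 to 10.2.2.0/24 rather than the host pair.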
