Cisco ASA 5505 User Manual

Page 1374

Advertising
background image

64-22

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

ACEs containing deny statements filter out outbound traffic that does not require IPsec protection
(for example, routing protocol traffic). Therefore, insert initial deny statements to filter outbound traffic
that should not be evaluated against permit statements in a crypto access list.

For an inbound, encrypted packet, the security appliance uses the source address and ESP SPI to
determine the decryption parameters. After the security appliance decrypts the packet, it compares the
inner header of the decrypted packet to the permit ACEs in the ACL associated with the packet SA. If the
inner header fails to match the proxy, the security appliance drops the packet. It the inner header matches
the proxy, the security appliance routes the packet.

When comparing the inner header of an inbound packet that was not encrypted, the security appliance
ignores all deny rules because they would prevent the establishment of a Phase 2 SA.

Note

To route inbound, unencrypted traffic as clear text, insert deny ACEs before permit ACEs.

Figure 64-1

shows an example LAN-to-LAN network of ASAs.

Figure 64-1

Effect of Permit and Deny ACEs on Traffic (Conceptual Addresses)

The simple address notation shown in this figure and used in the following explanation is an abstraction.
An example with real IP addresses follows the explanation.

The objective in configuring Security Appliances A, B, and C in this example LAN-to-LAN network is
to permit tunneling of all traffic originating from one of the hosts shown in

Figure 64-1

and destined for

one of the other hosts. However, because traffic from Host A.3 contains sensitive data from the Human
Resources department, it requires strong encryption and more frequent rekeying than the other traffic.
So you will want to assign a special transform set for traffic from Host A.3.

To configure Security Appliance A for outbound traffic, you create two crypto maps, one for traffic from
Host A.3 and the other for traffic from the other hosts in Network A, as shown in the following example:

A.1

A.2

A.3

Human Resources

A

143514

B.1

B.2

B.3

B

C.1

C.2

C.3

C

Internet

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals