Cisco ASA 5505 User Manual

Page 1379

Advertising
background image

64-27

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

The crypto map access list bound to the outgoing interface either permits or denies IPsec packets through
the VPN tunnel. IPsec authenticates and deciphers packets that arrive from an IPsec tunnel, and subjects
them to evaluation against the ACL associated with the tunnel.

Access lists define which IP traffic to protect. For example, you can create access lists to protect all IP
traffic between two subnets or two hosts. (These access lists are similar to access lists used with the
access-group command. However, with the access-group command, the access list determines which
traffic to forward or block at an interface.)

Before the assignment to crypto maps, the access lists are not specific to IPsec. Each crypto map
references the access lists and determines the IPsec properties to apply to a packet if it matches a permit
in one of the access lists.

Access lists assigned to IPsec crypto maps have four primary functions:

Select outbound traffic to be protected by IPsec (permit = protect).

Trigger an ISAKMP negotiation for data travelling without an established SA.

Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.

Determine whether to accept requests for IPsec SAs when processing IKE negotiation from the peer.
(Negotiation applies only to ipsec-isakmp crypto map entries.) The peer must permit a data flow
associated with an ipsec-isakmp crypto map command entry to ensure acceptance during
negotiation.

Regardless of whether the traffic is inbound or outbound, the ASA evaluates traffic against the access
lists assigned to an interface. You assign IPsec to an interface as follows:

Step 1

Create the access lists to be used for IPsec.

Step 2

Map the lists to one or more crypto maps, using the same crypto map name.

Step 3

Map the IKEv1 transform sets or IKEv2 proposals to the crypto maps to apply IPsec to the data flows.

Step 4

Apply the crypto maps collectively as a crypto map set by assigning the crypto map name they share to
the interface.

In

Figure 64-4

, IPsec protection applies to traffic between Host 10.0.0.1 and Host 10.2.2.2 as the data

exits the outside interface on Security Appliance A toward Host 10.2.2.2.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals