1-26
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring IPsec
To complete the security appliance configuration in the example network, we assign mirror crypto maps
to Security Appliances B and C. However, because security appliances ignore deny ACEs when
evaluating inbound, encrypted traffic, we can omit the mirror equivalents of the deny A.3 B
and deny A.3 C ACEs, and therefore omit the mirror equivalents of Crypto Map 2. So the configuration
of cascading ACLs in Security Appliances B and C is unnecessary.
Table 1-4 shows the ACLs assigned to the crypto maps configured for all three ASAs in Figure 1-1.
Figure 1-3 maps the conceptual addresses shown in Figure 1-1 to real IP addresses.
Figure 1-3 Effect of Permit and Deny ACEs on Traffic (Real Addresses)
Table 1-4 Example Permit and Deny Statements (Conceptual)
Security Appliance A Security Appliance B Security Appliance C
Crypto Map
Sequence
No. ACE Pattern
Crypto Map
Sequence
No. ACE Pattern
Crypto Map
Sequence
No. ACE Pattern
1 deny A.3 B 1 permit B A 1 permit C A
deny A.3 C
permit A B
permit A C permit B C permit C B
2 permit A.3 B
permit A.3 C
A.1
192.168.3.1
A.2
192.168.3.2
A.3
192.168.3.3
Human Resources
A
192.168.3.0/26
143514
B.1
192.168.12.1
B.2
192.168.12.2
B.2
192.168.12.3
B
192.168.12.0/29
C.1
192.168.201.1
C.2
192.168.201.2
C.3
192.168.201.3
C
192.168.201.0/27
Internet
To Next Page
Loading...
