1-25
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring IPsec
Figure 1-2 Cascading ACLs in a Crypto Map Set
Security Appliance A evaluates a packet originating from Host A.3 until it matches a permit ACE and
attempts to assign the IPsec security associated with the crypto map. Whenever the packet matches a
deny ACE, the ASA ignores the remaining ACEs in the crypto map and resumes evaluation against the
next crypto map, as determined by the sequence number assigned to it. So in the example, if Security
Appliance A receives a packet from Host A.3, it matches the packet to a deny ACE in the first crypto
map and resumes evaluation of the packet against the next crypto map. When it matches the packet to
the permit ACE in that crypto map, it applies the associated IPsec security (strong encryption and
frequent rekeying).
143513
Crypto Map 1
Deny
A.3 B
Deny
A.3 C
Permit
A B
Permit
A C
Apply IPSec assigned to Crypto Map 1
Crypto Map 2
Permit
A.3 B
Permit
A.3 C
Apply IPSec
assigned to
Crypto Map 2
Route as clear text
To Next Page
Loading...
