27-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 27 Configuring IPSec and ISAKMP
Configuring IPSec
Figure 27-2 Cascading ACLs in a Crypto Map Set
Security Appliance A evaluates a packet originating from Host A.3 until it matches a permit ACE and
attempts to assign the IPSec security associated with the crypto map. Whenever the packet matches a
deny ACE, the security appliance ignores the remaining ACEs in the crypto map and resumes evaluation
against the next crypto map, as determined by the sequence number assigned to it. So in the example, if
Security Appliance A receives a packet from Host A.3, it matches the packet to a deny ACE in the first
crypto map and resumes evaluation of the packet against the next crypto map. When it matches the
packet to the permit ACE in that crypto map, it applies the associated IPSec security (strong encryption
and frequent rekeying).
143513
Crypto Map 1
Deny
A.3 B
Deny
A.3 C
Permit
A B
Permit
A C
Apply IPSec assigned to Crypto Map 1
Crypto Map 2
Permit
A.3 B
Permit
A.3 C
Apply IPSec
assigned to
Crypto Map 2
Route as clear text
To Next Page
Loading...
