27-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 27 Configuring IPSec and ISAKMP
Configuring IPSec
Figure 27-3 Effect of Permit and Deny ACEs on Traffic (Real Addresses)
The tables that follow combine the IP addresses shown in Figure 27-3 to the concepts shown in
Table 27-3. The real ACEs shown in these tables ensure that all IPSec packets under evaluation within
this network receive the proper IPSec settings.
You can apply the same reasoning shown in the example network to use cascading ACLs to assign
different security settings to different hosts or subnets protected by a Cisco security appliance.
A.1
192.168.3.1
A.2
192.168.3.2
A.3
192.168.3.3
Human Resources
A
192.168.3.0/26
143514
B.1
192.168.12.1
B.2
192.168.12.2
B.2
192.168.12.3
B
192.168.12.0/29
C.1
192.168.201.1
C.2
192.168.201.2
C.3
192.168.201.3
C
192.168.201.0/27
Internet
Table 27-4 Example Permit and Deny Statements for Security Appliance A
Security
Appliance
Crypto Map
Sequence
No. ACE Pattern Real ACEs
A 1 deny A.3 B deny 192.168.3.3 255.255.255.192 192.168.12.0 255.255.255.248
deny A.3 C deny 192.168.3.3 255.255.255.192 192.168.201.0 255.255.255.224
permit A B permit 192.168.3.0 255.255.255.192 192.168.12.0 255.255.255.248
permit A C permit 192.168.3.0 255.255.255.192 192.168.201.0 255.255.255.224
2 permit A.3 B permit 192.168.3.3 255.255.255.192 192.168.12.0 255.255.255.248
permit A.3 C permit 192.168.3.3 255.255.255.192 192.168.201.0 255.255.255.224
B None needed permit B A permit 192.168.12.0 255.255.255.248 192.168.3.0 255.255.255.192
permit B C permit 192.168.12.0 255.255.255.248 192.168.201.0 255.255.255.224
C None needed permit C A permit 192.168.201.0 255.255.255.224 192.168.3.0 255.255.255.192
permit C B permit 192.168.201.0 255.255.255.224 192.168.12.0 255.255.255.248
To Next Page
Loading...
