rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1
Mirror image ACLs
To make sure that SAs can be set up and that the traffic protected by IPsec is processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created on the local peer. As shown in Figure 56, the ACL rules on Router B are mirror images of the rules on Router A. This makes sure that SAs can be created successfully for the traffic between Host A and Host C and for the traffic between Network 1 and Network 2.
Figure 56 Mirror image ACLs
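As an added example (not part of the configuration guide), the following Python script parses rules written in the ACL syntax shown above and checks whether the Router B rule is the mirror image of the Router A rule; it also implements the weaker range-coverage check that applies when the rules are not exact mirrors. The rule strings, function names and the contiguous-wildcard assumption are constructed for this example.

```python
# Added example (not from the configuration guide): parse Comware-style ACL
# rules and check whether a remote peer's rule is the mirror image of the
# local rule, or at least covers its range. Sample rules are constructed.
import ipaddress
import re

# Constructed samples reproducing the ACL 3001 rules of Router A and Router B.
ROUTER_A_RULE = "rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255"
ROUTER_B_RULE = "rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255"

_RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+(\S+)"        # rule <id> <action> <protocol>
    r"(?:\s+source\s+(any|\S+\s+\S+))?"          # source any | addr wildcard
    r"(?:\s+destination\s+(any|\S+\s+\S+))?"     # destination any | addr wildcard
)

def to_network(spec):
    """'addr wildcard' (0 bits in the wildcard must match) -> IPv4Network."""
    if spec is None or spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = spec.split()
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:            # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    netmask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_rule(text):
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACL rule: {text!r}")
    action, proto, src, dst = m.groups()
    return {"action": action, "proto": proto,
            "src": to_network(src), "dst": to_network(dst)}

def is_mirror(local, remote):
    """Same action and protocol, with source and destination swapped."""
    return (local["action"], local["proto"], local["src"], local["dst"]) == \
           (remote["action"], remote["proto"], remote["dst"], remote["src"])

def is_covered(local, remote):
    """Weaker requirement: the mirrored remote range contains the local range."""
    return (local["action"] == remote["action"] and local["proto"] == remote["proto"]
            and local["src"].subnet_of(remote["dst"])
            and local["dst"].subnet_of(remote["src"]))

def check_peer_rules(local_text, remote_text):
    local, remote = parse_rule(local_text), parse_rule(remote_text)
    if is_mirror(local, remote):
        return "mirror"
    return "covered" if is_covered(local, remote) else "mismatch"
```

Running `check_peer_rules(ROUTER_A_RULE, ROUTER_B_RULE)` returns "mirror"; feeding it a remote rule with a narrower destination returns "mismatch", which is the case where the SA cannot be set up.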
If the ACL rules on the peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met:
• The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other peer. As shown in Figure 57, the range specified by the ACL rule configured on Router A is covered by its counterpart on Router B.