Motorola RFS7000 Series User Manual

Motorola RFS7000 Series
588 pages
10.1.5 match
Crypto Map Config Commands
Use this command to assign an IP access-list to a crypto map definition. The access-list designates the IP
packets to be encrypted by this crypto map.
A crypto map entry is a single policy that describes how certain traffic is to be secured. There are two types
of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index, which is used to sort the
ordered list.
When a non-secured packet arrives on an interface, the crypto map set associated with that interface is
processed in order. If a crypto map entry matches the non-secured traffic, the traffic is discarded.
When a packet is to be transmitted on an interface, the crypto map set associated with that interface is
processed in order. The first crypto map entry that matches the packet will be used to secure the packet. If a
suitable SA exists, that is used for transmission. Otherwise, IKE is used to establish an SA with the peer. If no
SA exists, and the crypto map entry is “respond only”, the packet is discarded.
When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not exist, or if
the packet fails any of the security checks (bad authentication, traffic does not match SA selectors, etc.), it is
discarded. If all checks pass, the packet is forwarded normally.
Syntax
match <list name>
Parameters
list name    Enter the name of the access list or ACL ID you wish to assign to this crypto map.
Usage Guidelines
Crypto map entries do not directly contain the selectors used to determine which data to secure. Instead, the
crypto map entry refers to an access control list. An access control list (ACL) is assigned to the crypto map using
the match address command. If no ACL is configured for a crypto map, then the entry is incomplete and will
have no effect on the system.
The entries of the ACL used in a crypto map should be created with respect to traffic sent by the OS product.
The source information must be the local OS product and the destination must be the peer.
Only extended access-lists can be used in crypto maps.
Example
The following example shows setting up an ACL (called TestList) and then assigning the new list to a crypto
map (called TestMap):
RFS7000(config)#ip access-list extended TestList
Configuring New Extended ACL "TestList"
(config-ext-nacl)#exit
RFS7000(config)#crypto map TestMap 220 isakmp dynamic
RFS7000(config-crypto-map)#
RFS7000(config-crypto-map)#match address TestList
RFS7000(config-crypto-map)#
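One way to check a saved configuration against the usage guidelines above, as an added example that is not part of the manual: the script flags crypto map entries that have no ACL assigned, or whose match address names an ACL that is undefined or not extended. The sample configuration is constructed; its layout, the map and ACL names other than TestList and TestMap, and the "ip access-list standard" line are assumptions.

```python
import re

# Constructed sample config, not from a real device. Assumed: one command per
# line, sub-mode lines indented, and "ip access-list standard" as an ACL type.
SAMPLE_CONFIG = """\
ip access-list extended TestList
ip access-list standard MgmtList
crypto map TestMap 220 isakmp dynamic
 match address TestList
crypto map BranchMap 10 isakmp dynamic
crypto map GuestMap 20 isakmp dynamic
 match address MgmtList
crypto map LabMap 30 isakmp dynamic
 match address LabMap
"""

ACL_RE = re.compile(r"^ip access-list (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+)\b")
MATCH_RE = re.compile(r"^match address (\S+)$")

def audit_crypto_maps(config_text):
    """Return {(map_name, index): finding} for every crypto map entry."""
    acls, entries, current = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(2)] = m.group(1)   # ACL name -> ACL type
            current = None
        elif m := MAP_RE.match(line):
            current = (m.group(1), int(m.group(2)))
            entries.setdefault(current, None)  # no ACL assigned yet
        elif (m := MATCH_RE.match(line)) and current is not None:
            entries[current] = m.group(1)
        elif line and not raw.startswith(" "):
            current = None                  # other top-level command
    findings = {}
    for key, acl in entries.items():
        if acl is None:
            findings[key] = "incomplete: no ACL assigned, entry has no effect"
        elif acl not in acls:
            findings[key] = f"ACL {acl!r} is not defined"
        elif acls[acl] != "extended":
            findings[key] = f"ACL {acl!r} is {acls[acl]}, not extended"
        else:
            findings[key] = "ok"
    return findings

for (name, index), finding in audit_crypto_maps(SAMPLE_CONFIG).items():
    print(f"crypto map {name} {index}: {finding}")
```

An entry reported as incomplete deserves attention because, per the guidelines above, it has no effect on the system, so traffic the operator expected to be secured is not selected by it.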

Motorola RFS7000 Series Specifications

General
Brand: Motorola
Model: RFS7000 Series
Category: Switch
Language: English
