Specifications
23-13
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 23 Configuring IPSec and ISAKMP
 Configuring IPSec
Create multiple crypto map entries for a given security appliance interface if any of the following conditions exist:
• If different data flows are to be handled by separate peers.
• If you want to apply different IPSec security to different types of traffic (to the same or separate peers); for example, if you want traffic between one set of subnets to be authenticated, and traffic between another set of subnets to be both authenticated and encrypted. In this case, the different types of traffic should have been defined in two separate access lists, and you create a separate crypto map entry for each crypto access list.
Applying Crypto Maps to Interfaces
You must apply a crypto map set to each interface through which IPSec traffic flows. The security 
appliance supports IPSec on all interfaces. Applying the crypto map set to an interface instructs the 
security appliance to evaluate all the traffic against the crypto map set and to use the specified policy 
during connection or SA negotiation.
Binding a crypto map to an interface also initializes run-time data structures, such as the security 
association database and the security policy database. If the crypto map is modified in any way, 
reapplying the crypto map to the interface resynchronizes the various run-time data structures with the 
crypto map configuration. In addition, any existing connections are torn down and reestablished after the 
new crypto map is triggered.
Using Interface Access Lists
By default, the security appliance lets IPSec packets bypass interface ACLs. If you want to apply 
interface access lists to IPSec traffic, use the no form of the sysopt connection permit-ipsec command.
The crypto map access list bound to the outgoing interface either permits or denies IPSec packets 
through the VPN tunnel. IPSec authenticates and deciphers packets that arrive from an IPSec tunnel, and 
subjects them to the crypto ACL match of the tunnel.
Permit and deny have different meanings depending on the type of ACL. When used in an outbound 
crypto ACL, permit means “apply IPSec” and deny means “don't apply IPSec.” In an inbound crypto 
ACL, permit and deny statements ensure that traffic received through the tunnel matches the correct 
permit rule. 
Access lists define which IP traffic to protect. For example, you can create access lists to protect all IP 
traffic between Subnet A and Subnet Y or between Host A and Host B. (These access lists are similar to 
access lists used with the access-group command. With the access-group command, the access list 
determines which traffic to forward or block at an interface.)
The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific 
access list that defines whether IPSec processing applies to the traffic matching a permit in the access 
list.
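The following configuration is an added example, not taken from the Cisco guide, that puts the preceding points together on one security appliance: two crypto ACLs selecting two kinds of traffic, two crypto map entries in one map set (one integrity-only, one integrity plus encryption, each to its own peer), the map set applied to the interface, and the interface ACL enforced on decrypted traffic by disabling sysopt connection permit-ipsec. All names, subnets, peer addresses and the interface name "outside" are assumed placeholders; the pre-shared keys are placeholders to be replaced.

```cisco
! Added example (not from the Cisco guide). Assumed placeholders:
! 10.10.0.0/24 and 10.20.0.0/24 are local subnets, 192.168.10.0/24 and
! 192.168.20.0/24 are the remote subnets, 203.0.113.10 and 203.0.113.20 are
! the remote peers, and "outside" is the interface the tunnels terminate on.

! --- Crypto ACLs, one per traffic type. In an outbound crypto ACL,
! "permit" means "apply IPSec" and "deny" means "do not apply IPSec".
access-list AUTH_ONLY_TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list AUTH_ENCRYPT_TRAFFIC extended permit ip 10.20.0.0 255.255.255.0 192.168.20.0 255.255.255.0

! --- Transform sets: authentication only, and authentication plus encryption.
crypto ipsec transform-set TS_AUTH_ONLY esp-null esp-sha-hmac
crypto ipsec transform-set TS_AUTH_ENC esp-aes-256 esp-sha-hmac

! --- ISAKMP (IKEv1) policy and enabling ISAKMP on the interface.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside

! --- One LAN-to-LAN tunnel group per peer; keys are placeholders.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_PEER1_KEY
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key REPLACE_WITH_PEER2_KEY

! --- One crypto map set (VPNMAP) with two entries. Each entry ties one crypto
! ACL to one peer and one transform set; entries are evaluated in sequence
! number order, lowest first.
crypto map VPNMAP 10 match address AUTH_ONLY_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 10 set transform-set TS_AUTH_ONLY
crypto map VPNMAP 20 match address AUTH_ENCRYPT_TRAFFIC
crypto map VPNMAP 20 set peer 203.0.113.20
crypto map VPNMAP 20 set transform-set TS_AUTH_ENC

! --- Bind the map set to the interface the IPSec traffic flows through.
! Re-entering this command after editing the map resynchronizes the SA and
! security policy databases (existing tunnels are torn down and rebuilt).
crypto map VPNMAP interface outside

! --- Make decrypted IPSec traffic subject to the interface ACL, then permit
! exactly the decrypted flows that the tunnels are expected to carry.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.20.0 255.255.255.0 10.20.0.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```

Two points worth checking after applying such a configuration: the two crypto ACLs must not overlap, otherwise the lower-numbered entry captures both flows and the second peer never negotiates; and once sysopt connection permit-ipsec is disabled, any decrypted flow that the OUTSIDE_IN access list does not explicitly permit is dropped after decryption, so the interface ACL must be extended whenever a new crypto ACL is added. show crypto map and show crypto ipsec sa confirm which entry each protected flow matched and whether SAs were established.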
Access lists associated with IPSec crypto map entries have four primary functions: 
• Select outbound traffic to be protected by IPSec (permit = protect).
• Trigger an ISAKMP negotiation for data travelling without an established SA. 
• Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.