Specifications
23-14
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 23 Configuring IPSec and ISAKMP
 Configuring IPSec
• Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the peer. (Negotiation is done only for ipsec-isakmp crypto map entries.) For the peer’s request to be accepted during negotiation, the peer should specify a data flow that is “permitted” by a crypto access list associated with an ipsec-isakmp crypto map command entry.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you must create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries which specify different IPSec policies.
Using the permit keyword causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry. Using the deny keyword prevents traffic from being protected by crypto IPSec in the context of that particular crypto map entry. (In other words, it does not allow the policy as specified in this crypto map entry to apply to this traffic.) If all the crypto map entries for that interface deny this traffic, it is not protected by crypto IPSec.
A crypto access list you define applies to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. You should use different access lists in different entries of the same crypto map set. However, the security appliance evaluates both inbound and outbound traffic against the same “outbound” IPSec access list.
Therefore, the access list criteria apply in the forward direction to traffic exiting your security appliance, and the reverse direction to traffic entering your security appliance. In Figure 23-1, IPSec protection applies to traffic between Host 10.0.0.1 and Host 10.2.2.2 as the data exits the outside interface on security appliance A toward Host 10.2.2.2. For traffic from Host 10.0.0.1 to Host 10.2.2.2, the security appliance evaluates A as follows:
source = host 10.0.0.1
dest = host 10.2.2.2
For traffic from Host 10.2.2.2 to Host 10.0.0.1, that same access list entry on security appliance A is evaluated as follows:
source = host 10.2.2.2
dest = host 10.0.0.1
Figure 23-1 How Crypto Access Lists Apply to IPSec
[Figure: Host 10.0.0.1 sits behind Security Appliance Firewall A and Host 10.2.2.2 behind Security Appliance Firewall B; the two appliances are IPSec peers whose "outside" interfaces face each other across the Internet.]
IPSec Access List at Firewall A "outside" interface:
access-list 101 permit ip host 10.0.0.1 host 10.2.2.2
IPSec Access List at Firewall B "outside" interface:
access-list 111 permit ip host 10.2.2.2 host 10.0.0.1
Traffic exchanged between hosts 10.0.0.1 and 10.2.2.2 is protected between Security Appliance Firewall A "outside" and Security Appliance Firewall B "outside".