Command Reference Guide

SROS Command Line Interface Reference Guide Ethernet Interface Configuration Command Set

Functional Notes

When configuring a system to use both the stateful inspection firewall and IKE negotiation for VPN, keep

the following notes in mind.

When defining the policy-class and associated access-control lists (ACLs) that describe the behavior of the

firewall, do not forget to include the traffic coming into the system over a VPN tunnel terminated by the

system. The firewall should be set up with respect to the un-encrypted traffic that is destined to be sent or

received over the VPN tunnel. The following diagram represents typical Secure Router OS data-flow logic.

As shown in the diagram above, data coming into the product is first processed by the static filter

associated with the interface on which the data is received. This access-group is a true static filter and is

available for use regardless of whether the firewall is enabled or disabled. Next (if the data is encrypted) it

is sent to the IPSec engine for decryption. The decrypted data is then processed by the stateful inspection

firewall. Therefore, given a terminating VPN tunnel, only un-encrypted data is processed by the firewall.

The ACLs for a crypto map on an interface work in reverse logic to the ACLs for a policy-class on an

interface. When specifying the ACLs for a crypto map, the source information is the private local-side,

un-encrypted source of the data. The destination information will be the far-end, un-encrypted destination

of the data. However, ACLs for a policy-class work in reverse. The source information for the ACL in a

policy-class is the far-end. The destination information is the local-side.

Interfaces (Ethernet, Frame Relay, PPP, local)

Static Filter

(in)

Static Filter

(out)

IPSec

Decrypt/Discard

IPSec

Encrypt

NAT/ACP/

Firewall

Router