Cisco ASA 5505 Configuration Manual page 1290

Asa 5500 series

Configuring IPsec
Adding Crypto Maps
This pane shows the currently configured crypto maps, including the IPsec rules. Use it to add, edit,
delete, move up, move down, cut, copy, and paste an IPsec rule.
Fields
Note: You cannot edit, delete, or copy an implicit rule. The adaptive security appliance implicitly accepts the
traffic selection proposal from remote clients when configured with a dynamic tunnel policy. You can
override it by giving a specific traffic selection.
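
The Note above can be checked against a saved running configuration. The following is an added example, not taken from the Cisco manual: it flags dynamic crypto map entries that have no specific traffic selection and therefore fall back to the implicit rule. It assumes the CLI form `crypto dynamic-map <name> <seq> match address <acl>` as the counterpart of the ASDM traffic selection; the sample configuration and all names in it are constructed.

```python
import re

# Constructed sample of ASA running-config lines (not taken from the manual).
SAMPLE_CONFIG = """\
access-list VPN_CLIENTS extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.255.0
crypto dynamic-map DYN_A 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN_B 20 match address VPN_CLIENTS
crypto dynamic-map DYN_B 20 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN_C 30 match address MISSING_ACL
crypto map OUTSIDE_MAP 65000 ipsec-isakmp dynamic DYN_A
crypto map OUTSIDE_MAP 65001 ipsec-isakmp dynamic DYN_B
crypto map OUTSIDE_MAP interface outside
"""

DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
REF_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def audit_dynamic_maps(config: str) -> dict:
    """Classify each dynamic crypto map entry by how its traffic selection is set."""
    acls, entries, referenced = set(), {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := DYN_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, None)
            if sel := re.match(r"match address (\S+)", m.group(3)):
                entries[key] = sel.group(1)
        elif m := REF_RE.match(line):
            referenced.add(m.group(3))
    report = {}
    for (name, seq), acl in sorted(entries.items()):
        if acl is None:
            status = "implicit"        # accepts the remote client's proposal
        elif acl not in acls:
            status = "undefined-acl"   # selector names an ACL that is not defined
        else:
            status = "explicit"        # specific traffic selection overrides it
        report[(name, seq)] = {"status": status, "acl": acl,
                               "in_use": name in referenced}
    return report


if __name__ == "__main__":
    for (name, seq), info in audit_dynamic_maps(SAMPLE_CONFIG).items():
        print(f"{name} {seq}: {info['status']} acl={info['acl']} in_use={info['in_use']}")
```

Entries reported as `implicit` and `in_use` are the ones where the remote client's proposed selectors are accepted as offered.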
Cisco ASA 5500 Series Configuration Guide using ASDM
63-10
Mode Configuration (also known as ISAKMP Configuration Method)
Tunnel Encapsulation Mode
IP compression (IPCOMP) using LZS
Add—Click to launch the Create IPsec Rule dialog box, where you can configure basic, advanced,
and traffic selection parameters for a rule.
Edit—Click to edit an existing rule.
Delete—Click to delete a rule highlighted in the table.
Cut—Deletes a highlighted rule in the table and keeps it in the clipboard for copying.
Copy—Copies a highlighted rule in the table.
Find—Click to enable the Find toolbar where you can specify the parameters of existing rules that
you want to find:
Filter—Filter the find results by selecting Interface, Source, Destination, Destination Service,
or Rule Query, selecting is or contains, and entering the filter parameter. Click ... to launch a
browse dialog box that displays all existing entries that you can choose.
Diagram—Displays a diagram that illustrates the highlighted IPsec rule.
Type: Priority—Displays the type of rule (static or dynamic) and its priority.
Traffic Selection
#—Indicates the rule number.
Source—Indicates the IP addresses that are subject to this rule when traffic is sent to the IP
addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail
button), an address column might contain an interface name with the word any, such as
inside:any. any means that any host on the inside interface is affected by the rule.
Destination—Lists the IP addresses that are subject to this rule when traffic is sent from the IP
addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the
Show Detail button), an address column might contain an interface name with the word any,
such as outside:any. any means that any host on the outside interface is affected by the rule. Also
in detail mode, an address column might contain IP addresses in square brackets, for example,
[209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host
makes a connection to an outside host, the adaptive security appliance maps the inside host's
address to an address from the pool. After a host creates an outbound connection, the adaptive
security appliance maintains this address mapping. This address mapping structure is called an
xlate, and remains in memory for a period of time.
Chapter 63
Configuring IKE, Load Balancing, and NAC
OL-20339-01


This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
