HP ProCurve 7102dl Reference Manual page 793

Secure router sros command line interface
SROS Command Line Interface Reference Guide
[Figure: packet processing order. Blocks shown: Interfaces (Ethernet, Frame Relay, PPP, local); Static Filter (in); IPSec Decrypt/Discard; NAT/ACP/Firewall; Router; IPSec Encrypt; Static Filter (out)]

As shown in the previous diagram, data coming into the product is first processed by the static filter associated with the interface on which the data is received. This access group is a true static filter and is available for use regardless of whether the firewall is enabled or disabled. Next (if the data is encrypted) it is sent to the IPSec engine for decryption. The decrypted data is then processed by the stateful inspection firewall. Therefore, given a terminating VPN tunnel, only unencrypted data is processed by the firewall.

The ACLs for a crypto map on an interface work in reverse logic to the ACLs for a policy class on an interface. When specifying the ACLs for a crypto map, the source information is the private local side, unencrypted source of the data. The destination information will be the far end, unencrypted destination of the data. However, ACLs for a policy class work in reverse. The source information for the ACL in a policy class is the far end. The destination information is the local side.

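The mirrored relationship between crypto map ACLs and policy class ACLs described above can be checked mechanically. The following Python sketch is an added example, not part of the HP manual: it reports crypto map entries that have no policy class entry with source and destination swapped. The `permit ip <src> <wildcard> <dst> <wildcard>` entry format, the addresses and all function names are assumptions made for illustration.

```python
import ipaddress

def _net(addr, wildcard):
    # A wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> /24).
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)

def parse_entry(line):
    """Parse 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' (assumed format)."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if action != "permit" or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    return (_net(src, src_wc), _net(dst, dst_wc))

def mirror(entry):
    """Swap source and destination: crypto map view -> policy class view."""
    src, dst = entry
    return (dst, src)

def matches(entry, pkt_src, pkt_dst):
    """True if a packet's addresses fall inside the entry's source/destination."""
    src, dst = entry
    return (ipaddress.IPv4Address(pkt_src) in src
            and ipaddress.IPv4Address(pkt_dst) in dst)

def audit(crypto_acl, policy_acl):
    """Return crypto map entries that lack a mirrored policy class entry."""
    policy = {parse_entry(line) for line in policy_acl}
    return [line for line in crypto_acl
            if mirror(parse_entry(line)) not in policy]

# Constructed sample: local private LAN 10.1.1.0/24, far-end LAN 10.2.2.0/24.
CRYPTO_MAP_ACL = ["permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"]
POLICY_OK = ["permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]
# Common mistake: the crypto map entry copied without swapping the two sides.
POLICY_COPIED = ["permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"]

if __name__ == "__main__":
    print("mirrored policy, missing:", audit(CRYPTO_MAP_ACL, POLICY_OK))
    print("copied policy, missing:", audit(CRYPTO_MAP_ACL, POLICY_COPIED))
    # A decrypted packet from the far end to the local LAN, as the firewall sees it.
    for name, acl in (("mirrored", POLICY_OK), ("copied", POLICY_COPIED)):
        hit = matches(parse_entry(acl[0]), "10.2.2.5", "10.1.1.9")
        print(f"{name} policy entry matches decrypted inbound packet: {hit}")
```
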
Usage Examples
The following example applies all crypto maps with the name MyMap to BVI interface 1:
ProCurve(config)#interface bvi 1
ProCurve(config-bvi 1)#crypto map MyMap
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
BVI Interface Config Command Set

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
