Cisco FirePOWER ASA 5500 series Configuration Manual page 516
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Configuring IPSec
Table 27-2
Result of Crypto Map
Evaluation
Match criterion in an ACE
containing a permit statement
Match criterion in an ACE
containing a deny statement
Fail to match all tested permit
ACEs in the crypto map set
ACEs containing deny statements filter out outbound traffic that does not require IPSec protection
(for example, routing protocol traffic). Therefore, insert initial deny statements to filter outbound traffic
that should not be evaluated against permit statements in a crypto access list.
For an inbound, encrypted packet, the security appliance uses the source address and ESP SPI to
determine the decryption parameters. After the security appliance decrypts the packet, it compares the
inner header of the decrypted packet to the permit ACEs in the ACL associated with the packet SA. If the
inner header fails to match the proxy, the security appliance drops the packet. It the inner header matches
the proxy, the security appliance routes the packet.
When comparing the inner header of an inbound packet that was not encrypted, the security appliance
ignores all deny rules because they would prevent the establishment of a Phase 2 SA.
To route inbound, unencrypted traffic as clear text, insert deny ACEs before permit ACEs.
Note
Figure 27-1
Cisco Security Appliance Command Line Configuration Guide
27-14
Special Meanings of Permit and Deny in Crypto Access Lists Applied to Outbound
Traffic
Response
Halt further evaluation of the packet against the remaining ACEs in the
crypto map set, and evaluate the packet security settings against those in
the transform sets assigned to the crypto map. After matching the
security settings to those in a transform set, the security appliance
applies the associated IPSec settings. Typically for outbound traffic, this
means that it decrypts, authenticates, and routes the packet.
Interrupt further evaluation of the packet against the remaining ACEs in
the crypto map under evaluation, and resume evaluation against the
ACEs in the next crypto map, as determined by the next seq-num
assigned to it.
Route the packet without encrypting it.
shows an example LAN-to-LAN network of security appliances.
Chapter 27
Configuring IPSec and ISAKMP
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
