Cisco FirePOWER ASA 5500 series Configuration Manual page 521

Chapter 27
Configuring IPSec and ISAKMP
Figure 27-3 Effect of Permit and Deny ACEs on Traffic (Real Addresses)

[Figure 27-3: network diagram. Security Appliance A protects network A, 192.168.3.0/26, with hosts A.1 (192.168.3.1), A.2 (192.168.3.2) and A.3 (192.168.3.3, Human Resources). Security Appliance B protects network B, 192.168.12.0/29, with hosts B.1 (192.168.12.1), B.2 (192.168.12.2) and B.3 (192.168.12.3). Security Appliance C protects network C, 192.168.201.0/27, with hosts C.1 (192.168.201.1), C.2 (192.168.201.2) and C.3 (192.168.201.3). The three networks are joined across the Internet.]

The tables that follow combine the IP addresses shown in Figure 27-3 to the concepts shown in Table 27-3. The real ACEs shown in these tables ensure that all IPSec packets under evaluation within this network receive the proper IPSec settings.

Table 27-4 Example Permit and Deny Statements for Security Appliance A

Security   Crypto Map
Appliance  Sequence No.  ACE Pattern   Real ACEs
A          1             deny A.3 B    deny 192.168.3.3 255.255.255.192 192.168.12.0 255.255.255.248
                         deny A.3 C    deny 192.168.3.3 255.255.255.192 192.168.201.0 255.255.255.224
                         permit A B    permit 192.168.3.0 255.255.255.192 192.168.12.0 255.255.255.248
                         permit A C    permit 192.168.3.0 255.255.255.192 192.168.201.0 255.255.255.224
           2             permit A.3 B  permit 192.168.3.3 255.255.255.192 192.168.12.0 255.255.255.248
                         permit A.3 C  permit 192.168.3.3 255.255.255.192 192.168.201.0 255.255.255.224
B          None needed   permit B A    permit 192.168.12.0 255.255.255.248 192.168.3.0 255.255.255.192
                         permit B C    permit 192.168.12.0 255.255.255.248 192.168.201.0 255.255.255.224
C          None needed   permit C A    permit 192.168.201.0 255.255.255.224 192.168.3.0 255.255.255.192
                         permit C B    permit 192.168.201.0 255.255.255.224 192.168.12.0 255.255.255.248

You can apply the same reasoning shown in the example network to use cascading ACLs to assign different security settings to different hosts or subnets protected by a Cisco security appliance.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
27-19
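The following script, added here as an illustration and not part of the Cisco guide, walks a packet through Security Appliance A's cascading crypto map entries from Table 27-4 and reports which sequence number ends up protecting it. It assumes the standard crypto ACL semantics (first match within an entry; a deny match sends the packet on to the next crypto map entry) and writes A.3 with a 255.255.255.255 host mask, as the "deny A.3 B" pattern intends; the mask printed in the Real ACEs column, 255.255.255.192, would in netmask terms cover all of 192.168.3.0/26, and the last check shows that difference.

```python
"""Evaluate Security Appliance A's cascading crypto map ACLs (constructed example)."""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed from Table 27-4.  A.3 carries a host mask here (an assumption of
# this example); the table prints 255.255.255.192 for it, which as a netmask
# widens 192.168.3.3 to the whole 192.168.3.0/26 subnet.
CRYPTO_MAP_A = {
    1: [
        "deny 192.168.3.3 255.255.255.255 192.168.12.0 255.255.255.248",
        "deny 192.168.3.3 255.255.255.255 192.168.201.0 255.255.255.224",
        "permit 192.168.3.0 255.255.255.192 192.168.12.0 255.255.255.248",
        "permit 192.168.3.0 255.255.255.192 192.168.201.0 255.255.255.224",
    ],
    2: [
        "permit 192.168.3.3 255.255.255.255 192.168.12.0 255.255.255.248",
        "permit 192.168.3.3 255.255.255.255 192.168.201.0 255.255.255.224",
    ],
}


def ace_matches(ace: str, src: str, dst: str) -> Optional[str]:
    """Return 'permit' or 'deny' if the ACE covers src->dst, else None."""
    action, s_ip, s_mask, d_ip, d_mask = ace.split()
    s_net = IPv4Network(f"{s_ip}/{s_mask}", strict=False)  # netmask, not wildcard
    d_net = IPv4Network(f"{d_ip}/{d_mask}", strict=False)
    if IPv4Address(src) in s_net and IPv4Address(dst) in d_net:
        return action
    return None


def protecting_entry(crypto_map: dict, src: str, dst: str) -> Optional[int]:
    """Return the sequence number whose ACL permits src->dst, or None.

    A deny match (or no match at all) in one entry's ACL hands the packet to
    the next entry; a packet that no entry permits is sent in the clear.
    """
    for seq in sorted(crypto_map):
        for ace in crypto_map[seq]:
            action = ace_matches(ace, src, dst)
            if action == "permit":
                return seq
            if action == "deny":
                break  # explicit deny: fall through to the next crypto map entry
    return None


if __name__ == "__main__":
    for src, dst in [("192.168.3.1", "192.168.12.1"), ("192.168.3.3", "192.168.12.1")]:
        print(f"{src} -> {dst}: crypto map entry {protecting_entry(CRYPTO_MAP_A, src, dst)}")
```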