Applying Crypto Maps To Interfaces - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring IPSec

Note: By default, the security appliance does not support IPSec traffic destined for the same interface from which it enters. (Names for this type of traffic include U-turn, hub-and-spoke, and hairpinning.) However, you might want IPSec to support U-turn traffic. To do so, insert an ACE to permit traffic to and from the network. For example, to support U-turn traffic on Security Appliance B, add a conceptual "permit B B" ACE to ACL1. The actual ACE would be as follows:

permit 192.168.12.0 255.255.255.248 192.168.12.0 255.255.255.248

Applying Crypto Maps to Interfaces

You must assign a crypto map set to each interface through which IPSec traffic flows. The security
appliance supports IPSec on all interfaces. Assigning the crypto map set to an interface instructs the
security appliance to evaluate all the traffic against the crypto map set and to use the specified policy
during connection or SA negotiation.
Assigning a crypto map to an interface also initializes run-time data structures, such as the SA database
and the security policy database. Reassigning a modified crypto map to the interface resynchronizes the
run-time data structures with the crypto map configuration. Also, adding new peers through the use of
new sequence numbers and reassigning the crypto map does not tear down existing connections.
Using Interface Access Lists
By default, the security appliance lets IPSec packets bypass interface ACLs. If you want to apply
interface access lists to IPSec traffic, use the no form of the sysopt connection permit-ipsec command.
The crypto map access list bound to the outgoing interface either permits or denies IPSec packets
through the VPN tunnel. IPSec authenticates and deciphers packets that arrive from an IPSec tunnel, and
subjects them to evaluation against the ACL associated with the tunnel.
Access lists define which IP traffic to protect. For example, you can create access lists to protect all IP
traffic between two subnets or two hosts. (These access lists are similar to access lists used with the
access-group command. However, with the access-group command, the access list determines which
traffic to forward or block at an interface.)
Before the assignment to crypto maps, the access lists are not specific to IPSec. Each crypto map
references the access lists and determines the IPSec properties to apply to a packet if it matches a permit
in one of the access lists.
Access lists assigned to IPSec crypto maps have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Trigger an ISAKMP negotiation for data travelling without an established SA.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.
• Determine whether to accept requests for IPSec SAs when processing IKE negotiation from the peer. (Negotiation applies only to ipsec-isakmp crypto map entries.) The peer must "permit" a data flow associated with an ipsec-isakmp crypto map command entry to ensure acceptance during negotiation.

Regardless of whether the traffic is inbound or outbound, the security appliance evaluates traffic against the access lists assigned to an interface. You assign IPSec to an interface as follows:

Step 1 Create the access lists to be used for IPSec.

Cisco Security Appliance Command Line Configuration Guide
27-20
Chapter 27 Configuring IPSec and ISAKMP
OL-10088-01
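The following configuration fragment is an added example, not taken from this guide: it ties together the crypto ACL (including the U-turn ACE from the note above), a crypto map with two sequence numbers, the interface binding, and the no sysopt connection permit-ipsec setting that makes interface ACLs apply to tunnel traffic. The names ACL1, ACL2, FirstSet, abcmap and outside_in, and the 10.10.10.0/24 and 192.0.2.x addresses, are assumed for illustration; the ISAKMP policy and tunnel-group for each peer are assumed to be configured elsewhere.

```text
! Crypto ACL: permit = protect. The first ACE is the conceptual "permit B B"
! entry so that U-turn (hairpin) traffic on Security Appliance B is encrypted.
access-list ACL1 extended permit ip 192.168.12.0 255.255.255.248 192.168.12.0 255.255.255.248
access-list ACL1 extended permit ip 192.168.12.0 255.255.255.248 10.10.10.0 255.255.255.0
access-list ACL2 extended permit ip 192.168.12.0 255.255.255.248 10.10.20.0 255.255.255.0
!
! Hairpinned traffic also needs intra-interface forwarding enabled on the appliance.
same-security-traffic permit intra-interface
!
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
!
! Crypto map entry 1: protected traffic, peer, and transform set.
crypto map abcmap 1 match address ACL1
crypto map abcmap 1 set peer 192.0.2.100
crypto map abcmap 1 set transform-set FirstSet
!
! A second peer under a new sequence number; re-applying the map afterwards
! resynchronizes the run-time data without tearing down entry 1's SAs.
crypto map abcmap 2 match address ACL2
crypto map abcmap 2 set peer 192.0.2.101
crypto map abcmap 2 set transform-set FirstSet
!
! Bind the crypto map set to the interface that carries the IPSec traffic;
! this initializes the SA database and the security policy database.
crypto map abcmap interface outside
!
! By default decrypted IPSec packets bypass interface ACLs. Disable that bypass
! so the interface ACL outside_in is enforced on tunnel traffic as well.
no sysopt connection permit-ipsec
access-list outside_in extended permit ip 10.10.10.0 255.255.255.0 192.168.12.0 255.255.255.248
access-list outside_in extended permit ip 10.10.20.0 255.255.255.0 192.168.12.0 255.255.255.248
access-group outside_in in interface outside
```

After applying the no sysopt form, any decrypted flow not explicitly permitted in outside_in is dropped, so the interface ACL must list every subnet the crypto ACLs protect.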