Creating Crypto Map Entries - Cisco SA-VAM - VPN Acceleration Module Installation And Configuration Manual

VPN Acceleration Module 2+ (VAM2+) Installation and Configuration Guide

Configuration Tasks

Step 1
Command:
Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
or
Router(config)# ip access-list extended name
Purpose: Specifies conditions to determine which IP packets will be protected (see note 1). (Enable or disable crypto for traffic that matches these conditions.) We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2
Command: Add permit and deny statements as appropriate.
Purpose: Adds permit or deny statements to access lists.

Step 3
Command: End
Purpose: Exits the configuration command mode.

Note 1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the "Configuring IPSec Network Security" chapter in the Security Configuration Guide publication.

Creating Crypto Map Entries

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.
To create crypto map entries that use IKE to establish the security associations, use the following commands, starting in global configuration mode:

Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-manual
Purpose: Specifies the crypto map entry to create (or modify). This command puts you into the crypto map configuration mode.

Step 2
Command: Router(config-crypto-m)# match address access-list-id
Purpose: Names an IPSec access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry. (The access list can specify only one permit entry when IKE is not used.)

Step 3
Command: Router(config-crypto-m)# set peer {hostname | ip-address}
Purpose: Specifies the remote IPSec peer. This is the peer to which IPSec protected traffic should be forwarded. (Only one peer can be specified when IKE is not used.)

Step 4
Command: Router(config-crypto-m)# set transform-set transform-set-name
Purpose: Specifies which transform set should be used. This must be the same transform set that is specified in the remote peer's corresponding crypto map entry. (Only one transform set can be specified when IKE is not used.)

Chapter 4, Configuring the SA-VAM2+ (OL-5979-03)
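
The "mirror image" recommendation for crypto access lists in the Configuration Tasks steps can be checked offline against the configurations of both peers. The Python check below is an added example, not part of the Cisco guide; its function names and the sample addresses are assumptions made for illustration, and it reads only numbered extended access-list entries.

```python
def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A wildcard'."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_crypto_acl(config):
    """Return (action, protocol, src, dst) per numbered extended ACL entry."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # not an ACL entry (blank line, remark, other command)
        try:
            src, rest = _take_addr(t[4:])
            dst, _ = _take_addr(rest)
        except IndexError:
            continue  # truncated entry: skip rather than guess
        entries.append((t[2], t[3], src, dst))
    return entries

def audit_mirror(local_cfg, remote_cfg):
    """Return findings; an empty list means the two ACLs mirror each other."""
    local, remote = parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg)
    findings = []
    for side, entries in (("local", local), ("remote", remote)):
        for action, proto, src, dst in entries:
            if ("any",) in (src, dst):
                findings.append(f"{side}: {action} {proto} entry uses 'any'")
    # A mirror image swaps source and destination; action and protocol stay.
    mirrored = [(a, p, dst, src) for a, p, src, dst in remote]
    findings += [f"local entry has no mirror: {e}" for e in local if e not in mirrored]
    findings += [f"remote entry has no mirror: {e}" for e in mirrored if e not in local]
    if not findings and local != mirrored:
        findings.append("entries mirror each other but in a different order")
    return findings

# Constructed sample configurations (addresses are illustrative only).
ROUTER_A = """access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255"""
ROUTER_B_MIRROR = """access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255"""
ROUTER_B_ANY = "access-list 101 permit ip any 10.0.1.0 0.0.0.255"

if __name__ == "__main__":
    for name, cfg in (("mirrored", ROUTER_B_MIRROR), ("any", ROUTER_B_ANY)):
        print(name, audit_mirror(ROUTER_A, cfg) or "OK")
```

An empty result means every entry on one peer has a source/destination-swapped counterpart on the other and neither side uses the any keyword.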
