Configuring IPsec Network Security
access-list S0 permit ip 10.0.0.1 0.0.0.255 188.8.131.52 0.0.0.255
Mirror Image Crypto IPv4-ACLs
For every crypto IPv4-ACL specified for a crypto map entry defined at the local peer, define a mirror
image crypto IPv4-ACL at the remote peer. This configuration ensures that IPsec traffic applied locally
can be processed correctly at the remote peer.
The crypto map entries themselves must also support common transforms and must refer to the other
system as a peer.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
IPSec access list at S0:
Traffic exchanged between 10.0.0.1 and 184.108.40.206 is protected.
IPsec Processing of Crypto IPv4-ACLs
If you configure multiple statements for a given crypto IPv4-ACL that is used for IPsec, the first
permit statement that is matched is used to determine the scope of the IPsec SA. Later, if traffic
matches a different permit statement of the crypto IPv4-ACL, a new, separate IPsec SA is negotiated
to protect traffic matching the newly matched IPv4-ACL statement.
Unprotected inbound traffic that matches a permit entry in the crypto IPv4-ACL for a crypto map
entry flagged as IPsec is dropped, because this traffic was expected to be protected by IPsec.
You can use the show ip access-lists command to view all IP-ACLs. The IP-ACLs used for traffic
filtering purposes are also used for crypto.
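To make the matching rules above concrete, here is an added Python model (not Cisco code, and not part of this guide) of how a crypto IPv4-ACL selects traffic: wildcard-mask matching, the first matched permit entry scoping the IPsec SA, a mirror-image check between two peers, and the drop of unprotected inbound traffic that matches a permit entry. The parser, function names and the S0/S1 addresses are constructed for illustration, and port syntax such as the iSCSI range entry is not handled.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    """One crypto IPv4-ACL permit entry: protocol, source, source wildcard, destination, destination wildcard."""
    proto: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int

def parse_acl(text: str) -> list:
    """Parse 'access-list NAME permit PROTO SRC SRC-WC DST DST-WC' lines (hypothetical helper; no port syntax)."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 8 and f[2] == "permit":   # only permit entries select traffic for IPsec
            src, src_wc, dst, dst_wc = (int(ipaddress.IPv4Address(x)) for x in f[4:8])
            entries.append(Entry(f[3], src, src_wc, dst, dst_wc))
    return entries

def _wc_match(addr: int, base: int, wc: int) -> bool:
    # Wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
    care = ~wc & 0xFFFFFFFF
    return addr & care == base & care

def first_match(acl, proto: str, src: str, dst: str) -> Optional[int]:
    """Index of the first permit entry the flow matches; that entry scopes its IPsec SA, and a flow matching a different entry gets a separate SA."""
    s, d = (int(ipaddress.IPv4Address(x)) for x in (src, dst))
    for i, e in enumerate(acl):
        if e.proto in ("ip", proto) and _wc_match(s, e.src, e.src_wc) and _wc_match(d, e.dst, e.dst_wc):
            return i
    return None

def is_mirror_image(local, remote) -> bool:
    """True when every local entry has its source/destination-swapped twin at the remote peer, and vice versa."""
    mirrored = {Entry(e.proto, e.dst, e.dst_wc, e.src, e.src_wc) for e in local}
    return mirrored == set(remote)

def inbound_action(acl, proto: str, src: str, dst: str, ipsec_protected: bool) -> str:
    """Assumption: the crypto ACL is written for outbound flows, so an inbound packet is checked with
    source and destination swapped. Matching traffic that arrives unprotected is dropped."""
    if first_match(acl, proto, dst, src) is None:
        return "forward"  # not crypto traffic: ordinary (non-IPsec) processing
    return "forward" if ipsec_protected else "drop"

# Constructed sample: mirror-image crypto ACLs at peers S0 and S1 (addresses are made up).
S0 = parse_acl("access-list S0 permit ip 10.0.0.1 0.0.0.255 10.2.2.2 0.0.0.255")
S1 = parse_acl("access-list S1 permit ip 10.2.2.2 0.0.0.255 10.0.0.1 0.0.0.255")
```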
For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and
the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the
speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet
interface shutdowns, VRRP switchovers, and port failures. The following example of an IPv4-ACL
entry shows an MDS switch whose IPv4 address is 10.10.10.50 and a remote Microsoft host running
encrypted iSCSI sessions at 10.10.10.16:
switch(config)# ip access-list aclmsiscsi2 permit tcp 10.10.10.50 0.0.0.0 range port 3260 3260 10.10.10.16 0.0.0.0
shows some sample scenarios with and without mirror image IPv4-ACLs.
IPSec access list at S1:
access-list S1 permit ip 220.127.116.11 0.0.0.255 10.0.0.1 0.0.0.255
Cisco MDS 9000 Family CLI Configuration Guide