Configuring IPSec; Creating Crypto Access Lists - Cisco 7401ASR Installation and Configuration Manual


Chapter 4
Configuring the VPN Acceleration Module

Configuring IPSec

After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This
section contains basic steps to configure IPSec and includes the tasks discussed in the following sections:

Creating Crypto Access Lists, page 4-3
Defining Transform Sets, page 4-4
Creating Crypto Map Entries, page 4-5
Verifying the Configuration, page 4-6

For detailed information on configuring IPSec, refer to the "Configuring IPSec Network Security"
chapter in the Security Configuration Guide publication.

Creating Crypto Access Lists

Crypto access lists define which IP traffic will be protected by encryption.

Note
IKE uses UDP port 500. The IPSec Encapsulation Security Protocol (ESP) and Authentication Header
(AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured
so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
In some cases you might need to add a statement to your access lists to explicitly permit this traffic.

To create crypto access lists, use the following commands in global configuration mode:

Step 1
Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard [log]
or
ip access-list extended name
Purpose: Specifies conditions to determine which IP packets are protected.(1) (Enable or disable
encryption for traffic that matches these conditions.) We recommend that you configure "mirror
image" crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2
Command: Add permit and deny statements as appropriate.
Purpose: Adds permit or deny statements to access lists.

Step 3
Command: end
Purpose: Exits the configuration command mode.

1. You specify conditions using an IP access list designated by either a number or a name. The access-list
command designates a numbered extended access list; the ip access-list extended command designates a
named access list.

For detailed information on configuring access lists, refer to the "Configuring IPSec Network Security"
chapter in the Security Configuration Guide publication.

Cisco 7401ASR Installation and Configuration Guide, OL-5419-01 B0 (Configuration Tasks, page 4-3)
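An added check, not part of the Cisco guide, that applies the recommendations above to access-list text: the crypto access lists of two peers must be mirror images and should not use the any keyword, and the interface access list must permit UDP port 500, ESP (protocol 50) and AH (protocol 51). The ACL lines in it are constructed samples, and the parser assumes valid IOS syntax.

```python
# Added example (not from the Cisco guide): check two peers' crypto ACLs for the page's
# "mirror image" and no-'any' advice, and that an interface ACL permits IKE (UDP 500),
# ESP (protocol 50) and AH (protocol 51). The sample ACLs at the end are constructed.
def _endpoint(t):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    if t[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), t[1:]
    return ((t[1], "0.0.0.0"), t[2:]) if t[0] == "host" else ((t[0], t[1]), t[2:])

def parse_ace(line):
    """One extended ACE (numbered or named form) as a dict; None for other lines.
    Assumes valid IOS syntax; source-port operators are not handled."""
    t = line.split()
    if t[:1] == ["access-list"]:  # numbered form: drop 'access-list <number>'
        t = t[2:]
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None
    src, rest = _endpoint(t[2:])
    dst, rest = _endpoint(rest)
    return {"action": t[0], "proto": t[1].lower(), "src": src, "dst": dst,
            "ports": rest, "uses_any": "any" in t[2:]}

def check_mirror_image(acl_a, acl_b):
    """Findings for the crypto ACLs of two peers; an empty list means they mirror."""
    a, b = [[e for e in map(parse_ace, acl) if e] for acl in (acl_a, acl_b)]
    findings = ["entry count differs"] if len(a) != len(b) else []
    for i, (x, y) in enumerate(zip(a, b), 1):
        if (x["action"], x["proto"], x["src"], x["dst"]) != \
           (y["action"], y["proto"], y["dst"], y["src"]):
            findings.append("entry %d is not a mirror image" % i)
        if x["uses_any"] or y["uses_any"]:
            findings.append("entry %d uses 'any'" % i)
    return findings

def check_interface_acl(acl):
    """IPSec types ('ike', 'esp', 'ah') not permitted; first-match order not modelled."""
    missing = {"ike", "esp", "ah"}
    for e in filter(None, map(parse_ace, acl)):
        if e["action"] == "permit":
            if e["proto"] == "ip":  # 'permit ip ...' already covers all three
                return set()
            missing.discard({"esp": "esp", "50": "esp", "ahp": "ah", "51": "ah"}.get(e["proto"]))
            if e["proto"] == "udp" and {"500", "isakmp"} & set(e["ports"]):
                missing.discard("ike")
    return missing

PEER_A = ["access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]
PEER_B = ["access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"]
OUTSIDE = ["permit udp any any eq isakmp", "permit esp any any", "permit ahp any any"]
```

Running check_mirror_image(PEER_A, PEER_B) and check_interface_acl(OUTSIDE) on the samples returns no findings; a peer that lists any or an interface ACL that only permits UDP 500 is reported.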
