ISAKMP
Configuring IPsec<br />
Chapter 29<br />
Configuring IPsec and <strong>ISAKMP</strong><br />
<table>
<caption>Table 29-2 Special Meanings of Permit and Deny in Crypto Access Lists Applied to Outbound Traffic</caption>
<tr>
<th>Result of Crypto Map Evaluation</th>
<th>Response</th>
</tr>
<tr>
<td>Match criterion in an ACE containing a permit statement</td>
<td>Halt further evaluation of the packet against the remaining ACEs in the crypto map set, and evaluate the packet security settings against those in the transform sets assigned to the crypto map. After matching the security settings to those in a transform set, the security appliance applies the associated IPsec settings. Typically for outbound traffic, this means that it encrypts, authenticates, and routes the packet.</td>
</tr>
<tr>
<td>Match criterion in an ACE containing a deny statement</td>
<td>Interrupt further evaluation of the packet against the remaining ACEs in the crypto map under evaluation, and resume evaluation against the ACEs in the next crypto map, as determined by the next seq-num assigned to it. A deny therefore excludes the packet only from that crypto map entry, not from the whole set.</td>
</tr>
<tr>
<td>Fail to match all tested permit ACEs in the crypto map set</td>
<td>Route the packet without encrypting it.</td>
</tr>
</table>
ACEs containing deny statements filter out outbound traffic that does not require IPsec protection<br />
(for example, routing protocol traffic). Therefore, insert initial deny statements to filter outbound traffic<br />
that should not be evaluated against permit statements in a crypto access list.<br />
For an inbound, encrypted packet, the security appliance uses the source address and ESP SPI to<br />
determine the decryption parameters. After the security appliance decrypts the packet, it compares the<br />
inner header of the decrypted packet to the permit ACEs in the ACL associated with the packet SA. If the<br />
inner header fails to match the proxy, the security appliance drops the packet. If the inner header matches<br />
the proxy, the security appliance routes the packet.<br />
When comparing the inner header of an inbound packet that was not encrypted, the security appliance<br />
ignores all deny rules because they would prevent the establishment of a Phase 2 SA.<br />
Note<br />
To route inbound, unencrypted traffic as clear text, insert deny ACEs before permit ACEs.<br />
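The evaluation order in Table 29-2 and the inbound check above, modelled as an added example (illustrative Python, not Cisco code or configuration). Every address, seq number, peer and transform-set name in it is made up for the demonstration, and the inbound check assumes the usual crypto ACL convention that ACEs are written from the local side (local source, remote destination), so the inner header of an inbound packet is tested in the reverse direction. The model shows the point that is easy to miss: a deny ACE only ends evaluation of the current crypto map entry, so a packet excluded in entry 10 can still be caught by a broad permit in entry 20.<br />

```python
# Added example: a model of crypto ACL / crypto map set evaluation as described
# in Table 29-2 plus the inbound check that follows decryption. Illustrative
# code, not Cisco code; all addresses, seq numbers, peers and transform-set
# names are constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry of a crypto ACL, written local -> remote."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol; otherwise exact match
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class CryptoMapEntry:
    """One crypto map entry; seq fixes the evaluation order within the set."""
    seq: int
    acl: Tuple[ACE, ...]
    peer: str
    transform_set: str


def ace(action, proto, src, dst):
    return ACE(action, proto, ip_network(src), ip_network(dst))


def pkt(proto, src, dst):
    return Packet(proto, ip_address(src), ip_address(dst))


def ace_matches(entry: ACE, p: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != p.proto:
        return False
    return p.src in entry.src and p.dst in entry.dst


def evaluate_outbound(crypto_map_set, p):
    """Outbound path from Table 29-2.

    Returns ("encrypt", seq) when a permit ACE matched in crypto map entry
    `seq`, or ("clear", None) when no permit ACE matched in any entry. A
    matching deny ACE only ends evaluation of the current entry; the packet
    is then tested against the next entry in seq order.
    """
    for entry in sorted(crypto_map_set, key=lambda e: e.seq):
        for a in entry.acl:
            if not ace_matches(a, p):
                continue
            if a.action == "permit":
                return ("encrypt", entry.seq)
            break  # deny: skip the rest of this entry, go on to the next seq
    return ("clear", None)


def evaluate_inbound_decrypted(acl, inner):
    """Inbound path: after decryption the inner header is compared with the
    permit ACEs of the ACL bound to the packet's SA; deny ACEs are ignored.
    The ACL is written local -> remote, so the inbound inner header is
    checked with source and destination swapped (assumption, see lead-in)."""
    mirrored = Packet(inner.proto, inner.dst, inner.src)
    for a in acl:
        if a.action == "permit" and ace_matches(a, mirrored):
            return "route"
    return "drop"


# Constructed crypto map set: entry 10 excludes multicast (routing protocol)
# traffic and one subnet ahead of its permit; entry 20 is deliberately broad.
CRYPTO_MAP_SET = (
    CryptoMapEntry(10, (
        ace("deny", "ip", "0.0.0.0/0", "224.0.0.0/4"),
        ace("deny", "ip", "10.1.5.0/24", "10.2.0.0/16"),
        ace("permit", "ip", "10.1.0.0/16", "10.2.0.0/16"),
    ), peer="192.0.2.10", transform_set="ESP-AES-SHA"),
    CryptoMapEntry(20, (
        ace("permit", "ip", "10.1.0.0/16", "10.0.0.0/8"),
    ), peer="192.0.2.20", transform_set="ESP-AES-SHA"),
)


def demo():
    sa10_acl = CRYPTO_MAP_SET[0].acl  # ACL bound to the SA built from entry 10
    return {
        "site_to_site": evaluate_outbound(CRYPTO_MAP_SET, pkt("tcp", "10.1.1.1", "10.2.1.1")),
        "excluded_subnet": evaluate_outbound(CRYPTO_MAP_SET, pkt("tcp", "10.1.5.7", "10.2.1.1")),
        "ospf_hello": evaluate_outbound(CRYPTO_MAP_SET, pkt("ospf", "10.1.1.1", "224.0.0.5")),
        "internet": evaluate_outbound(CRYPTO_MAP_SET, pkt("tcp", "10.1.1.1", "198.51.100.7")),
        "inbound_ok": evaluate_inbound_decrypted(sa10_acl, pkt("tcp", "10.2.1.1", "10.1.1.1")),
        "inbound_deny_ignored": evaluate_inbound_decrypted(sa10_acl, pkt("tcp", "10.2.1.1", "10.1.5.7")),
        "inbound_wrong_proxy": evaluate_inbound_decrypted(sa10_acl, pkt("tcp", "10.9.9.9", "10.1.1.1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

The "excluded_subnet" case is the one to check on a real crypto map set: the deny in entry 10 removes 10.1.5.0/24 from that tunnel, but the packet then falls through to entry 20 and is encrypted to the second peer. Traffic that must stay in clear text has to miss every permit ACE in the set, as the multicast OSPF hello does here.<br />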
Figure 29-1 shows an example LAN-to-LAN network of security appliances.<br />
29-14<br />
Cisco Security Appliance Command Line Configuration Guide<br />
OL-12172-04