64-25
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring IPsec
To complete the security appliance configuration in the example network, we assign mirror crypto maps
to Security Appliances B and C. However, because security appliances ignore deny ACEs when
evaluating inbound, encrypted traffic, we can omit the mirror equivalents of the deny A.3 B
and deny A.3 C ACEs, and therefore omit the mirror equivalents of Crypto Map 2. So the configuration
of cascading ACLs in Security Appliances B and C is unnecessary.
Table 64-4 shows the ACLs assigned to the crypto maps configured for all three ASAs in Figure 64-1.
Figure 64-3 maps the conceptual addresses shown in Figure 64-1 to real IP addresses.
Figure 64-3 Effect of Permit and Deny ACEs on Traffic (Real Addresses)
Table 64-4 Example Permit and Deny Statements (Conceptual)
Security Appliance A Security Appliance B Security Appliance C
Crypto Map
Sequence
No. ACE Pattern
Crypto Map
Sequence
No. ACE Pattern
Crypto Map
Sequence
No. ACE Pattern
1 deny A.3 B 1 permit B A 1 permit C A
deny A.3 C
permit A B
permit A C permit B C permit C B
2 permit A.3 B
permit A.3 C
A.1
192.168.3.1
A.2
192.168.3.2
A.3
192.168.3.3
Human Resources
A
192.168.3.0/26
143514
B.1
192.168.12.1
B.2
192.168.12.2
B.2
192.168.12.3
B
192.168.12.0/29
C.1
192.168.201.1
C.2
192.168.201.2
C.3
192.168.201.3
C
192.168.201.0/27
Internet