Filter
Top Products
68-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Configuring IPsec
–
Source—Indicates the IP addresses that are subject to this rule when traffic is sent to the IP
addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail
button), an address column might contain an interface name with the word any, such as
inside:any. any means that any host on the inside interface is affected by the rule.
–
Destination—Lists the IP addresses that are subject to this rule when traffic is sent from the IP
addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the
Show Detail button), an address column might contain an interface name with the word any,
such as outside:any. any means that any host on the outside interface is affected by the rule.
Also in detail mode, an address column might contain IP addresses in square brackets, for
example, [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an
inside host makes a connection to an outside host, the ASA maps the inside host's address to an
address from the pool. After a host creates an outbound connection, the ASA maintains this
address mapping. This address mapping structure is called an xlate, and remains in memory for
a period of time.
–
Service—Specifies the service and protocol specified by the rule (TCP, UDP, ICMP, or IP).
–
Action—Specifies the type of IPsec rule (protect or do not protect).
• Transform Set—Displays the transform set for the rule.
• Peer—Identifies the IPsec peer.
• PFS—Displays perfect forward secrecy settings for the rule.
• NAT-T Enabled—Indicates whether NAT Traversal is enabled for the policy.
• Reverse Route Enabled—Indicates whether Reverse Route Injection is enabled for the policy.
• Connection Type—(Meaningful only for static tunnel policies.) Identifies the connection type for
this policy as bidirectional, originate-only, or answer-only).
• SA Lifetime—Displays the SA lifetime for the rule.
• CA Certificate—Displays the CA certificate for the policy. This applies to static connections only.
• IKE Negotiation Mode—Displays whether IKE negotiations use main or aggressive mode.
• Description—(Optional) Specifies a brief description for this rule. For an existing rule, this is the
description you typed when you added the rule. An implicit rule includes the following description:
“Implicit rule.” To edit the description of any but an implicit rule, right-click this column, and
choose Edit Description or double-click the column.
• Enable Anti-replay window size—Sets the anti-replay window size, between 64 and 1028 in
multiples of 64. One side-effect of priority queueing in a hierarchical QoS policy with traffic
shaping (see the “Rule Actions > QoS Tab”) is packet re-ordering. For IPsec packets, out-of-order
packets that are not within the anti-replay window generate warning syslog messages. These
warnings becomes false alarms in the case of priority queueing. Configuring the anti-replay pane
size helps you avoid possible false alarms.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
• — • ——