4-10
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
Creating Crypto Access Lists
Crypto access lists define which IP traffic will be protected by encryption. (These access lists are not the
same as regular access lists, which determine what traffic to forward or block at an interface.) For
example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet
traffic between Host A and Host B.
To create crypto access lists, use the following commands in global configuration mode:

Step 1
Command:
  Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
  or
  Router(config)# ip access-list extended name
Purpose: Specifies conditions to determine which IP packets will be protected (1). (Enable or disable crypto for traffic that matches these conditions.) We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2
Command: Add permit and deny statements as appropriate.
Purpose: Adds permit or deny statements to the access list.

Step 3
Command: end
Purpose: Exits the configuration command mode.

(1) You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the "Configuring IPSec Network Security" chapter in the Security Configuration Guide publication.

Creating Crypto Map Entries
You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.
To create crypto map entries that do not use IKE to establish the security associations, use the following commands, starting in global configuration mode:
Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-manual
Purpose: Specifies the crypto map entry to create (or modify). This command puts you into the crypto map configuration mode.

Step 2
Command: Router(config-crypto-m)# match address access-list-id
Purpose: Names an IPSec access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry. (The access list can specify only one permit entry when IKE is not used.)

Step 3
Command: Router(config-crypto-m)# set peer {hostname | ip-address}
Purpose: Specifies the remote IPSec peer. This is the peer to which IPSec protected traffic should be forwarded. (Only one peer can be specified when IKE is not used.)
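The following added example is not part of the Cisco guide; it ties the two procedures above together as a pre-deployment check. It parses crypto access lists written in the extended syntax of Step 1 (numbered or named), verifies the rules this section states (avoid the any keyword, exactly one permit entry when the crypto map entry is ipsec-manual, and mirror-image lists on the two peers), and renders the three ipsec-manual crypto map commands from the step table. The router configurations, addresses, ACL numbers, and map names are constructed for illustration and are assumptions, not values from the guide.

```python
"""Audit crypto access lists against the rules given in this chapter.

Added example, not part of the Cisco guide: checks that a crypto ACL avoids
the `any` keyword, that an ipsec-manual crypto map entry's ACL contains
exactly one permit statement, and that the peer's ACL is the mirror image of
the local one. The configurations below are constructed for illustration;
the addresses, ACL numbers and map names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry in the extended-ACL syntax shown in Step 1."""
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp", "udp", ...
    src: str        # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    src_port: str   # "" or "eq <port>"
    dst: str
    dst_port: str
    log: bool = False

    def mirror(self) -> "Ace":
        """The entry the remote peer needs: source and destination swapped."""
        return Ace(self.action, self.proto, self.dst, self.dst_port,
                   self.src, self.src_port, self.log)

    def uses_any(self) -> bool:
        return "any" in (self.src, self.dst)


def _take_addr(tokens, i):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2          # address + wildcard mask


def _take_port(tokens, i):
    """Consume an optional 'eq <port>' operator (enough for a Telnet-only policy)."""
    if i < len(tokens) and tokens[i] == "eq":
        return f"eq {tokens[i + 1]}", i + 2
    return "", i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[:1] == ["access-list"]:      # numbered form: drop "access-list <number>"
        tokens = tokens[2:]
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an extended access list entry: {line!r}")
    action, proto = tokens[0], tokens[1]
    src, i = _take_addr(tokens, 2)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    return Ace(action, proto, src, src_port, dst, dst_port, log=tokens[i:] == ["log"])


def parse_acl(config: str) -> list:
    """Parse the permit/deny lines of a numbered or named extended ACL."""
    aces = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "ip access-list extended")):
            continue
        aces.append(parse_ace(line))
    return aces


def audit(local_acl, peer_acl, ipsec_manual: bool) -> list:
    """Return a list of findings; an empty list means the pair follows the rules."""
    findings = []
    for ace in local_acl:
        if ace.uses_any():
            findings.append(f"avoid 'any' in crypto access lists: {ace}")
    permits = sum(1 for a in local_acl if a.action == "permit")
    if ipsec_manual and permits != 1:
        findings.append(f"ipsec-manual entry needs exactly one permit statement, found {permits}")
    if [a.mirror() for a in local_acl] != peer_acl:   # entry order matters in an ACL
        findings.append("peer access list is not the mirror image of the local one")
    return findings


def manual_crypto_map(map_name: str, seq: int, acl_id: str, peer: str) -> list:
    """The three ipsec-manual crypto map commands from the step table above."""
    return [f"crypto map {map_name} {seq} ipsec-manual",
            f" match address {acl_id}",
            f" set peer {peer}"]


# Constructed sample configurations (assumed addresses and names).
ROUTER_A_ACL = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"
ROUTER_B_ACL = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
ROUTER_B_BAD = "access-list 101 permit ip any 10.1.1.0 0.0.0.255"
TELNET_A = "ip access-list extended TELNET-A-TO-B\n permit tcp host 10.1.1.5 host 10.2.2.7 eq 23\n"
TELNET_B = "ip access-list extended TELNET-B-TO-A\n permit tcp host 10.2.2.7 eq 23 host 10.1.1.5\n"

if __name__ == "__main__":
    print(audit(parse_acl(ROUTER_A_ACL), parse_acl(ROUTER_B_ACL), ipsec_manual=True))
    print(audit(parse_acl(ROUTER_A_ACL), parse_acl(ROUTER_B_BAD), ipsec_manual=True))
    print("\n".join(manual_crypto_map("VSA-MAP", 10, "101", "192.0.2.2")))
```

The mirror check compares the two lists entry by entry in order, because the router evaluates an access list top down and a reordered list is not the same policy. Port operators are mirrored along with the addresses, so a Telnet policy that says "eq 23" on the destination at one peer must say "eq 23" on the source at the other; the check on TELNET_A and TELNET_B passes, while ROUTER_B_BAD is reported both for the any keyword and for not mirroring the other side.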