34-10
Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
IPsec
Fields
Note You cannot edit, delete, or copy an implicit rule. The security appliance implicitly accepts the traffic
selection proposal from remote clients when configured with a dynamic tunnel policy. You can override
it by giving a specific traffic selection.
• Add—Click to launch the Add IPsec Rule dialog, where you can configure basic, advanced,
and traffic selection parameters for a rule, or choose
• Edit—Click to edit an existing rule.
• Delete—Click to delete a rule highlighted in the table.
• Cut—Deletes a highlighted rule in the table and keeps it in the clipboard for copying.
• Copy—Copies a highlighted rule in the table.
• Find—Click to enable the Find toolbar where you can specify the parameters of existing rules that
you want to find:
– Filter—Filter the find results by selecting Interface, Source, Destination, Destination Service, or Rule Query, selecting is or contains, and entering the filter parameter. Click ... to launch a browse dialog that displays all existing entries that you can choose.
• Diagram—Displays a diagram that illustrates the highlighted IPsec rule.
• Type: Priority—Displays the type of rule (static or dynamic) and its priority.
• Traffic Selection
– #—Indicates the rule number.
– Source—Indicates the IP addresses that are subject to this rule when traffic is sent to the IP addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail button), an address column might contain an interface name with the word any, such as inside:any. any means that any host on the inside interface is affected by the rule.
– Destination—Lists the IP addresses that are subject to this rule when traffic is sent from the IP addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the Show Detail button), an address column might contain an interface name with the word any, such as outside:any. any means that any host on the outside interface is affected by the rule. Also in detail mode, an address column might contain IP addresses in square brackets, for example, [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host makes a connection to an outside host, the security appliance maps the inside host's address to an address from the pool. After a host creates an outbound connection, the security appliance maintains this address mapping. This address mapping structure is called an xlate, and remains in memory for a period of time.
– Service—Specifies the service and protocol specified by the rule (TCP, UDP, ICMP, or IP).
– Action—Specifies the type of IPsec rule (protect or do not protect).
• Transform Set—Displays the transform set for the rule.
• Peer—Identifies the IPsec peer.
• PFS—Displays Perfect Forward Secrecy settings for the rule.
• NAT-T Enabled—Indicates whether NAT Traversal is enabled for the policy.
• Reverse Route Enabled—Indicates whether Reverse Route Injection is enabled for the policy.
• Connection Type—(Meaningful only for static tunnel policies.) Identifies the connection type for this policy as bidirectional, originate-only, or answer-only.
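As an added illustration (not the appliance's implementation and not text from this guide), the following simplified Python model shows the xlate behaviour described under the Destination column: an inside host is mapped to a free address from the pool on its first outbound connection, the mapping is reused while it stays active, and it is dropped once idle. The pool is the bracketed range shown on this page; the idle timeout value is an assumption chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed pool matching the bracketed range shown in detail mode on this page.
POOL_START = ipaddress.IPv4Address("209.165.201.1")
POOL_END = ipaddress.IPv4Address("209.165.201.30")
IDLE_TIMEOUT = 180  # seconds; assumed value for illustration, not the appliance's default


@dataclass
class XlateTable:
    """Minimal model of dynamic NAT xlates: one pool address per inside host,
    kept while in use and removed once idle longer than IDLE_TIMEOUT."""
    pool: List[ipaddress.IPv4Address] = field(default_factory=lambda: [
        ipaddress.IPv4Address(a) for a in range(int(POOL_START), int(POOL_END) + 1)])
    # inside host -> (mapped pool address, time of last use)
    xlates: Dict[str, Tuple[ipaddress.IPv4Address, float]] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop xlates whose idle time exceeds IDLE_TIMEOUT."""
        for host, (_, last_used) in list(self.xlates.items()):
            if now - last_used > IDLE_TIMEOUT:
                del self.xlates[host]

    def translate(self, inside_host: str, now: float) -> Optional[str]:
        """Return the mapped address for an outbound connection from inside_host.
        Reuses an existing xlate (refreshing its idle timer) or allocates the
        lowest free pool address; returns None when the pool is exhausted."""
        self.expire(now)
        entry = self.xlates.get(inside_host)
        if entry is not None:
            self.xlates[inside_host] = (entry[0], now)  # keep the mapping alive
            return str(entry[0])
        in_use = {mapped for mapped, _ in self.xlates.values()}
        for addr in self.pool:
            if addr not in in_use:
                self.xlates[inside_host] = (addr, now)
                return str(addr)
        return None


if __name__ == "__main__":
    table = XlateTable()
    print(table.translate("10.1.1.5", 0.0))   # first outbound connection: new xlate
    print(table.translate("10.1.1.5", 30.0))  # same host: same mapped address
```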