Cisco Systems VPN 3000 Switch User Manual

13 Policy Management
13-14
VPN 3000 Concentrator Series User Guide

Rule Name
Enter a unique name for this rule. Maximum is 48 characters.

Direction
Click the drop-down menu button and select the data direction to which this rule applies:
Inbound = Into the VPN Concentrator interface; or into the VPN tunnel from the remote client or host. (This is the default selection.)
Outbound = Out of the VPN Concentrator interface; or out of the VPN tunnel to the remote client or host.

Action
Click the drop-down menu button and select the action to take if the data traffic (packet) matches all parameters that follow. The choices are:
Drop = Discard the packet (the default selection).
Forward = Allow the packet to pass.
Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See Configuration | System | Events and see note below.
Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See note below.
Apply IPSec = Apply IPSec to the packet; i.e. apply packet authentication, encryption, etc. according to parameters that are specified in a Security Association. You must configure a Security Association if you select this action. Also, you can assign an SA to this rule only if you select this (or the following) action; see Configuration | Policy Management | Traffic Management | Security Associations. See note below.
Apply IPSec and Log = Apply IPSec to the packet and log a filter debugging event (FILTERDBG event class). See notes below.

Notes: The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and may seriously degrade performance.

The Apply IPSec actions are for LAN-to-LAN traffic only, not for remote-access traffic. Remote-access IPSec traffic is authenticated and encrypted according to the SAs negotiated with the remote client (tunnel group) and user. In LAN-to-LAN connections, individual hosts on the LANs do not negotiate SAs. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.

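The following Python model is an added illustration, not code from the guide or from the VPN Concentrator itself. It shows how a rule's Direction, Action and Security Association fit together as described above: first-match evaluation, an SA that is required for (and only assignable with) the Apply IPSec actions, and one FILTERDBG event per packet matched by a Log action, which is the cost the note warns about. The rule names, sample packets, the `protocol` match field and the "no-match" default are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LOG_ACTIONS = {"Drop and Log", "Forward and Log", "Apply IPSec and Log"}
IPSEC_ACTIONS = {"Apply IPSec", "Apply IPSec and Log"}

@dataclass
class Rule:
    name: str
    direction: str                  # "Inbound" or "Outbound"
    action: str                     # one of the six Action choices in the guide
    protocol: Optional[int] = None  # IANA protocol number; None matches any (assumption)
    sa: Optional[str] = None        # Security Association name (hypothetical field)

    def validate(self) -> None:
        if not 0 < len(self.name) <= 48:
            raise ValueError(f"{self.name!r}: rule name must be 1 to 48 characters")
        if self.action in IPSEC_ACTIONS and self.sa is None:
            raise ValueError(f"{self.name}: Apply IPSec actions require a Security Association")
        if self.sa is not None and self.action not in IPSEC_ACTIONS:
            raise ValueError(f"{self.name}: an SA can be assigned only to Apply IPSec actions")

    def matches(self, direction: str, protocol: int) -> bool:
        return self.direction == direction and self.protocol in (None, protocol)

def apply_filter(rules, packets):
    """Evaluate (direction, protocol) packets top-down; returns (verdicts, FILTERDBG events)."""
    for r in rules:
        r.validate()
    verdicts, events = [], []
    for direction, protocol in packets:
        verdict = "no-match"  # the filter's default action is configured elsewhere (assumption)
        for r in rules:
            if r.matches(direction, protocol):
                if r.action in LOG_ACTIONS:  # one event per matched packet: the debugging cost
                    events.append(f"FILTERDBG rule={r.name} dir={direction} proto={protocol}")
                verdict = f"ipsec:{r.sa}" if r.action in IPSEC_ACTIONS else r.action.split()[0].lower()
                break
        verdicts.append(verdict)
    return verdicts, events

# Constructed sample: an inbound ICMP debug rule, a LAN-to-LAN style outbound IPSec rule, a catch-all.
SAMPLE_RULES = [
    Rule("debug-icmp-in", "Inbound", "Drop and Log", protocol=1),
    Rule("to-site-b", "Outbound", "Apply IPSec", sa="site-b-sa"),
    Rule("allow-in", "Inbound", "Forward"),
]
SAMPLE_PACKETS = [("Inbound", 1)] * 3 + [("Outbound", 6), ("Inbound", 6)]
```

Running `apply_filter(SAMPLE_RULES, SAMPLE_PACKETS)` yields three dropped ICMP packets with three FILTERDBG events, one IPSec-protected outbound packet and one forwarded inbound packet.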
Protocol or Other
This parameter refers to the IANA (Internet Assigned Numbers Authority)-assigned protocol number in an IP packet. The descriptions below include the IANA number [in brackets] for reference.