Cisco Systems SM-ISM Video Gaming Accessories User Manual
4-5
Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
Chapter 4 Configuring the ISA and ISM
Configuring IPSec
Later, you will associate the crypto access lists with particular interfaces when you configure and apply
crypto map sets to the interfaces (following the instructions in the Creating Crypto Maps section
on page 4-7).
Note IKE uses UDP port 500. The IPSec Encapsulation Security Protocol (ESP) and Authentication Header
(AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured
so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
In some cases you might need to add a statement to your access lists to explicitly permit this traffic.
To create crypto access lists, use the following commands in global configuration mode:

Step 1
  Command:
    access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
    or
    ip access-list extended name
  Purpose:
    Specify conditions to determine which IP packets are protected. (1)
    (Enable or disable encryption for traffic that matches these conditions.)
    We recommend that you configure mirror image crypto access lists for use by IPSec
    and that you avoid using the any keyword.

Step 2
  Command: Add permit and deny statements as appropriate.

Step 3
  Command: end
  Purpose: Exit the configuration command mode.

(1) You specify conditions using an IP access list designated by either a number or a name. The access-list command
designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the Configuring IPSec Network Security
chapter in the Security Configuration Guide publication. That chapter contains information on the
following topics:
- Crypto Access List Tips
- Defining Mirror Image Crypto Access Lists at Each IPSec Peer
- Using the any Keyword in Crypto Access Lists

Defining a Transform Set
A transform set represents a certain combination of security protocols and algorithms. During the IPSec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPSec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPSec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and is applied to the protected
traffic as part of both peers' IPSec security associations.
With manually established security associations, there is no negotiation with the peer, so both sides must
specify the same transform set.
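The following configuration is an added example, not taken from this Cisco manual, that puts the crypto access list procedure and the transform set section together for two IPSec peers. It shows mirror image crypto access lists at each peer, interface access lists that explicitly permit IKE (UDP 500), ESP (50) and AH (51) as the note above requires, an identical transform set on both sides, and the crypto map entry that binds them. Every name, number and address in it (R1, R2, 10.1.1.0/24, 10.2.2.0/24, 192.0.2.1, 198.51.100.1, list 101, OUTSIDE-IN, TS-ESP, VPNMAP, FastEthernet0/0) is an assumption chosen for illustration; IP reachability between the two outside addresses and the IKE policy and keys are assumed to be configured separately.

```cisco
! Added example, not from the Cisco manual. All names, numbers and
! addresses below are assumptions made for illustration.

! ===== R1 (outside address 192.0.2.1, protects 10.1.1.0/24) =====
! Crypto access list: defines which IP packets are protected. It names
! specific source and destination networks and avoids the any keyword.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Interface access list: IKE (UDP 500, keyword isakmp), ESP (50) and
! AH (51, keyword ahp) from the peer must not be blocked, so they are
! permitted explicitly ahead of the final deny.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 deny ip any any log

! Transform set: the peers only negotiate successfully if the same
! combination of protocols and algorithms exists at both ends.
! (esp-3des/esp-sha-hmac is assumed to be supported by the adapter;
! prefer the strongest transform the platform accepts.)
crypto ipsec transform-set TS-ESP esp-3des esp-sha-hmac
 mode tunnel

! Crypto map entry: ties the peer, the transform set and the crypto
! access list together; the map is then applied to the interface.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-ESP
 match address 101

interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP

! ===== R2 (outside address 198.51.100.1, protects 10.2.2.0/24) =====
! Mirror image of R1's list 101: source and destination are swapped, so
! traffic R1 protects outbound is exactly what R2 expects protected inbound.
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
 permit esp host 192.0.2.1 host 198.51.100.1
 permit ahp host 192.0.2.1 host 198.51.100.1
 deny ip any any log

! Same transform set as R1.
crypto ipsec transform-set TS-ESP esp-3des esp-sha-hmac
 mode tunnel

crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-ESP
 match address 101

interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
```

The deny entry at the end of OUTSIDE-IN carries the log keyword so that anything other than IKE, ESP and AH arriving from the peer address is recorded rather than silently dropped, which makes a mismatch between the interface access list and the IPSec traffic visible during troubleshooting. If the two crypto access lists are not mirror images (for example, one side lists a wider network than the other), the security association negotiation can fail or protect only one direction of the flow, which is why the procedure above recommends mirror image lists.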