Cisco FirePOWER ASA 5500 series Configuration Manual page 515

Security appliance command line
Chapter 27
Configuring IPSec and ISAKMP
Each ACL consists of one or more ACEs that have the same access-list-name. You create an ACL when
you create its first ACE. The following command syntax creates or adds to an ACL:
access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
In the following example, the security appliance applies the IPSec protections assigned to the crypto map
to all traffic flowing from the 10.0.0.0 subnet to the 10.1.1.0 subnet.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
The crypto map that matches the packet determines the security settings used in the SA negotiations.
If the local security appliance initiates the negotiation, it uses the policy specified in the static crypto
map to create the offer to send to the specified peer. If the peer initiates the negotiation, the security
appliance attempts to match the policy to a static crypto map, and if that fails, any dynamic crypto maps
in the crypto map set, to decide whether to accept or reject the peer offer.
For two peers to succeed in establishing an SA, they must have at least one compatible crypto map. To
be compatible, a crypto map must meet the following criteria:
• The crypto map must contain compatible crypto ACLs (for example, mirror-image ACLs). If the responding peer uses dynamic crypto maps, the security appliance must also use dynamic crypto maps to apply IPSec.
• Each crypto map identifies the other peer (unless the responding peer uses dynamic crypto maps).
• The crypto maps have at least one transform set in common.
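The first and third criteria can be checked before a tunnel is brought up. The following Python script is an added example, not part of the Cisco guide: it parses ACEs written in the access-list syntax shown above, checks that the peer's permit ACEs are the exact mirror image of the local ones, and reports which transform sets the two crypto maps share. ACL 201, the transform-set names and the mismatched netmask are constructed sample values.

```python
"""Check crypto-map compatibility between two peers: mirror-image crypto ACLs
and at least one transform set in common."""
import re

# Matches: access-list NAME {deny|permit} ip SRC SMASK DST DMASK
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_acl(config_text):
    """Return {acl_name: [(action, src, smask, dst, dmask), ...]}.
    Lines that are not ACEs in the syntax above are ignored."""
    acls = {}
    for line in config_text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((action, src, smask, dst, dmask))
    return acls


def permits(aces):
    """Only permit ACEs select traffic for IPSec; deny ACEs are left out."""
    return {(s, sm, d, dm) for a, s, sm, d, dm in aces if a == "permit"}


def acls_are_mirror_images(local_aces, peer_aces):
    """True when every local permit ACE appears on the peer with source and
    destination swapped, and nothing else is permitted on either side."""
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in permits(local_aces)}
    return mirrored == permits(peer_aces)


def common_transform_sets(local_sets, peer_sets):
    """Transform sets both crypto maps offer; an empty list means no SA."""
    return sorted(set(local_sets) & set(peer_sets))


# Constructed samples: the guide's ACL 101 on the local appliance, a correct
# mirror-image ACL on the peer, and a peer ACL with a wrong netmask.
LOCAL_CFG = "access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0"
PEER_OK = "access-list 201 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0"
PEER_BAD = "access-list 201 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.0.0"

if __name__ == "__main__":
    local = parse_acl(LOCAL_CFG)["101"]
    print(acls_are_mirror_images(local, parse_acl(PEER_OK)["201"]))   # True
    print(acls_are_mirror_images(local, parse_acl(PEER_BAD)["201"]))  # False
    print(common_transform_sets(["ESP-AES-SHA", "ESP-3DES-MD5"], ["ESP-3DES-MD5"]))
```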
You can apply only one crypto map set to a single interface. Create more than one crypto map for a
particular interface on the security appliance if any of the following conditions exist:
• You want specific peers to handle different data flows.
• You want different IPSec security to apply to different types of traffic.
For example, create a crypto map and assign an ACL to identify traffic between two subnets and assign
one transform set. Create another crypto map with a different ACL to identify traffic between another
two subnets and apply a transform set with different VPN parameters.
If you create more than one crypto map for an interface, specify a sequence number (seq-num) for each
map entry to determine its priority within the crypto map set.
Each ACE contains a permit or deny statement. Table 27-2 explains the special meanings of permit and
deny ACEs in ACLs applied to crypto maps.
Configuring IPSec
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
27-13