Configuring IPSec
To complete the security appliance configuration in the example network, we assign mirror crypto maps
to Security Appliances B and C. However, because security appliances ignore deny ACEs when
evaluating inbound, encrypted traffic, we can omit the mirror equivalents of the deny A.3 B
and deny A.3 C ACEs, and therefore omit the mirror equivalents of Crypto Map 2. So the configuration
of cascading ACLs in Security Appliances B and C is unnecessary.
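
The following sketch is an added example, not code from the Cisco guide. It models the evaluation
order described above using the conceptual ACE patterns listed in Table 27-3. It assumes that A.3 is
a host inside network A, that a deny match skips to the next crypto map sequence number, and that
A.1 and D are constructed test addresses; the inbound check is a simplified model.

```python
# Added illustration: simplified model of crypto map ACL evaluation.
# Addresses are the conceptual ones from Table 27-3. Assumptions: "A.3" is a
# host inside network "A"; "A.1" and "D" are constructed test addresses.

def covers(pattern, addr):
    """A pattern covers itself and any host below it ("A" covers "A.3")."""
    return addr == pattern or addr.startswith(pattern + ".")

def select_outbound(crypto_maps, src, dst):
    """Sequence number of the crypto map that protects src -> dst, or None."""
    for seq in sorted(crypto_maps):
        for action, local, remote in crypto_maps[seq]:
            if covers(local, src) and covers(remote, dst):
                if action == "permit":
                    return seq
                break  # deny: leave this map, resume at the next sequence no.
    return None

def accept_inbound(crypto_maps, src, dst):
    """Match decrypted inbound traffic src -> dst; deny ACEs are ignored."""
    for seq in sorted(crypto_maps):
        for action, local, remote in crypto_maps[seq]:
            if action == "permit" and covers(local, dst) and covers(remote, src):
                return seq
    return None

APPLIANCE_A = {
    1: [("deny", "A.3", "B"), ("deny", "A.3", "C"),
        ("permit", "A", "B"), ("permit", "A", "C")],
    2: [("permit", "A.3", "B"), ("permit", "A.3", "C")],
}
APPLIANCE_B = {1: [("permit", "B", "A"), ("permit", "B", "C")]}
APPLIANCE_C = {1: [("permit", "C", "A"), ("permit", "C", "B")]}

if __name__ == "__main__":
    for src, dst in [("A.1", "B"), ("A.3", "B"), ("A.3", "C"), ("A.1", "D")]:
        print(f"A outbound {src} -> {dst}: crypto map",
              select_outbound(APPLIANCE_A, src, dst))
    print("B inbound A.3 -> B: crypto map", accept_inbound(APPLIANCE_B, "A.3", "B"))
    print("C inbound A.3 -> C: crypto map", accept_inbound(APPLIANCE_C, "A.3", "C"))
```

Traffic from A.3 cascades to Crypto Map 2 on Security Appliance A, while Security Appliances B and C
accept it with a single crypto map that contains only permit ACEs.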
Table 27-3 shows the ACLs assigned to the crypto maps configured for all three security appliances in
Figure 27-1.

Table 27-3  Example Permit and Deny Statements (Conceptual)

Security Appliance A            Security Appliance B            Security Appliance C
Crypto Map                      Crypto Map                      Crypto Map
Sequence No.  ACE Pattern       Sequence No.  ACE Pattern       Sequence No.  ACE Pattern
1             deny A.3 B        1             permit B A        1             permit C A
              deny A.3 C                      permit B C                      permit C B
              permit A B
              permit A C
2             permit A.3 B
              permit A.3 C

Figure 27-3 maps the conceptual addresses shown in Figure 27-1 to real IP addresses.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01
Chapter 27: Configuring IPSec and ISAKMP