Cisco MDS 9000 Series Configuration Manual page 205

Security

Configuring IPSec Network Security
• The following example of an IPv4-ACL entry shows that the MDS switch IPv4 address is 10.10.10.50 and the remote Microsoft host running encrypted iSCSI sessions is 10.10.10.16:

switch(config)# ip access-list aclmsiscsi2 permit tcp 10.10.10.50 0.0.0.0 range port 3260 3260 10.10.10.16 0.0.0.0

Mirror Image Crypto IPv4-ACLs

For every crypto IPv4-ACL specified for a crypto map entry defined at the local peer, define a mirror image crypto IPv4-ACL at the remote peer. This configuration ensures that IPsec traffic applied locally can be processed correctly at the remote peer.

Tip
The crypto map entries themselves must also support common transforms and must refer to the other system as a peer.

Figure 14: IPsec Processing of Mirror Image Configuration, on page 187 shows some sample scenarios with and without mirror image IPv4-ACLs.

Figure 14: IPsec Processing of Mirror Image Configuration

As Figure 14: IPsec Processing of Mirror Image Configuration, on page 187 indicates, IPsec SAs can be established as expected whenever the two peers' crypto IPv4-ACLs are mirror images of each other. However, an IPsec SA can be established only some of the time when the IPv4-ACLs are not mirror images of each other. This can happen in the case when an entry in one peer's IPv4-ACL is a subset of an entry in the other peer's IPv4-ACL, such as shown in cases 3 and 4 of Figure 14: IPsec Processing of Mirror Image Configuration, on page 187.

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
187
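The following script is an added example, not code from the Cisco guide or from NX-OS. It parses crypto IPv4-ACL permit lines in the form shown on this page (only the "range port" operator is handled), builds the mirror image a peer would need, and reports whether two entries are mirror images. The SA-negotiation model it uses is an assumption for illustration: the initiator proposes the traffic selectors of its own entry, and the responder accepts only when the mirror of its own entry covers every flow in that proposal. Under that model a mirror-image pair negotiates from either side, while a subset pair negotiates only when the narrower side initiates, which is the "only some of the time" behaviour the text describes. All ACL lines other than the switch entry quoted above are constructed sample input.

```python
"""Mirror-image check for crypto IPv4-ACL entries (added example; not Cisco code).

Model (an assumption, not from the guide): the IKE initiator proposes the traffic
selectors of its own crypto ACL entry, and the responder accepts only if the mirror
of its own entry covers every flow in that proposal."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an 'address wildcard' pair into a network; wildcard 0.0.0.0 means one host."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    # Raises ValueError for a non-contiguous wildcard, which a crypto ACL should not use.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class CryptoAclEntry:
    proto: str
    src: ipaddress.IPv4Network
    src_ports: tuple
    dst: ipaddress.IPv4Network
    dst_ports: tuple

    def mirror(self) -> "CryptoAclEntry":
        """The entry the other peer must carry: source and destination swapped."""
        return CryptoAclEntry(self.proto, self.dst, self.dst_ports, self.src, self.src_ports)

    def covers(self, other: "CryptoAclEntry") -> bool:
        """True if every flow matched by `other` is also matched by this entry."""
        def port_covers(wide, narrow):
            return wide[0] <= narrow[0] and narrow[1] <= wide[1]
        return (self.proto == other.proto
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and port_covers(self.src_ports, other.src_ports)
                and port_covers(self.dst_ports, other.dst_ports))


def parse_permit(line: str) -> CryptoAclEntry:
    """Parse a 'permit' line in the form used on this page:
    ... permit PROTO SRC SRC_WC [range port LO HI] DST DST_WC [range port LO HI]
    Only the 'range port' operator is handled (the only one the page shows)."""
    tok = line.split()
    i = tok.index("permit") + 1
    proto, i = tok[i], i + 1

    def addr_and_ports(i):
        net = wildcard_to_network(tok[i], tok[i + 1])
        i += 2
        ports = ANY_PORT
        if i < len(tok) and tok[i] == "range":          # 'range port LO HI'
            ports = (int(tok[i + 2]), int(tok[i + 3]))
            i += 4
        return net, ports, i

    src, src_ports, i = addr_and_ports(i)
    dst, dst_ports, i = addr_and_ports(i)
    return CryptoAclEntry(proto, src, src_ports, dst, dst_ports)


def is_mirror_image(local: CryptoAclEntry, remote: CryptoAclEntry) -> bool:
    return local.mirror() == remote


def sa_outcome(local: CryptoAclEntry, remote: CryptoAclEntry) -> str:
    """Which side(s) can successfully initiate under the model described above."""
    local_initiates = remote.mirror().covers(local)   # remote, as responder, checks local's proposal
    remote_initiates = local.mirror().covers(remote)  # and vice versa
    if local_initiates and remote_initiates:
        return "SA established whichever peer initiates"
    if local_initiates:
        return "SA established only when the local peer initiates"
    if remote_initiates:
        return "SA established only when the remote peer initiates"
    return "SA never established"


# Case 1: the switch-side entry from the page and its mirror on the host side (host line constructed).
SWITCH_ENTRY = parse_permit(
    "ip access-list aclmsiscsi2 permit tcp 10.10.10.50 0.0.0.0 range port 3260 3260 10.10.10.16 0.0.0.0")
HOST_MIRROR = parse_permit(
    "permit tcp 10.10.10.16 0.0.0.0 10.10.10.50 0.0.0.0 range port 3260 3260")

# Case 2 (constructed): a subnet-wide entry on one side, a host-to-host subset of it on the other.
WIDE_ENTRY = parse_permit("permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255")
NARROW_ENTRY = parse_permit("permit ip 10.20.20.16 0.0.0.0 10.10.10.50 0.0.0.0")

if __name__ == "__main__":
    for name, a, b in (("mirror", SWITCH_ENTRY, HOST_MIRROR), ("subset", WIDE_ENTRY, NARROW_ENTRY)):
        print(f"{name}: mirror image = {is_mirror_image(a, b)}; {sa_outcome(a, b)}")
```

Running the script prints the mirror case as negotiable from either side and the subset case as negotiable only when the narrower (host-to-host) peer initiates; a configuration audit would flag any pair whose `is_mirror_image` result is False.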
