Cisco ASA Series Cli Configuration Manual page 1576

Software version 9.0 for the services module

Configuring IPsec
To complete the security appliance configuration in the example network, we assign mirror crypto maps
to Security Appliances B and C. However, because security appliances ignore deny ACEs when
evaluating inbound, encrypted traffic, we can omit the mirror equivalents of the deny A.3 B
and deny A.3 C ACEs, and therefore omit the mirror equivalents of Crypto Map 2. So the configuration
of cascading ACLs in Security Appliances B and C is unnecessary.
Table 1-4 shows the ACLs assigned to the crypto maps configured for all three ASAs in Figure 1-1.

Table 1-4   Example Permit and Deny Statements (Conceptual)

Appliance               Crypto Map Sequence No.   ACE Pattern
Security Appliance A    1                         deny A.3 B
                                                  deny A.3 C
                                                  permit A B
                                                  permit A C
                        2                         permit A.3 B
                                                  permit A.3 C
Security Appliance B    1                         permit B A
                                                  permit B C
Security Appliance C    1                         permit C A
                                                  permit C B

Figure 1-3 maps the conceptual addresses shown in Figure 1-1 to real IP addresses.

Figure 1-3   Effect of Permit and Deny ACEs on Traffic (Real Addresses)

[Figure not reproduced. Labels recovered from the figure:]
A    192.168.3.0/26      A.1 192.168.3.1, A.2 192.168.3.2, A.3 192.168.3.3 (Human Resources)
B    192.168.12.0/29     B.1 192.168.12.1, B.2 192.168.12.2, B.2 192.168.12.3
C    192.168.201.0/27    C.1 192.168.201.1, C.2 192.168.201.2, C.3 192.168.201.3
Internet

Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring IPsec and ISAKMP, page 1-26
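The cascading evaluation behind Table 1-4 can be checked with a short simulation. This is an added example, not code from the Cisco guide and not ASA configuration: it models Security Appliance A's two crypto maps with the real addresses from Figure 1-3 and derives the mirror ACEs a peer needs. The names select_outbound, mirror_for_peer and MAPS_A are hypothetical.

```python
import ipaddress as ip

# Real addresses from Figure 1-3.
A, A3 = ip.ip_network("192.168.3.0/26"), ip.ip_network("192.168.3.3/32")
B, C = ip.ip_network("192.168.12.0/29"), ip.ip_network("192.168.201.0/27")

# Security Appliance A's cascading crypto maps from Table 1-4:
# sequence number -> ordered ACEs (action, source, destination).
MAPS_A = {
    1: [("deny", A3, B), ("deny", A3, C), ("permit", A, B), ("permit", A, C)],
    2: [("permit", A3, B), ("permit", A3, C)],
}

def select_outbound(maps, src, dst):
    """Return the sequence number of the crypto map that protects src -> dst.

    A deny ACE stops evaluation of the current crypto map and resumes at the
    next sequence number; a permit ACE assigns the packet to the current map.
    """
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for seq in sorted(maps):
        for action, src_net, dst_net in maps[seq]:
            if s in src_net and d in dst_net:
                if action == "permit":
                    return seq
                break  # deny: fall through to the next crypto map
    return None  # no crypto map matched: not protected by IPsec

def mirror_for_peer(maps, peer_net):
    """Build the peer's mirror ACEs: swap source and destination of every
    permit ACE aimed at the peer, skip deny ACEs (ignored for inbound
    encrypted traffic), and drop permits covered by a broader permit."""
    mirrored = [(dst, src) for seq in sorted(maps)
                for action, src, dst in maps[seq]
                if action == "permit" and dst == peer_net]
    return [(s, d) for s, d in mirrored
            if not any((s, d) != (s2, d2) and s.subnet_of(s2) and d.subnet_of(d2)
                       for s2, d2 in mirrored)]

if __name__ == "__main__":
    print(select_outbound(MAPS_A, "192.168.3.1", "192.168.12.2"))  # A.1 -> B
    print(select_outbound(MAPS_A, "192.168.3.3", "192.168.12.2"))  # A.3 -> B
    print(mirror_for_peer(MAPS_A, B))  # the single mirror ACE B needs for A
```

The mirror of permit A.3 B is already covered by permit B A, which is why Security Appliances B and C each need only one crypto map.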
