Cisco Systems C7200 manual: Creating Crypto Access Lists, Creating Crypto Map Entries

Chapter 4 Configuring the VSA

Configuration Tasks

Creating Crypto Access Lists

Crypto access lists define which IP traffic will be protected by encryption. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.

To create crypto access lists, use the following commands, starting in global configuration mode:

Step 1
  Command: Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]
           or
           Router(config)# ip access-list extended name
  Purpose: Specifies conditions to determine which IP packets will be protected.(1) (Enable or disable crypto for traffic that matches these conditions.) We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2
  Command: Add permit and deny statements as appropriate.
  Purpose: Adds permit or deny statements to the access list.

Step 3
  Command: end
  Purpose: Exits the configuration command mode.

1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication.
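The following configuration is an added example, not taken from this guide, showing what "mirror image" crypto access lists look like for the two cases named above (all traffic between two subnets, and Telnet between two hosts). Router A is assumed to protect 10.1.1.0/24 and Router B to protect 10.2.2.0/24; the list names, subnets and host addresses are made up for illustration. The "any" variant is shown commented out as the pattern the guide tells you to avoid.

```cisco
! Router A: protects 10.1.1.0/24 and peers with Router B, which protects 10.2.2.0/24.
! In a crypto access list the source is the local protected network and the
! destination is the remote one (addresses are made up for this example).
ip access-list extended CRYPTO-A-TO-B
 remark IPSec selector: Subnet A -> Subnet Y
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 remark Telnet from Host A to Host B only; the server port sits on the destination
 permit tcp host 10.1.1.5 host 10.2.2.7 eq 23
!
! Router B: the mirror image. Source and destination swap, and "eq 23" moves
! with the Host B address to the source side of the Telnet line.
ip access-list extended CRYPTO-B-TO-A
 remark IPSec selector: Subnet Y -> Subnet A
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit tcp host 10.2.2.7 eq 23 host 10.1.1.5
!
! Not recommended: the any keyword in a crypto access list (left commented out).
! ip access-list extended CRYPTO-A-BAD
!  permit ip 10.1.1.0 0.0.0.255 any
! This selects every packet from 10.1.1.0/24 for IPSec, including traffic to
! destinations the peer does not protect. Such packets are dropped for lack
! of a matching security association rather than forwarded in the clear.
```

The mirror matters in both directions: IOS also evaluates traffic arriving on the crypto-mapped interface against the list, and a cleartext packet that matches a permit line is dropped because it was expected to arrive IPSec-protected. A list that is not mirrored on the other router therefore breaks the return path silently. Use show access-lists to see the lines and their hit counts, and show crypto map to confirm which list each crypto map entry references.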

Creating Crypto Map Entries

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.

To create crypto map entries that do not use IKE to establish the security associations, use the following commands, starting in global configuration mode:

Step 1
  Command: Router(config)# crypto map map-name seq-num ipsec-manual
  Purpose: Specifies the crypto map entry to create (or modify). This command puts you into the crypto map configuration mode.

Step 2
  Command: Router(config-crypto-m)# match address access-list-id
  Purpose: Names an IPSec access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry. (The access list can specify only one permit entry when IKE is not used.)

Step 3
  Command: Router(config-crypto-m)# set peer {hostname | ip-address}
  Purpose: Specifies the remote IPSec peer. This is the peer to which IPSec protected traffic should be forwarded. (Only one peer can be specified when IKE is not used.)

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-10

OL-9129-02

 

 
