B-71
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Site to Site VPN Policies
Enable RRI
Supported on Cisco IOS routers, PIX 7.0 and ASA devices.
When selected (the default), enables Reverse Route Injection (RRI)
on the crypto map (static or dynamic) for the support of VPN
clients.
Reverse Route Injection (RRI) ensures that a static route is created
on a device for each client internal IP address.
Deselect this check box if the crypto map is being applied to a
Generic Routing Encapsulation (GRE) tunnel that is already being
used to distribute routing information.
Reverse Route Injection (RRI) learns all the subnets from any
network that is defined in a crypto access control list (ACL) as the
destination network. The learned routes are installed into the local
routing table as static routes that point to the encrypted interface.
When the IPSec tunnel is removed, the associated static routes will
be removed. These static routes may then be redistributed into other
dynamic routing protocols, so that they can be advertised to other
parts of the network (usually done by redistributing RRI routes into
dynamic routing protocols on the core side).
Note: Security Manager automatically configures RRI on devices
with High Availability (HA), or on the IPSec Aggregator
when VRF-Aware IPSec is configured.
Enable Network Address Translation
Supported on PIX 7.0 and ASA devices.
When selected, enables you to configure Network Address
Translation (NAT) on a device.
NAT enables devices that use internal IP addresses to send and
receive data through the Internet. Private NAT addresses are
converted to globally routable IP addresses when they try to access
data on the Internet.
For more information, see Understanding NAT, page 9-70.
Table B-23 Easy VPN IPSec Proposal Page (continued)
Element Description
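The Enable RRI description above says that the destination networks of a crypto ACL become static routes, which may then be redistributed. The following added example (not part of the Cisco guide or of Security Manager) previews those routes from constructed IOS-style ACL lines so they can be reviewed before the option is enabled; the function names are hypothetical and wildcard masks are assumed to be contiguous.

```python
import ipaddress
import re

# Constructed sample input: crypto ACL entries in IOS-style syntax.
SAMPLE_ACL = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 host 10.30.5.9
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 permit gre host 192.0.2.1 host 198.51.100.1
"""

def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    prefix = 32 - wildcard.bit_length()  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{head}/{prefix}", strict=False)

def rri_routes(acl_text, acl_id):
    """Return (routes, warnings) that RRI would derive from crypto ACL acl_id."""
    routes, warnings = [], []
    for line in acl_text.splitlines():
        m = re.match(r"access-list (\S+) permit (\S+) (.+)", line.strip())
        if not m or m.group(1) != acl_id:
            continue
        proto, tokens = m.group(2), m.group(3).split()
        _take_addr(tokens)         # source network: not part of the route
        dest = _take_addr(tokens)  # destination network: becomes the static route
        if proto == "gre":
            # Per the page: leave RRI off when the GRE tunnel already carries routing.
            warnings.append(f"ACL {acl_id} matches GRE; check whether RRI is needed")
        if dest.prefixlen == 0:
            # By the page's description, 'any' as destination maps to 0.0.0.0/0.
            warnings.append(f"ACL {acl_id} destination 'any'; review before redistributing")
        if dest not in routes:
            routes.append(dest)
    return routes, warnings

if __name__ == "__main__":
    for acl in ("101", "102"):
        routes, warnings = rri_routes(SAMPLE_ACL, acl)
        print(acl, [str(r) for r in routes], warnings)
```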