For more information, see Understanding NAT | 3D Innovations 3.0.1

Appendix B Site-to-Site VPN User Interface Reference

		Site to Site VPN Policies
Table B-23	Easy VPN IPSec Proposal Page (continued)

Element		Description

Enable RRI		Supported on Cisco IOS routers, PIX 7.0 and ASA devices.
		When selected (the default), enables Reverse Route Injection (RRI)
		on the crypto map (static or dynamic) for the support of VPN
		clients.
		Reverse Route injection (RRI) ensures that a static route is created
		on a device for each client internal IP address.
		Deselect this check box if the crypto map is being applied to a
		Generic Routing Encapsulation (GRE) tunnel that is already being
		used to distribute routing information.
		Reverse Route Injection (RRI) learns all the subnets from any
		network that is defined in a crypto access control list (ACL) as the
		destination network. The learned routes are installed into the local
		routing table as static routes that point to the encrypted interface.
		When the IPSec tunnel is removed, the associated static routes will
		be removed. These static routes may then be redistributed into other
		dynamic routing protocols, so that they can be advertised to other
		parts of the network (usually done by redistributing RRI routes into
		dynamic routing protocols on the core side).
		Note Security Manager automatically configures RRI on devices
		with High Availability (HA), or on the IPSec Aggregator
		when VRF-Aware IPSec is configured.

Enable Network Address		Supported on PIX 7.0 and ASA devices.
Translation		When selected, enables you to configure Network Address

		Translation (NAT) on a device.
		NAT enables devices that use internal IP addresses to send and
		receive data through the Internet. Private NAT addresses are
		converted to globally routable IP addresses when they try to access
		data on the Internet.
		For more information, see Understanding NAT, page 9-70.

		User Guide for Cisco Security Manager 3.0.1
		User Guide for Cisco Security Manager 3.0.1
	OL-8214-02			B-71
	OL-8214-02			B-71

Image 71

3D Innovations 3.0.1 appendix For more information, see Understanding NAT

Contents

Site-to-Site VPN User Interface Reference Working with VPN Topologies, Understanding VPN Topologies, B-37 VPN SummaryB-3 and Peers Page, page B-7 Configuring IPSec Proposals, Configuring High Availability in Your VPN Topology,Configuring VRF-Aware IPSec Settings, Configuring an IKE Proposal, B-53 Understanding IPSec Technologies and Policies,Topology. See IKE Proposal Page, page B-37 See IPSec Proposal Page, page B-39 IPSec Tab, page B-28 See GRE Modes Page, page B-59High Availability Page, page B-34 Managing VPN Devices in Device View, Peers Topology. See Device Selection Page, page B-10 Create VPN Wizard Name and Technology B-10 Device SelectionEditing a VPN Topology, Defining a Name and IPSec Technology, Navigation Path Page, page B-9 Endpoints See VPN Interface Tab, page B-17 B-34 Tab, page B-24See Edit Endpoints Dialog Box, page B-16 Edit Endpoints Dialog Box VPN Interface Tab Information, see Interface Roles Page, page C-126 Procedure for Configuring a Vpnsm or VPN SPA Blade, More information, see Interface Roles Page, page C-126 IP Address for IPSec Termination -To enter manually the IP Cisco IOS Routers, More information, see Configuring Dialer Interfaces on Box, page B-32 Defining VPN Services Module Vpnsm or VPN SPA Settings VPN SPA Blade, For more information, see Adding VPN SPA Slot Locations IP Address for IPSec Termination-To enter manually the IP Protected Networks Tab Table B-9 Edit Endpoints Dialog Box Protected Networks Tab Information, see Editing Network/Host Objects, More information, see Editing Access Control List ObjectsFwsm Tab More information, see Editing Interface Role Objects, Table B-10 Edit Endpoints Dialog Box Fwsm Tab For more information, see Interface Roles Page, page C-126 VRF Aware IPSec Tab Table B-11 Edit Endpoints Dialog Box VRF Aware IPSec Tab IPSec Two-Box Solution, Solution, Routers C-126 Summary page. See VPN Summary Page, page B-3 Dial Backup Settings Dialog Box Table B-12 Dial Backup Settings Dialog Box High Availability Table B-13 Create VPN wizard High Availability For more information, see Enabling Stateful Failover, Policy configured. See VPN Summary Page, page B-3 IKE Proposal Site to Site VPN Policies More information, see IKE Proposal Dialog Box, page C-123 Site-to-Site VPN Policies in Policy View,Understanding Preshared Key Policies, C-123 IPSec ProposalIKE, For more information, see About Crypto Maps, Shared Site-to-Site VPN Policies in Policy View, For more information, see About Transform Sets, IPSec Transform Sets Page, page C-130 To Use, Element Description ISAKMP/IPSec Settings Tab VPN Global Settings For more information, see About IKE Keepalive, Configuring VPN Global Settings, See Understanding IKE, Appendix B Site-to-Site VPN User Interface Reference VPN Global Settings Page, page B-44 Understanding NAT, NAT Settings Tab NAT, For more information, see About NAT Traversal, General Settings Tab For more information, see Understanding Fragmentation Select the required setting for the DF bit Preshared Key Table B-19 Preshared Key Element Description Negotiation Method Public Key Infrastructure Attributes, Working with PKI Enrollment Objects,C-140 GRE Modes FlexConfig see Working with FlexConfigs, Table B-21 GRE Modes Page GRE or GRE Dynamic IP Policy GRE?, OL-8214-02 Configuring Cisco IOS Router Interfaces, OL-8214-02 For more information, see Prerequisites for Successful Configuration of GRE, Element Description Preshared Key Policies, Interfaces, For more information, see Configuring Cisco IOS Router Easy VPN IPSec Proposal Understanding Easy VPN, For more information, see Understanding NAT, More information, see Working with AAA Server Group Objects Device Access Policies,Group Objects, For more information, see Editing User Group Objects, User Group PolicyWorking with User Group Objects, Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy General Tab For more information, see Working with ASA User Groups Client Address Assignment Network/Host Objects, Tunnel Group Policy IPSec Tab For more information, see Supported AAA Server Types Tunnel Group Policy Advanced Tab More information, see Working with Interface Role Objects Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy Client VPN Software Update Tab Client Connection Characteristics Table B-29 Easy VPN Remote Client Connection Characteristics Working with Site-to-Site VPN Policies, About Locking in Site-to-Site VPN Topologies, For more information, see Deleting a VPN Topology, See Site to Site VPN Policies, page B-37For more information, see About Editing a VPN Topology OL-8214-02 OL-8214-02