3D Innovations 3.0.1 appendix For more information, see Understanding NAT

Site to Site VPN Policies

Table B-23

Easy VPN IPSec Proposal Page (continued)

Element

Description

Enable RRI

Supported on Cisco IOS routers, PIX 7.0 and ASA devices.

When selected (the default), enables Reverse Route Injection (RRI)

on the crypto map (static or dynamic) for the support of VPN

clients.

Reverse Route injection (RRI) ensures that a static route is created

on a device for each client internal IP address.

Deselect this check box if the crypto map is being applied to a

Generic Routing Encapsulation (GRE) tunnel that is already being

used to distribute routing information.

Reverse Route Injection (RRI) learns all the subnets from any

network that is defined in a crypto access control list (ACL) as the

destination network. The learned routes are installed into the local

routing table as static routes that point to the encrypted interface.

When the IPSec tunnel is removed, the associated static routes will

be removed. These static routes may then be redistributed into other

dynamic routing protocols, so that they can be advertised to other

parts of the network (usually done by redistributing RRI routes into

dynamic routing protocols on the core side).

Note Security Manager automatically configures RRI on devices

with High Availability (HA), or on the IPSec Aggregator

when VRF-Aware IPSec is configured.

Enable Network Address

Supported on PIX 7.0 and ASA devices.

Translation

When selected, enables you to configure Network Address

Translation (NAT) on a device.

NAT enables devices that use internal IP addresses to send and

receive data through the Internet. Private NAT addresses are

converted to globally routable IP addresses when they try to access

data on the Internet.

For more information, see Understanding NAT, page 9-70.

User Guide for Cisco Security Manager 3.0.1

OL-8214-02

B-71