64-24
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring IPsec
Figure64-2 Cascading ACLs in a Crypto Map Set
Security Appliance A evaluates a packet originating from Host A.3 until it matches a permit ACE and
attempts to assign the IPsec security associated with the crypto map. Whenever the packet matches a
deny ACE, the ASA ignores the remaining ACEs in the crypto map and resumes evaluation against the
next crypto map, as determined by the sequence number assigned to it. So in the example, if Security
Appliance A receives a packet from Host A.3, it matches the packet to a deny ACE in the first crypto
map and resumes evaluation of the packet against the next crypto map. When it matches the packet to
the permit ACE in that crypto map, it applies the associated IPsec security (strong encryption and
frequent rekeying).
143513
Crypto Map 1
Deny
A.3 B Deny
A.3 C
Permit
A B
Permit
A C
Apply IPSec assigned to Crypto Map 1
Crypto Map 2
Permit
A.3 B Permit
A.3 C
Apply IPSec
assigned to
Crypto Map 2
Route as clear text