68-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter68 Configuring IKE, Load Balancing, and NAC
Configuring IPsec
Source—Indicates the IP addresses that are subject to this rule when traffic is sent to the IP
addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail
button), an address column might contain an interface name with the word any, such as
inside:any. any means that any host on the inside interface is affected by the rule.
Destination—Lists the IP addresses that are subject to this rule when traffic is sent from the IP
addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the
Show Detail button), an address column might contain an interface name with the word any,
such as outside:any. any means that any host on the outside interface is affected by the rule.
Also in detail mode, an address column might contain IP addresses in square brackets, for
example, [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an
inside host makes a connection to an outside host, the ASA maps the inside host's address to an
address from the pool. After a host creates an outbound connection, the ASA maintains this
address mapping. This address mapping structure is called an xlate, and remains in memory for
a period of time.
Service—Specifies the service and protocol specified by the rule (TCP, UDP, ICMP, or IP).
Action—Specifies the type of IPsec rule (protect or do not protect).
Transform Set—Displays the transform set for the rule.
Peer—Identifies the IPsec peer.
PFS—Displays perfect forward secrecy settings for the rule.
NAT-T Enabled—Indicates whether NAT Traversal is enabled for the policy.
Reverse Route Enabled—Indicates whether Reverse Route Injection is enabled for the policy.
Connection Type—(Meaningful only for static tunnel policies.) Identifies the connection type for
this policy as bidirectional, originate-only, or answer-only).
SA Lifetime—Displays the SA lifetime for the rule.
CA Certificate—Displays the CA certificate for the policy. This applies to static connections only.
IKE Negotiation Mode—Displays whether IKE negotiations use main or aggressive mode.
Description—(Optional) Specifies a brief description for this rule. For an existing rule, this is the
description you typed when you added the rule. An implicit rule includes the following description:
“Implicit rule.” To edit the description of any but an implicit rule, right-click this column, and
choose Edit Description or double-click the column.
Enable Anti-replay window size—Sets the anti-replay window size, between 64 and 1028 in
multiples of 64. One side-effect of priority queueing in a hierarchical QoS policy with traffic
shaping (see the “Rule Actions > QoS Tab”) is packet re-ordering. For IPsec packets, out-of-order
packets that are not within the anti-replay window generate warning syslog messages. These
warnings becomes false alarms in the case of priority queueing. Configuring the anti-replay pane
size helps you avoid possible false alarms.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
——