68-16
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter68 Configuring IKE, Load Balancing, and NAC
Configuring IPsec
IKE Negotiation Mode—Chooses the IKE negotiation mode, Main or Aggressive. This
parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode
that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is
faster, using fewer packets and fewer exchanges, but it does not protect the identity of the
communicating parties. Main Mode is slower, using more packets and more exchanges, but it
protects the identities of the communicating parties. This mode is more secure and it is the
default selection. If you choose Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—Choose the Diffie-Hellman group to apply. The choices are as follows:
Group 1 (768-bits), Group 2 (1024-bits), or Group 5 (1536-bits).
Modes
The following table shows the modes in which this feature is available:
Creating IPsec Rule/Traffic Selection Tab
This pane lets you define what traffic to protect (permit) or not protect (deny).
Fields
Action—Specify the action for this rule to take. The selections are protect and do not protect.
Source—Specify the IP address, network object group or interface IP address for the source host or
network. A rule cannot use the same address as both the source and destination. Click ... to launch
the Browse Source dialog box that contains the following fields:
Add/Edit—Choose IP Address or Network Object Group to add more source addresses or
groups.
Delete—Click to delete an entry.
Filter—Enter an IP Address to filter the results displayed.
Name—Indicates that the parameters that follow specify the name of the source host or network.
IP Address—Indicates that the parameters that follow specify the interface, IP address, and
subnet mask of the source host or network.
Netmask—Chooses a standard subnet mask to apply to the IP address. This parameter appears
when you choose the IP Address option button.
Description—Enter a description.
Selected Source—Click Source to include the selected entry as a source.
Destination—Specify the IP address, network object group or interface IP address for the
destination host or network. A rule cannot use the same address as both the source and destination.
Click ... to launch the Browse Destination dialog box that contains the following fields:
Add/Edit—Choose IP Address or Network Object Group to add more destination addresses or
groups.
Delete—Click to delete an entry.
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)
——
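The Traffic Selection tab above defines per-rule protect / do not protect actions on source and destination addresses. The following is an added example, not part of the Cisco guide or ASA code, that models those rules in Python: it enforces the guide's constraint that a rule cannot use the same address as both source and destination, and evaluates rules in order with first match winning and unmatched traffic left unprotected (both ordering and default are assumptions of this example, not statements from the guide). Addresses and masks are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions offered on the Traffic Selection tab.
PROTECT = "protect"
DO_NOT_PROTECT = "do not protect"


@dataclass(frozen=True)
class IPsecRule:
    action: str
    source: object       # ipaddress network built from IP Address + Netmask
    destination: object

    def __post_init__(self):
        if self.action not in (PROTECT, DO_NOT_PROTECT):
            raise ValueError(f"unknown action: {self.action}")
        # Constraint from the guide: a rule cannot use the same address
        # as both the source and the destination.
        if self.source == self.destination:
            raise ValueError("source and destination must differ")

    def matches(self, src, dst):
        return src in self.source and dst in self.destination


def make_rule(action, source, netmask, destination, dest_netmask):
    """Build a rule from the IP Address and Netmask fields (dotted masks accepted)."""
    return IPsecRule(action,
                     ip_network(f"{source}/{netmask}", strict=False),
                     ip_network(f"{destination}/{dest_netmask}", strict=False))


def decide(rules, src, dst):
    """First-match evaluation (assumed); traffic matching no rule is not protected."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return DO_NOT_PROTECT


# Constructed sample policy: exempt one subnet pair, then protect the wider
# networks. The narrower "do not protect" rule must come first to take effect.
EXAMPLE_RULES = [
    make_rule(DO_NOT_PROTECT, "10.1.1.0", "255.255.255.0", "10.2.2.0", "255.255.255.0"),
    make_rule(PROTECT, "10.1.0.0", "255.255.0.0", "10.2.0.0", "255.255.0.0"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "10.2.2.9"), ("10.1.5.5", "10.2.9.9")]:
        print(f"{src} -> {dst}: {decide(EXAMPLE_RULES, src, dst)}")
```

Swapping the two rules in EXAMPLE_RULES makes the exemption unreachable, which is the ordering mistake this model is meant to make visible.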