SROS Command Line Interface Reference Guide Frame Relay Sub-Interface Config Command Set

Interfaces (Ethernet, Frame Relay, PPP, local)

Static Filter

(in)

IPSec

Decrypt/Discard

NAT/ACP/

Firewall

Router

Static Filter

(out)

IPSec

Encrypt

As shown in the diagram above, data coming into the product is first processed by the static filter associated with the interface on which the data is received. This access-group is a true static filter and is available for use regardless of whether the firewall is enabled or disabled. Next (if the data is encrypted) it is sent to the IPSec engine for decryption. The decrypted data is then processed by the stateful inspection firewall. Therefore, given a terminating VPN tunnel, only un-encrypted data is processed by the firewall.

The ACLs for a crypto map on an interface work in reverse logic to the ACLs for a policy-class on an interface. When specifying the ACLs for a crypto map, the source information is the private local-side, un-encrypted source of the data. The destination information will be the far-end, un-encrypted destination of the data. However, ACLs for a policy-class work in reverse. The source information for the ACL in a policy-class is the far-end. The destination information is the local-side.

Usage Examples

The following example applies all crypto maps with the name MyMap to the frame-relay interface:

(config-fr 1.16)#crypto map MyMap

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.

602

Page 602
Image 602
HP 7000 dl Router manual Copyright 2005 Hewlett-Packard Development Company, L.P 602