Symmetrical ACLs


As you might have guessed from the preceding discussion of inbound and outbound traffic, the crypto ACLs that you configure on both IPSec peers are critical to a successful IPSec implementation. Because the router uses crypto ACLs to evaluate both inbound and outbound traffic, the ACLs on the two IPSec peers must be symmetric. By using the same IP addresses, port numbers, and protocols in the crypto ACL entries on both IPSec peers, you ensure that the router does not discard traffic it should forward and that it decrypts the protected traffic it receives.

Configuring Crypto ACLs

Let's look at an example using symmetrical crypto access lists. The two IPSec peers are Ping and Pong. The organization's security policy states that all LAN-to-LAN traffic must be encrypted if it is either UDP or TCP. The Ping LAN is 10.1.100.0/24, and the Pong LAN is 10.2.200.0/24.

Here are the symmetric crypto ACLs for both the Ping and Pong routers:

    Ping(config)# access-list 101 permit tcp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255
    Ping(config)# access-list 101 permit udp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255

    Pong(config)# access-list 195 permit tcp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255
    Pong(config)# access-list 195 permit udp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255

Note that each Pong entry is the mirror image of a Ping entry: the protocol is the same, and the source and destination networks are swapped.
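The mirror-image property above is easy to get wrong when an ACL has many entries, so here is an added example (not from the book) that parses simple Cisco-style permit entries and reports any entry on one peer whose mirror is missing on the other. The parser handles only the "access-list N permit proto src wc dst wc" form shown in the text; the sample lists are constructed from the Ping/Pong example, plus a Pong variant that omits the UDP line.

```python
import re

# Matches "access-list <n> permit <proto> <src> <src-wildcard> <dst> <dst-wildcard>"
# (the simple form used in the Ping/Pong example; other ACE forms are ignored).
ACE_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+(\w+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

def parse_acl(lines):
    """Return a set of (proto, src, src_wc, dst, dst_wc) tuples from ACL lines."""
    entries = set()
    for line in lines:
        m = ACE_RE.search(line)
        if m:
            entries.add(m.groups())
    return entries

def mirror(entry):
    """Swap source and destination: the entry the remote peer must carry."""
    proto, src, src_wc, dst, dst_wc = entry
    return (proto, dst, dst_wc, src, src_wc)

def check_symmetry(local_lines, remote_lines):
    """Return (is_symmetric, missing_on_remote, missing_on_local).
    missing_on_remote: mirrored local entries the remote ACL lacks.
    missing_on_local: mirrored remote entries the local ACL lacks."""
    local = parse_acl(local_lines)
    remote = parse_acl(remote_lines)
    expected_remote = {mirror(e) for e in local}
    missing_on_remote = expected_remote - remote
    missing_on_local = {mirror(e) for e in remote - expected_remote}
    return (not missing_on_remote and not missing_on_local,
            missing_on_remote, missing_on_local)

# Constructed sample input: the Ping/Pong ACLs from the text.
PING_ACL = [
    "access-list 101 permit tcp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255",
    "access-list 101 permit udp 10.1.100.0 0.0.0.255 10.2.200.0 0.0.0.255",
]
PONG_ACL = [
    "access-list 195 permit tcp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255",
    "access-list 195 permit udp 10.2.200.0 0.0.0.255 10.1.100.0 0.0.0.255",
]
PONG_ACL_BROKEN = PONG_ACL[:1]  # constructed: UDP entry forgotten on Pong

if __name__ == "__main__":
    ok, missing_remote, _ = check_symmetry(PING_ACL, PONG_ACL_BROKEN)
    print("symmetric:", ok)
    for e in sorted(missing_remote):
        print("Pong lacks mirror of:", e)
```

With the broken Pong list, the check reports the missing UDP mirror; that is the entry whose absence would make Pong drop Ping's UDP traffic instead of decrypting it.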


Source: CCSP SECUR Exam Cram 2 (642-501)
Author: Raman Sud
Year: 2003
Pages: 291
