Configuring Crypto Access Lists


The first stage in the process of IPsec configuration (or creating an SPD, in terms of the first section of this chapter) is specifying traffic selectors for IPsec. Selectors define which traffic will be protected by IPsec; to be precise, they define the scope of the SAs that are created by IKE Phase 2. These selectors are defined using the access-list command. Crypto access lists are applied to the interface using a crypto map command instead of access-group. It is possible to apply several crypto access lists to one interface (one per crypto map entry) in order to specify different parameters for different types of traffic. Actions in access list entries have the following meaning:

 Permit This means that IPsec should be applied to the matching traffic.

 Deny This means that the packet should be forwarded in the clear and IPsec not applied.

www.syngress.com

Configuring Virtual Private Networking • Chapter 7 363

The following access list entry on PIX1 will match all IP traffic from the inside network (192.168.2.0/24) leaving the outside interface to be tunneled to PIX2 (192.168.3.0/24), and the returning tunneled IP traffic from 192.168.3.0/24 to 192.168.2.0/24:

access-list crypto1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

A packet from 192.168.2.3 to 192.168.3.4 will be matched by access list crypto1 and submitted to the IPsec engine. A packet from 192.168.2.3 to www.cisco.com will not be matched and is therefore transmitted in the clear. Similarly, with return traffic, if an IPsec packet arrives and after decapsulation turns out to be from 192.168.3.4 to 192.168.2.3, it will be matched by the same access list (evaluated with source and destination swapped) and forwarded to 192.168.2.3. If the decapsulated packet turns out to come from www.cisco.com, it will not be matched and will therefore be dropped, because the policy never authorized that traffic to arrive inside the tunnel. Any clear-text packets from www.cisco.com will not match the crypto access list at all and pass through as ordinary, unprotected traffic, subject to the interface's normal access rules.

When the first permit entry in an access list is matched, that entry defines the scope of the SA that will be created for the traffic's protection. For example, in our case all traffic from network 192.168.2.0/24 to network 192.168.3.0/24 will be protected by the same SA (strictly, the same pair of SAs, since IPsec SAs are unidirectional). Let's assume that you create an access list on PIX1 using the following command set:

access-list crypto2 permit ip 192.168.2.0 255.255.255.128 192.168.3.0 255.255.255.0

access-list crypto2 permit ip 192.168.2.128 255.255.255.128 192.168.3.0 255.255.255.0

In this case, the traffic originating from 192.168.2.0/25 and the traffic from 192.168.2.128/25 will be protected by two different IPsec SAs, even though both are destined for the same remote network.
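The selection rules just described, as an added example that is not from the book: a small simulator of how a crypto access list classifies outbound packets, how the same list is checked in mirror image against decapsulated return traffic, and how the matching entry determines which SA a packet belongs to. The addresses are the ones used in the text; the numeric stand-in for www.cisco.com (203.0.113.10) is an assumption, since the book gives no address for it.

```python
# Added example, not from the book: simulates PIX crypto access list selection.
# 203.0.113.10 stands in for www.cisco.com (constructed; the book gives no address).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One crypto access list entry: action, source network, destination network."""
    action: str                      # "permit" -> apply IPsec, "deny" -> send in the clear
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address term: 'host A.B.C.D', 'any', or 'A.B.C.D MASK'.
    PIX access lists use real subnet masks, not wildcard masks."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny ip SRC DST' exactly as typed on the PIX."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _network(tok, 4)
    dst, _ = _network(tok, i)
    return Ace(tok[2], src, dst)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[int]:
    """Index of the first entry containing both addresses, or None if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return idx
    return None


def outbound(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Outbound decision: ('ipsec', index of the entry whose scope defines the SA)
    or ('clear', None) when no entry matches or the first match is a deny."""
    idx = first_match(acl, src, dst)
    if idx is None or acl[idx].action == "deny":
        return ("clear", None)
    return ("ipsec", idx)


def inbound_decapsulated(acl: List[Ace], src: str, dst: str) -> str:
    """After decapsulation the inner packet is checked against the mirror image of the
    same list (ends swapped). Traffic the policy would never have encrypted is dropped."""
    idx = first_match(acl, dst, src)
    if idx is None or acl[idx].action == "deny":
        return "drop"
    return "forward"


CRYPTO1 = [parse_ace("access-list crypto1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0")]
CRYPTO2 = [parse_ace("access-list crypto2 permit ip 192.168.2.0 255.255.255.128 192.168.3.0 255.255.255.0"),
           parse_ace("access-list crypto2 permit ip 192.168.2.128 255.255.255.128 192.168.3.0 255.255.255.0")]
INTERNET_HOST = "203.0.113.10"   # constructed stand-in for www.cisco.com

if __name__ == "__main__":
    print(outbound(CRYPTO1, "192.168.2.3", "192.168.3.4"))               # ('ipsec', 0)
    print(outbound(CRYPTO1, "192.168.2.3", INTERNET_HOST))               # ('clear', None)
    print(inbound_decapsulated(CRYPTO1, "192.168.3.4", "192.168.2.3"))   # forward
    print(inbound_decapsulated(CRYPTO1, INTERNET_HOST, "192.168.2.3"))   # drop
    # crypto2: the two /25 entries place the same destination under two different SAs
    print(outbound(CRYPTO2, "192.168.2.3", "192.168.3.4"))               # ('ipsec', 0)
    print(outbound(CRYPTO2, "192.168.2.200", "192.168.3.4"))             # ('ipsec', 1)
```

The entry index returned by outbound() is the point of the crypto2 case: two hosts on the same inside network bound for the same remote network land on different entries, and therefore on different SAs, purely because the selectors split the /24 into two /25s.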

Let's now return to our earlier example and configure the firewalls with access lists:

PIX1(config)# access-list crypto1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

PIX2(config)# access-list crypto2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

Note that the list on PIX2 is the mirror image of the one on PIX1; the selectors on the two peers must mirror each other, or the IKE Phase 2 negotiation will fail. We are not applying these lists yet. This will be done later using a crypto map command.



NOTE

Source addresses in crypto access lists should be the same as they appear on the firewall's outside interface. If NAT is used to translate some of the internal addresses, the global IP addresses must be stated as the access list source, not the local IP addresses, because translation takes place before the crypto access list is evaluated on the outbound path. For example, let's assume that the host 192.168.2.25 on the inside interface of PIX1 is translated to 12.23.34.55 on the outside by the following command:

static (inside,outside) 12.23.34.55 192.168.2.25 netmask 255.255.255.255 0 0

In this case, an access list entry allowing IPsec for this host only should look like:

access-list crypto1 permit ip host 12.23.34.55 192.168.3.0 255.255.255.0