Step 3: Create Crypto ACLs Using Extended Access Lists

• Define which IP traffic will be protected by crypto.

© 2004 Cisco Systems, Inc.

The crypto ACLs identify the traffic flows that should be protected. Extended IP ACLs select IP traffic to encrypt by using protocol, IP address, network, subnet, and port. Although the ACL syntax is unchanged from extended IP ACLs, the meanings are slightly different for crypto ACLs. That is, permit specifies that matching packets must be encrypted and deny specifies that matching packets must not be encrypted. Crypto ACLs behave similarly to an extended IP ACL that is applied to outbound traffic on an interface.

The command syntax and parameter definitions for the basic form of extended IP access lists are as follows:

access-list access-list-number { permit | deny } protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list access-list-number command parameters and their descriptions:

permit: Causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.

deny: Instructs the router to route traffic in the clear.

source and destination: These are networks, subnets, or hosts.

Note: Although the ACL syntax is unchanged, the meanings are slightly different for crypto ACLs. That is, permit specifies that matching packets must be encrypted and deny specifies that matching packets must not be encrypted.

Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto map entry that is flagged as IPSec will be dropped. This drop occurs because this traffic was expected to be protected by IPSec.

If you want certain traffic to receive one combination of IPSec protection (authentication only) and other traffic to receive a different combination (both authentication and encryption), create two different crypto ACLs to define the two different types of traffic. These different ACLs are then used in different crypto map entries that specify different IPSec policies.

Warning: Cisco recommends that you avoid using the any keyword to specify source or destination addresses. The permit any any statement is strongly discouraged because this will cause all outbound traffic to be protected and all protected traffic to be sent to the peer that is specified in the corresponding crypto map entry. Then, all inbound packets that lack IPSec protection will be silently dropped, including packets for routing protocols, NTP, echo, echo response, and so on.

Try to be as restrictive as possible when defining which packets to protect in a crypto ACL. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter out any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.

Later, in Step 4, you will associate a crypto ACL with a crypto map, which in turn is assigned to a specific interface.
