
Cisco CCNP Certification Exam Training:

Configuring Crypto Access Lists On Cisco Routers

By Chris Bryant, CCIE #12933

Network security is an important part of the CCNP certification track, and even more important for today's networks. Let's take a look at how to configure crypto access-lists on Cisco routers.

Crypto ACLs are used to define the traffic that is protected by IPSec.  While most of the Crypto ACLs you write will be configured to affect outbound traffic, they can also be configured to affect inbound traffic.  Outbound crypto ACLs identify the traffic to be secured by IPSec, and traffic not named by the crypto ACL will be sent in clear text.

[Figure: IPSecurity]

Inbound crypto ACLs can identify traffic that should have been protected by IPSec, but wasn't.  Such traffic can be discarded.

[Figure: Inbound Crypto Lists]

Extended ACLs will serve as Crypto ACLs, but the results differ.  With Extended ACLs, matched traffic is permitted and unmatched traffic denied (by the implicit deny).  With Crypto ACLs, matched traffic is encrypted and unmatched traffic is unencrypted but still transmitted.

If an inbound Crypto ACL is configured, traffic that matches the ACL but arrives unprotected is dropped - simply because it's unprotected.

From personal experience, I can tell you that the hardest part of writing Crypto ACLs for IPSec peers is making sure they're symmetrical.  Let's use the following network to show you what I mean.

[Figure: Ethernet Segment]

To have traffic on R1's ethernet segment protected by IPSec if it's destined for the ethernet segment on R2, R1's ACL will look like this:

access-list 123 permit ip 172.10.1.0 0.0.0.255 172.10.5.0 0.0.0.255

For traffic on R2's ethernet segment to be protected by IPSec if it's destined for the ethernet segment on R1, R2's ACL will look like this:

access-list 123 permit ip 172.10.5.0 0.0.0.255 172.10.1.0 0.0.0.255

When you're configuring IPSec and concentrating on the many details we've discussed in this chapter, it's really easy to write the same ACL on both routers.  Whether it's on the exam or on a production network, double-check your ACLs - if they're the same, there is a problem.
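The symmetry check above is easy to automate. The following is an added example, not part of the original article: a small Python script that parses the numbered crypto ACL out of each peer's configuration and confirms that every source/destination pair on one router appears reversed on the other. The configs R1_CONFIG, R2_CONFIG and R2_CONFIG_WRONG are constructed samples; the last one reproduces the "same ACL on both routers" mistake.

```python
import re
from ipaddress import IPv4Network

# Constructed sample configs for the two IPSec peers (not captured from real devices).
R1_CONFIG = """
access-list 123 permit ip 172.10.1.0 0.0.0.255 172.10.5.0 0.0.0.255
"""
R2_CONFIG = """
access-list 123 permit ip 172.10.5.0 0.0.0.255 172.10.1.0 0.0.0.255
"""
# The common mistake: R1's ACL pasted onto R2 unchanged.
R2_CONFIG_WRONG = R1_CONFIG

# Only the 'access-list N permit ip SRC WILD DST WILD' form used in the article is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<swild>\S+)\s+(?P<dst>\S+)\s+(?P<dwild>\S+)\s*$"
)


def parse_crypto_acl(config, acl_number):
    """Return the set of (source, destination) networks named by one numbered ACL.
    IOS wildcard masks are host masks, which ipaddress accepts directly after a '/'
    (contiguous wildcards only; a non-contiguous wildcard raises ValueError)."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group("num")) == acl_number:
            src = IPv4Network(f"{m['src']}/{m['swild']}", strict=False)
            dst = IPv4Network(f"{m['dst']}/{m['dwild']}", strict=False)
            pairs.add((src, dst))
    return pairs


def crypto_acls_are_mirrored(local_config, remote_config, acl_number):
    """True when each (src, dst) pair on the local peer is (dst, src) on the remote peer.
    An empty ACL is reported as not mirrored, since nothing would be protected."""
    local = parse_crypto_acl(local_config, acl_number)
    remote = parse_crypto_acl(remote_config, acl_number)
    mirrored_remote = {(dst, src) for (src, dst) in remote}
    return bool(local) and local == mirrored_remote


if __name__ == "__main__":
    print("R1/R2 mirrored:", crypto_acls_are_mirrored(R1_CONFIG, R2_CONFIG, 123))
    print("R1/R2 (copied ACL) mirrored:",
          crypto_acls_are_mirrored(R1_CONFIG, R2_CONFIG_WRONG, 123))
```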

Once the Crypto ACLs are written, it's time to apply them to the appropriate interfaces.  That's just one purpose of a Crypto Map.  Let's look at the basic command to write a Crypto Map along with some options, courtesy of IOS Help.

R3(config)#crypto map CCNP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map

R3(config)#crypto map CCNP 100 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

R3(config)#crypto map CCNP 100 ipsec-isakmp ?
  dynamic  Enable dynamic crypto map support
  profile  Enable crypto map as a crypto-profile
  <cr>

R3(config)#crypto map CCNP 100 ipsec-isakmp
R3(config-crypto-map)#

We've successfully created a crypto map named CCNP, sequence number 100, that will use ISAKMP to establish the IPSec Security Associations.  We're now in crypto map configuration mode, where the ACL, peers, transform sets, and security association lifetime for this particular crypto map can be set.  Any SA lifetime value configured here overrides the globally configured value, but we'll leave that value alone for now.

R3(config)#crypto map CCNP 100 ipsec-isakmp
R3(config-crypto-map)#match address 123
R3(config-crypto-map)#set peer 172.12.12.1
R3(config-crypto-map)#set transform-set R3_TRANSFORM_SET
R3(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

The crypto map is applied to an interface with the crypto map command. You should see a message telling you that ISAKMP is on just a moment or two after configuring this command.

R3(config)#int s0/1
R3(config-if)#crypto map CCNP
R3(config-if)#
*Mar  1 04:10:12.260: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

This is just the beginning when it comes to securing Cisco routers and earning your CCNP certification. Never stop learning and always move forward when it comes to your networking education.

To your success,

Chris Bryant

CCIE #12933

chris@thebryantadvantage.com
