Symmetrical ACLs

As you might have guessed from the preceding discussion regarding inbound and outbound traffic, the crypto ACLs that you configure on both IPSec peers are critical to a successful IPSec implementation. Because the router uses crypto ACLs to evaluate both inbound and outbound traffic, the ACLs on the two IPSec peers must be symmetrical. By using the same IP addresses, port numbers, and protocols in the crypto ACL entries on both IPSec peers, you ensure that the router does not discard traffic that it should protect and that it decrypts the protected traffic it receives.
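The symmetry requirement can be checked mechanically: each permit entry on one peer should appear on the other peer with source and destination (addresses and ports) swapped. The following Python checker is an added example, not code from the book; the two small ACLs for the peers Ping and Pong are constructed for illustration, and the parser only understands the `permit <proto> <src> [eq <port>] <dst> [eq <port>]` form with `any`, `host` and address/wildcard operands.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One permit line of a Cisco extended (crypto) ACL, normalised to CIDR form."""
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str


def _network(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i]; return (cidr, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False)), i + 2


def _port(tokens, i):
    """Optional 'eq <port>' qualifier; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return "any", i


def parse_entry(line):
    """Parse one ACL line; deny lines select no traffic for IPsec and are ignored (None)."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    i = tokens.index("permit") + 1
    proto, i = tokens[i], i + 1
    src, i = _network(tokens, i)
    src_port, i = _port(tokens, i)
    dst, i = _network(tokens, i)
    dst_port, i = _port(tokens, i)
    return AclEntry(proto, src, src_port, dst, dst_port)


def mirror(entry):
    """The entry the other peer needs: source and destination swapped."""
    return AclEntry(entry.proto, entry.dst, entry.dst_port, entry.src, entry.src_port)


def asymmetric_entries(local_acl, remote_acl):
    """Return local permit entries whose mirror image is missing from the remote crypto ACL."""
    remote = {parse_entry(line) for line in remote_acl} - {None}
    return [e for e in map(parse_entry, local_acl) if e and mirror(e) not in remote]


# Constructed sample ACLs: Pong's second line uses the whole subnet instead of host 10.1.1.5.
PING_ACL = [
    "access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
    "access-list 110 permit tcp host 10.1.1.5 10.2.2.0 0.0.0.255 eq 443",
]
PONG_ACL = [
    "access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 120 permit tcp 10.2.2.0 0.0.0.255 eq 443 10.1.1.0 0.0.0.255",
]

if __name__ == "__main__":
    for bad in asymmetric_entries(PING_ACL, PONG_ACL):
        print("Ping entry has no mirror on Pong:", bad)
```

Run the check in both directions (Ping against Pong and Pong against Ping); an empty result both ways means the crypto ACLs are mirror images.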

Configuring Crypto ACLs

Let's look at an example using symmetrical crypto access lists. The two IPSec peers are Ping and Pong. The organization's security policy states ...
