Sample Security Policy Configuration

The following formatted extracts from show running-config ACLI output show three associated security policies.

The first policy, and the one with the highest priority, opens Port 5060 for SIP traffic.

security-policy
name                           pol1
network-interface              M10:0.6
priority                       0
local-ip-addr-match            3fff:c0ac::c0ac:ce12
remote-ip-addr-match           ::
local-port-match               5060
remote-port-match              0
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ::
remote-ip-mask                 ::
action                         allow
ike-sainfo-name
outbound-sa-fine-grained-mask
    local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    local-port-mask                65535
    remote-port-mask               65535
    trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:48:59

The second policy opens Port 4444 for CCP traffic.

security-policy
name                           pol2
network-interface              M10:0.6
priority                       2
local-ip-addr-match            3fff:b623::b623:ce02
remote-ip-addr-match           3fff:b623::b623:ce01
local-port-match               4444
remote-port-match              4444
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
action                         allow
ike-sainfo-name
outbound-sa-fine-grained-mask
    local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    local-port-mask                65535
    remote-port-mask               65535
    trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:49:15

The third policy, which has the lowest priority and is therefore applied last, requires IPsec on all ports.

security-policy
name                           pol3
network-interface              M10:0.6
priority                       10
local-ip-addr-match            3fff:c0ac::c0ac:ce12
remote-ip-addr-match           ::
local-port-match               0
remote-port-match              0
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ::
action                         ipsec
ike-sainfo-name
outbound-sa-fine-grained-mask
    local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    local-port-mask                65535
    remote-port-mask               65535
    trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:50:42
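The following added example (not part of the original ACLI output or of the device's own code) models how the three policies above are evaluated in priority order, so that a reviewer can check which traffic each policy catches and, importantly, which traffic falls through all three. It assumes that the address masks are applied as a bitwise AND (so an all-zero mask of :: matches any address), that a port match of 0 means any port, and that a lower priority value is evaluated first; the transport protocol and direction fields are ignored since all three policies use ALL and both.

```python
import ipaddress

# Constructed from the three policies in the extract above. Only the fields the
# match decision uses are kept; the nested outbound-sa-fine-grained-mask block
# selects the SA and is not part of policy matching, so it is omitted here.
FULL = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
POLICIES = [
    dict(name="pol1", priority=0, local="3fff:c0ac::c0ac:ce12", local_mask="::",
         remote="::", remote_mask="::", lport=5060, rport=0, action="allow"),
    dict(name="pol2", priority=2, local="3fff:b623::b623:ce02", local_mask=FULL,
         remote="3fff:b623::b623:ce01", remote_mask=FULL,
         lport=4444, rport=4444, action="allow"),
    dict(name="pol3", priority=10, local="3fff:c0ac::c0ac:ce12", local_mask=FULL,
         remote="::", remote_mask="::", lport=0, rport=0, action="ipsec"),
]


def _addr_matches(addr, match, mask):
    """Assumed semantics: compare under a bitwise AND with the mask, so an
    all-zero mask (::) matches any address."""
    a, m, k = (int(ipaddress.IPv6Address(x)) for x in (addr, match, mask))
    return a & k == m & k


def _port_matches(port, match):
    """Assumed semantics: a port match of 0 is a wildcard."""
    return match == 0 or port == match


def select_policy(policies, local_ip, remote_ip, local_port, remote_port):
    """Return (name, action) of the first matching policy, lowest priority
    value first, or None when no policy covers the flow."""
    for p in sorted(policies, key=lambda p: p["priority"]):
        if (_addr_matches(local_ip, p["local"], p["local_mask"])
                and _addr_matches(remote_ip, p["remote"], p["remote_mask"])
                and _port_matches(local_port, p["lport"])
                and _port_matches(remote_port, p["rport"])):
            return p["name"], p["action"]
    return None


if __name__ == "__main__":
    # Constructed flows: SIP to the local address, CCP between the two hosts,
    # and an unrelated port on the second local address, which no policy covers.
    print(select_policy(POLICIES, "3fff:c0ac::c0ac:ce12", "2001:db8::1", 5060, 40000))
    print(select_policy(POLICIES, "3fff:b623::b623:ce02", "3fff:b623::b623:ce01", 4444, 4444))
    print(select_policy(POLICIES, "3fff:c0ac::c0ac:ce12", "2001:db8::1", 80, 12345))
    print(select_policy(POLICIES, "3fff:b623::b623:ce02", "2001:db8::1", 80, 12345))
```

Under these assumptions pol3 only mandates IPsec for traffic to 3fff:c0ac::c0ac:ce12; a flow to 3fff:b623::b623:ce02 on a port other than 4444 matches none of the three policies, which is the kind of gap worth checking when reading a policy set.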