Sample Security Policy Configuration
The following formatted extracts from show running-config ACLI output show three associated security policies.
The first policy, and the one with the highest priority, opens Port 5060 for SIP traffic.
security-policy
        name                            pol1
        network-interface               M10:0.6
        priority                        0
        local-ip-addr-match             3fff:c0ac::c0ac:ce12
        remote-ip-addr-match            ::
        local-port-match                5060
        remote-port-match               0
        trans-protocol-match            ALL
        direction                       both
        local-ip-mask                   ::
        remote-ip-mask                  ::
        action                          allow
        ike-sainfo-name
        outbound-sa-fine-grained-mask
                local-ip-mask                   ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                remote-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                local-port-mask                 65535
                remote-port-mask                65535
                trans-protocol-mask             0
                valid                           enabled
                vlan-mask                       0xFFF
        last-modified-by                admin@console
        last-modified-date              2012-01-10 17:48:59
The second policy opens Port 4444 for CCP traffic.
security-policy
        name                            pol2
        network-interface               M10:0.6
        priority                        2
        local-ip-addr-match             3fff:b623::b623:ce02
        remote-ip-addr-match            3fff:b623::b623:ce01
        local-port-match                4444
        remote-port-match               4444
        trans-protocol-match            ALL
        direction                       both
        local-ip-mask                   ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        remote-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        action                          allow
        ike-sainfo-name
        outbound-sa-fine-grained-mask
                local-ip-mask                   ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                remote-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                local-port-mask                 65535
                remote-port-mask                65535
                trans-protocol-mask             0
                valid                           enabled
                vlan-mask                       0xFFF
        last-modified-by                admin@console
        last-modified-date              2012-01-10 17:49:15
The third policy, which has the lowest priority and is therefore the last policy applied, requires IPsec on all ports.
security-policy
        name                            pol3
        network-interface               M10:0.6
        priority                        10
        local-ip-addr-match             3fff:c0ac::c0ac:ce12
        remote-ip-addr-match            ::
        local-port-match                0
        remote-port-match               0
        trans-protocol-match            ALL
        direction                       both
        local-ip-mask                   ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        remote-ip-mask                  ::
        action                          ipsec
        ike-sainfo-name
        outbound-sa-fine-grained-mask
                local-ip-mask                   ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                remote-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                local-port-mask                 65535
                remote-port-mask                65535
                trans-protocol-mask             0
                valid                           enabled
                vlan-mask                       0xFFF
        last-modified-by                admin@console
        last-modified-date              2012-01-10 17:50:42
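To check how the three policies above combine, the following added example (not part of this document or the SBC software) parses the flattened lines and picks, for a given flow, the matching policy with the lowest priority number. It assumes the matching semantics stated here: a mask of :: is a wildcard, a port match of 0 means any port, and trans-protocol-match and direction are not evaluated because all three policies use ALL and both.

```python
import ipaddress
# Constructed copies of the three policies above as flattened
# "show running-config" lines, trimmed after the action field.
POLICY_LINES = [
    "security-policy name pol1 network-interface M10:0.6 priority 0 local-ip-addr-match 3fff:c0ac::c0ac:ce12 remote-ip-addr-match :: local-port-match 5060 remote-port-match 0 trans-protocol-match ALL direction both local-ip-mask :: remote-ip-mask :: action allow",
    "security-policy name pol2 network-interface M10:0.6 priority 2 local-ip-addr-match 3fff:b623::b623:ce02 remote-ip-addr-match 3fff:b623::b623:ce01 local-port-match 4444 remote-port-match 4444 trans-protocol-match ALL direction both local-ip-mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff remote-ip-mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action allow",
    "security-policy name pol3 network-interface M10:0.6 priority 10 local-ip-addr-match 3fff:c0ac::c0ac:ce12 remote-ip-addr-match :: local-port-match 0 remote-port-match 0 trans-protocol-match ALL direction both local-ip-mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff remote-ip-mask :: action ipsec",
]

# Field names of a security-policy (including its fine-grained sub-block).
KEYS = {"name", "network-interface", "priority", "local-ip-addr-match",
        "remote-ip-addr-match", "local-port-match", "remote-port-match",
        "trans-protocol-match", "direction", "local-ip-mask", "remote-ip-mask",
        "action", "ike-sainfo-name", "outbound-sa-fine-grained-mask",
        "local-port-mask", "remote-port-mask", "trans-protocol-mask", "valid",
        "vlan-mask", "last-modified-by", "last-modified-date"}

def parse_policy(line):
    """Flattened line -> dict. The first occurrence of a key wins, so the
    fine-grained-mask sub-block cannot overwrite the match masks."""
    policy, current = {}, None
    for tok in line.split()[1:]:          # skip the leading "security-policy"
        if tok in KEYS:
            current = None if tok in policy else tok
            if current:
                policy[current] = ""
        elif current:
            policy[current] = (policy[current] + " " + tok).strip()
    return policy

def _ip_matches(addr, match, mask):
    """Masked IPv6 compare; an all-zero mask (::) is a wildcard."""
    a, m, k = (int(ipaddress.IPv6Address(x)) for x in (addr, match, mask))
    return (a & k) == (m & k)

def _port_matches(port, match):
    return int(match) in (0, port)        # a match value of 0 means any port

def select_policy(policies, local_ip, remote_ip, local_port, remote_port):
    """(name, action) of the highest-priority (lowest number) policy that
    matches the flow, or None when no policy matches."""
    for p in sorted(policies, key=lambda p: int(p["priority"])):
        if (_ip_matches(local_ip, p["local-ip-addr-match"], p["local-ip-mask"])
                and _ip_matches(remote_ip, p["remote-ip-addr-match"], p["remote-ip-mask"])
                and _port_matches(local_port, p["local-port-match"])
                and _port_matches(remote_port, p["remote-port-match"])):
            return p["name"], p["action"]
    return None
POLICIES = [parse_policy(line) for line in POLICY_LINES]
```

Note that pol1 carries :: for both address masks, so any SIP flow to local port 5060 is allowed in the clear regardless of address, while a non-SIP, non-CCP flow to 3fff:c0ac::c0ac:ce12 falls through to pol3 and must be protected by IPsec.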