Sample Security Policy Configuration
The following formatted extracts from show running-config ACLI output show three associated security policies.
The first policy, and the one with the highest priority, opens Port 5060 for SIP traffic.
security-policy
    name                           pol1
    network-interface              M10:0.6
    priority                       0
    local-ip-addr-match            3fff:c0ac::c0ac:ce12
    remote-ip-addr-match           ::
    local-port-match               5060
    local-port-match-max           5060
    remote-port-match              0
    trans-protocol-match           ALL
    direction                      both
    local-ip-mask                  ::
    remote-ip-mask                 ::
    action                         allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask              ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        remote-ip-mask             ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        local-port-mask            65535
        remote-port-mask           65535
        trans-protocol-mask        0
        valid                      enabled
        vlan-mask                  0xFFF
    last-modified-by               admin@console
    last-modified-date             2012-01-10 17:48:59
The second policy opens Port 4444 for CCP traffic.
security-policy
    name                           pol2
    network-interface              M10:0.6
    priority                       2
    local-ip-addr-match            3fff:b623::b623:ce02
    remote-ip-addr-match           3fff:b623::b623:ce01
    local-port-match               4444
    local-port-match-max           4444
    remote-port-match              4444
    remote-port-match-max          4444
    trans-protocol-match           ALL
    direction                      both
    local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    action                         allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask              ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        remote-ip-mask             ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        local-port-mask            65535
        remote-port-mask           65535
        trans-protocol-mask        0
        valid                      enabled
        vlan-mask                  0xFFF
    last-modified-by               admin@console
    last-modified-date             2012-01-10 17:49:15
The third policy, the one with the lowest priority and therefore the last policy applied, requires IPsec on all ports.
security-policy
    name                           pol3
    network-interface              M10:0.6
    priority                       10
    local-ip-addr-match            3fff:c0ac::c0ac:ce12
    remote-ip-addr-match           ::
    local-port-match               0
    remote-port-match              0
    trans-protocol-match           ALL
    direction                      both
    local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    remote-ip-mask                 ::
    action                         ipsec
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask              ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        remote-ip-mask             ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        local-port-mask            65535
        remote-port-mask           65535
        trans-protocol-mask        0
        valid                      enabled
        vlan-mask                  0xFFF
    last-modified-by               admin@console
    last-modified-date             2012-01-10 17:50:42
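To see how the three policies above interact, here is an added Python example (not from the original page or the product's own code) that replays the matching order against sample flows. It assumes that lower priority numbers are evaluated first, that an address mask of :: matches any address, that a port match of 0 matches any port, and that a missing *-port-match-max equals the corresponding *-port-match value.

```python
import ipaddress

# The three policies from the page, reduced to the fields that drive matching.
# Assumption (not stated on the page): a mask of :: means "any address",
# a port match of 0 means "any port", a missing *-match-max equals *-match.
ANY = "::"
FULL = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
POLICIES = [
    {"name": "pol1", "priority": 0, "action": "allow",
     "local_ip": "3fff:c0ac::c0ac:ce12", "local_mask": ANY,
     "remote_ip": ANY, "remote_mask": ANY,
     "local_ports": (5060, 5060), "remote_ports": (0, 0)},
    {"name": "pol2", "priority": 2, "action": "allow",
     "local_ip": "3fff:b623::b623:ce02", "local_mask": FULL,
     "remote_ip": "3fff:b623::b623:ce01", "remote_mask": FULL,
     "local_ports": (4444, 4444), "remote_ports": (4444, 4444)},
    {"name": "pol3", "priority": 10, "action": "ipsec",
     "local_ip": "3fff:c0ac::c0ac:ce12", "local_mask": FULL,
     "remote_ip": ANY, "remote_mask": ANY,
     "local_ports": (0, 0), "remote_ports": (0, 0)},
]

def _addr_matches(addr, want, mask):
    # Compare both addresses after applying the configured mask.
    m = int(ipaddress.IPv6Address(mask))
    return int(ipaddress.IPv6Address(addr)) & m == int(ipaddress.IPv6Address(want)) & m

def _port_matches(port, lo, hi):
    # A match value of 0 is treated as a wildcard (assumption, see lead-in).
    return lo == 0 or lo <= port <= hi

def evaluate(local_ip, remote_ip, local_port, remote_port, policies=POLICIES):
    """Return (policy name, action) of the first match in priority order,
    or (None, None) when no policy matches the flow."""
    for p in sorted(policies, key=lambda p: p["priority"]):
        if (_addr_matches(local_ip, p["local_ip"], p["local_mask"])
                and _addr_matches(remote_ip, p["remote_ip"], p["remote_mask"])
                and _port_matches(local_port, *p["local_ports"])
                and _port_matches(remote_port, *p["remote_ports"])):
            return p["name"], p["action"]
    return None, None

if __name__ == "__main__":
    # Constructed sample flows: SIP to 5060, CCP on 4444, and an unrelated port.
    print(evaluate("3fff:c0ac::c0ac:ce12", "2001:db8::1", 5060, 40000))
    print(evaluate("3fff:b623::b623:ce02", "3fff:b623::b623:ce01", 4444, 4444))
    print(evaluate("3fff:c0ac::c0ac:ce12", "2001:db8::1", 5061, 5060))
```

Under these assumptions, pol1's local-ip-mask of :: means its local-ip-addr-match value has no effect, so port 5060 is allowed on any local address, not only 3fff:c0ac::c0ac:ce12; if that is not the intent, the mask should be tightened to match the address.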