Cisco ASA 5505 User Manual


64-30

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask

For example:

hostname(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

In this example, the permit keyword causes all traffic that matches the specified conditions to be
protected by crypto.

Step 2

To configure an IKEv1 transform set that defines how to protect the traffic, enter the following
command:

crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]

For example:

hostname(config)# crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac

hostname(config)# crypto ipsec ikev1 transform-set myset2 esp-3des esp-sha-hmac

hostname(config)# crypto ipsec ikev1 transform-set aes_set esp-md5-hmac esp-aes-256

In this example, myset1, myset2, and aes_set are the names of the transform sets.

To configure an IKEv2 proposal that also defines how to protect the traffic, enter the crypto ipsec ikev2
ipsec-proposal command to create the proposal and enter ipsec proposal configuration mode, where
you can specify multiple encryption and integrity types for the proposal:

crypto ipsec ikev2 ipsec-proposal [proposal tag]

For example:

hostname(config)# crypto ipsec ikev2 ipsec-proposal secure

In this example, secure is the name of the proposal. Enter a protocol and encryption types:

hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des

Step 3

To create a crypto map, perform the following steps:

a.

Assign an access list to a crypto map:

crypto map map-name seq-num match address access-list-name

In the following example, mymap is the name of the crypto map set. The map set sequence number is
10; the sequence number is used to rank multiple entries within one crypto map set. The lower the
sequence number, the higher the priority.

crypto map mymap 10 match address 101

In this example, the access list named 101 is assigned to crypto map mymap.

b.

Specify the peer to which the IPsec-protected traffic can be forwarded:

crypto map map-name seq-num set peer ip-address

For example:

crypto map mymap 10 set peer 192.168.1.100

The ASA sets up an SA with the peer assigned the IP address 192.168.1.100. Specify multiple peers
by repeating this command.

c.

Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this crypto map. List
multiple transform sets or proposals in order of priority (highest priority first). You can specify up
to 11 transform sets or proposals in a crypto map using either of these two commands:
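As an added example (not part of the configuration guide or Cisco's own tooling), the following Python audit reads a constructed configuration fragment assembled from the commands in Steps 1 through 3 above and reports two things a reviewer would check before deploying: transform sets or IKEv2 proposals that still carry DES, 3DES or MD5 algorithms, and crypto map entries that lack either a match address or a peer. The second crypto map entry (sequence 20) and the WEAK keyword list are assumptions added for illustration.

```python
# Constructed sample built from this section's example commands, plus one
# incomplete crypto map entry (sequence 20) added to show the completeness check.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set aes_set esp-md5-hmac esp-aes-256
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption 3des aes des
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 20 set peer 192.168.1.101
"""

# Algorithm keywords to flag (assumption: DES/3DES and MD5 are treated as weak).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "des", "3des", "md5"}


def audit(config):
    """Return (weak_findings, incomplete_maps) for an ASA IPsec config fragment.

    weak_findings: list of (transform-set or proposal name, weak keyword)
    incomplete_maps: list of (map-name, seq-num) missing match address or peer
    """
    weak = []
    maps = {}
    current_proposal = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            name, transforms = words[4], words[5:]
            weak.extend((name, t) for t in transforms if t in WEAK)
        elif words[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            current_proposal = words[4]  # following "protocol esp ..." lines belong to it
        elif words[:2] == ["protocol", "esp"] and current_proposal:
            # e.g. "protocol esp encryption 3des aes des": check every listed algorithm
            weak.extend((current_proposal, t) for t in words[3:] if t in WEAK)
        elif words[:2] == ["crypto", "map"]:
            key = (words[2], int(words[3]))
            # record the sub-command kind, e.g. "match address" or "set peer"
            maps.setdefault(key, set()).add(" ".join(words[4:6]))
    required = {"match address", "set peer"}
    incomplete = [key for key, parts in maps.items() if not required <= parts]
    return weak, incomplete
```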
