Cisco ASA 5505 User Manual


64-33

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name

The access list determines which traffic is protected and which is not.

For example:

crypto dynamic-map dyn1 10 match address 101

In this example, access list 101 is assigned to dynamic crypto map dyn1. The map sequence number is 10.

Step 2

Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this dynamic crypto map. List
multiple transform sets or proposals in order of priority (highest priority first) using the command for
IKEv1 transform sets or IKEv2 proposals:

crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [transform-set-name2, …transform-set-name9]

crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev2 ipsec-proposal proposal-name1 [proposal-name2, …proposal-name11]

For example (for IKEv1):

crypto dynamic-map dyn1 10 set ikev1 transform-set myset1 myset2

In this example, when traffic matches access list 101, the SA can use either myset1 (first priority) or
myset2 (second priority), depending on which transform set matches the transform sets of the peer.

Step 3

(Optional) Specify the SA lifetime for the crypto dynamic map entry if you want to override the global
lifetime value:

crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}

For example:

crypto dynamic-map dyn1 10 set security-association lifetime seconds 2700

This example shortens the timed lifetime for dynamic crypto map dyn1 10 to 2700 seconds (45 minutes). The traffic-volume lifetime is not changed.

Step 4

(Optional) Specify that IPsec asks for PFS when requesting new SAs for this dynamic crypto map, or demands PFS in requests received from the peer:

crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5 | group7]

For example:

crypto dynamic-map dyn1 10 set pfs group5

Step 5

Add the dynamic crypto map set into a static crypto map set.

Be sure to set the crypto maps referencing dynamic maps to be the lowest priority entries (highest
sequence numbers) in a crypto map set.

crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

For example:

crypto map mymap 200 ipsec-isakmp dynamic dyn1
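A small audit script that checks a saved ASA configuration against the rules in Steps 1 through 5: every dynamic map entry must select traffic, must reference a defined transform set, and must be attached to the static crypto map set at a higher sequence number than any static entry. This is an added example in Python, not from the Cisco guide; it handles IKEv1 transform sets only, and the sample configuration is constructed from the commands shown above.

```python
import re

# Constructed sample assembled from the commands in Steps 1-5 (not a capture from a real ASA).
GOOD_CONFIG = """
crypto ipsec ikev1 transform-set myset1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset2 esp-aes esp-sha-hmac
crypto dynamic-map dyn1 10 match address 101
crypto dynamic-map dyn1 10 set ikev1 transform-set myset1 myset2
crypto dynamic-map dyn1 10 set security-association lifetime seconds 2700
crypto dynamic-map dyn1 10 set pfs group5
crypto map mymap 10 set ikev1 transform-set myset1
crypto map mymap 200 ipsec-isakmp dynamic dyn1
"""

DYN_RE = re.compile(r"crypto dynamic-map (\S+) (\d+) (match address|set ikev1 transform-set|set pfs)\s*(.*)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (?:ipsec-isakmp dynamic (\S+)|\S)")
TSET_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+)")

def audit_dynamic_maps(config: str) -> list[str]:
    """Return findings; an empty list means the dynamic-map setup follows Steps 1-5 above."""
    tsets: set[str] = set()
    dyn: dict[tuple[str, int], dict[str, str]] = {}   # (name, seq) -> {sub-command: arguments}
    static: dict[str, list[tuple[int, str | None]]] = {}  # map -> [(seq, dynamic ref or None)]
    for ln in config.splitlines():
        ln = ln.strip()
        if m := TSET_RE.match(ln):
            tsets.add(m.group(1))
        elif m := DYN_RE.match(ln):
            dyn.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
        elif m := MAP_RE.match(ln):
            static.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    findings: list[str] = []
    for (name, seq), sub in dyn.items():
        tag = f"dynamic-map {name} {seq}"
        if "match address" not in sub:
            findings.append(f"{tag}: no match address, nothing selects protected traffic (Step 1)")
        if "set ikev1 transform-set" not in sub:
            findings.append(f"{tag}: no transform set, no SA can be negotiated (Step 2)")
        for ts in sub.get("set ikev1 transform-set", "").split():
            if ts not in tsets:
                findings.append(f"{tag}: transform set {ts} is not defined (Step 2)")
        if "set pfs" not in sub:
            findings.append(f"{tag}: PFS not requested (optional Step 4)")
    for mapname, entries in static.items():
        # Static entries must all sort before (lower seq than) any entry that references a dynamic map.
        highest_static = max((s for s, ref in entries if ref is None), default=-1)
        for seq, ref in entries:
            if ref is not None and seq < highest_static:
                findings.append(f"crypto map {mapname} {seq}: dynamic entry must come after static entry {highest_static} (Step 5)")
    return findings
```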
