Using dynamic crypto maps – Cisco ASA 5505 User Manual

Page 1383


64-31

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring IPsec

crypto map map-name seq-num set ikev1 transform-set transform-set-name1 [transform-set-name2, …transform-set-name11]

crypto map map-name seq-num set ikev2 ipsec-proposal proposal-name1 [proposal-name2, … proposal-name11]

For example (for IKEv1):

crypto map mymap 10 set ikev1 transform-set myset1 myset2

In this example, when traffic matches access list 101, the SA can use either myset1 (first priority)
or myset2 (second priority) depending on which transform set matches the transform set of the peer.

d. (Optional) Specify an SA lifetime for the crypto map if you want to override the global lifetime.

crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}

For example:

crypto map mymap 10 set security-association lifetime seconds 2700

This example shortens the timed lifetime for the crypto map mymap 10 to 2700 seconds
(45 minutes). The traffic volume lifetime is not changed.

e. (Optional) Specify that IPsec require perfect forward secrecy (PFS) when requesting a new SA for this
crypto map, or require PFS in requests received from the peer:

crypto map map-name seq-num set pfs [group1 | group2 | group5]

For example:

crypto map mymap 10 set pfs group2

This example requires PFS when negotiating a new SA for the crypto map mymap 10. The ASA uses
the 1024-bit Diffie-Hellman prime modulus group in the new SA.

Step 4 Apply a crypto map set to an interface for evaluating IPsec traffic:

crypto map map-name interface interface-name

For example:

crypto map mymap interface outside

In this example, the ASA evaluates the traffic going through the outside interface against the crypto map
mymap to determine whether it needs to be protected.
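The per-entry settings from steps 3c to 3e and the interface binding from Step 4 are the parts of a crypto map a reviewer checks first. The following script is an added example, not code from the Cisco guide: it parses those crypto map lines out of a saved ASA configuration and reports entries with no PFS, a PFS group below an assumed modulus threshold, a timed lifetime above an assumed ceiling, or a map that is never applied to an interface. The DH_BITS table, the thresholds, and the group2 default for a bare "set pfs" are this example's assumptions; the sample configuration is constructed, with its first three lines taken from the guide's own examples.

```python
import re

# DH modulus size per PFS group named in the guide (constructed lookup); MIN_DH_BITS and MAX_LIFETIME_SEC are this example's review thresholds.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536}
MIN_DH_BITS = 1536
MAX_LIFETIME_SEC = 28800
SET_RE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def parse_crypto_maps(config):
    """Return ({(map, seq): settings}, {map: interface}) from ASA config text."""
    entries, interfaces = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if (m := IFACE_RE.match(line)):
            interfaces[m.group(1)] = m.group(2)
        elif (m := SET_RE.match(line)):
            name, seq, words = m.group(1), int(m.group(2)), m.group(3).split()
            entry = entries.setdefault((name, seq), {})
            if words[0] in ("ikev1", "ikev2"):     # transform sets / proposals, priority order kept
                entry[words[0] + "_" + words[1]] = words[2:]
            elif words[:2] == ["security-association", "lifetime"]:
                entry["lifetime_" + words[2]] = int(words[3])   # seconds or kilobytes
            elif words[0] == "pfs":
                entry["pfs"] = words[1] if len(words) > 1 else "group2"  # assumed default
    return entries, interfaces

def audit(config):
    """Return (map, seq, finding) tuples for settings a reviewer would question."""
    entries, interfaces = parse_crypto_maps(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if name not in interfaces:
            findings.append((name, seq, "map not applied to any interface"))
        if "pfs" not in e:
            findings.append((name, seq, "PFS not required"))
        elif DH_BITS.get(e["pfs"], 0) < MIN_DH_BITS:
            findings.append((name, seq, f"weak PFS {e['pfs']} ({DH_BITS.get(e['pfs'], '?')}-bit)"))
        if e.get("lifetime_seconds", 0) > MAX_LIFETIME_SEC:
            findings.append((name, seq, f"long SA lifetime {e['lifetime_seconds']}s"))
    return findings

SAMPLE = """\
crypto map mymap 10 set ikev1 transform-set myset1 myset2
crypto map mymap 10 set security-association lifetime seconds 2700
crypto map mymap 10 set pfs group2
crypto map mymap 20 set ikev2 ipsec-proposal prop1
crypto map mymap 20 set security-association lifetime seconds 86400
crypto map mymap interface outside
crypto map othermap 10 set ikev1 transform-set myset1
"""
```

Run audit() over the text of "show running-config crypto map"; each finding names the map and sequence number so it can be matched back to the entry that needs attention.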

Using Dynamic Crypto Maps

A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy
template where the missing parameters are later dynamically learned, as the result of an IPsec
negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer
negotiate a tunnel if its IP address is not already identified in a static crypto map. This occurs with the
following types of peers:

Peers with dynamically assigned public IP addresses.

Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA
uses this address only to initiate the tunnel.
