64-21
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring IPsec
The crypto map that matches the packet determines the security settings used in the SA negotiations.
If the local ASA initiates the negotiation, it uses the policy specified in the static crypto map to create
the offer to send to the specified peer. If the peer initiates the negotiation, the ASA attempts to match the
policy to a static crypto map, and if that fails, then it attempts to match any dynamic crypto maps in the
crypto map set, to decide whether to accept or reject the peer offer.
For two peers to succeed in establishing an SA, they must have at least one compatible crypto map. To
be compatible, a crypto map must meet the following criteria:
The crypto map must contain compatible crypto ACLs (for example, mirror image ACLs). If the
responding peer uses dynamic crypto maps, so the ASA also must contain compatible crypto ACLs
as a requirement to apply IPsec.
Each crypto map identifies the other peer (unless the responding peer uses dynamic crypto maps).
The crypto maps have at least one transform set or proposal in common.
You can apply only one crypto map set to a single interface. Create more than one crypto map for a
particular interface on the ASA if any of the following conditions exist:
You want specific peers to handle different data flows.
You want different IPsec security to apply to different types of traffic.
For example, create a crypto map and assign an ACL to identify traffic between two subnets and assign
one IKEv1 transform set or IKEv2 proposal. Create another crypto map with a different ACL to identify
traffic between another two subnets and apply a transform set or proposal with different VPN
parameters.
If you create more than one crypto map for an interface, specify a sequence number (seq-num) for each
map entry to determine its priority within the crypto map set.
Each ACE contains a permit or deny statement. Table64-3 explains the special meanings of permit and
deny ACEs in ACLs applied to crypto maps.
Table64-3 Special Meanings of Permit and Deny in Crypto Access Lists Applied to Outbound
Tra f f i c
Result of Crypto Map
Evaluation Response
Match criterion in an ACE
containing a permit statement
Halt further evaluation of the packet against the remaining ACEs in the
crypto map set, and evaluate the packet security settings against those in
the IKEv1 transform sets or IKEv2 proposals assigned to the crypto
map. After matching the security settings to those in a transform set or
proposal, the ASA applies the associated IPsec settings. Typically for
outbound traffic, this means that it decrypts, authenticates, and routes
the packet.
Match criterion in an ACE
containing a deny statement
Interrupt further evaluation of the packet against the remaining ACEs in
the crypto map under evaluation, and resume evaluation against the
ACEs in the next crypto map, as determined by the next seq-num
assigned to it.
Fail to match all tested permit
ACEs in the crypto map set
Route the packet without encrypting it.