64-31
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 64 Configuring IPsec and ISAKMP
Configuring IPsec
crypto map map-name seq-num set ikev1 transform-set transform-set-name1
[transform-set-name2, …transform-set-name11]
crypto map map-name seq-num set ikev2 ipsec-proposal proposal-name1
[proposal-name2, proposal-name11]
For example (for IKEv1):
crypto map mymap 10 set ikev1 transform-set myset1 myset2
In this example, when traffic matches access list 101, the SA can use either myset1 (first priority)
or myset2 (second priority) depending on which transform set matches the transform set of the peer.
d. (Optional) Specify an SA lifetime for the crypto map if you want to override the global lifetime.
crypto map map-name seq-num set security-association lifetime {seconds seconds |
kilobytes kilobytes}
For example:
crypto map mymap 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for the crypto map mymap 10 to 2700 seconds
(45 minutes). The traffic volume lifetime is not changed.
e. (Optional) Specify that IPsec require perfect forward secrecy (PFS) when requesting a new SA for
this crypto map, or require PFS in requests received from the peer:
crypto map map-name seq-num set pfs [group1 | group2 | group5]
For example:
crypto map mymap 10 set pfs group2
This example requires PFS when negotiating a new SA for the crypto map mymap 10. The ASA uses
the 1024-bit Diffie-Hellman prime modulus group in the new SA.
Step 4 Apply a crypto map set to an interface for evaluating IPsec traffic:
crypto map map-name interface interface-name
For example:
crypto map mymap interface outside
In this example, the ASA evaluates the traffic going through the outside interface against the crypto map
mymap to determine whether it needs to be protected.
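As an added example (not from the Cisco guide), the following Python script parses the crypto map commands shown above out of a constructed running-config fragment and reports entries that require no PFS, use a Diffie-Hellman group below an assumed 2048-bit local policy, or are never applied to an interface. The sample peer addresses, the proposal name prop1 and the 2048-bit threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed config fragment modelled on the commands in this section (not a real device dump).
SAMPLE_CONFIG = """
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap 10 set ikev1 transform-set myset1 myset2
crypto map mymap 10 set security-association lifetime seconds 2700
crypto map mymap 10 set pfs group2
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 192.0.2.2
crypto map mymap 20 set ikev2 ipsec-proposal prop1
crypto map mymap interface outside
"""

# Modulus sizes of the DH groups accepted by the "set pfs" keyword in this section.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536}
MIN_DH_BITS = 2048  # assumed local policy threshold, not a Cisco default

def parse_crypto_maps(config):
    """Return ({(map_name, seq): settings}, {map_name: interface})."""
    entries = defaultdict(lambda: {"transform_sets": [], "proposals": [],
                                   "pfs": None, "lifetime_seconds": None})
    bindings = {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) interface (\S+)$", line.strip())
        if m:
            bindings[m.group(1)] = m.group(2)  # "crypto map mymap interface outside"
            continue
        m = re.match(r"crypto map (\S+) (\d+) set (.+)$", line.strip())
        if not m:
            continue  # match address / set peer lines are not audited here
        entry, rest = entries[(m.group(1), int(m.group(2)))], m.group(3).split()
        if rest[:2] == ["ikev1", "transform-set"]:
            entry["transform_sets"] = rest[2:]
        elif rest[:2] == ["ikev2", "ipsec-proposal"]:
            entry["proposals"] = rest[2:]
        elif rest[0] == "pfs":
            entry["pfs"] = rest[1] if len(rest) > 1 else "(default)"
        elif rest[:3] == ["security-association", "lifetime", "seconds"]:
            entry["lifetime_seconds"] = int(rest[3])
    return dict(entries), bindings

def audit(config):
    """Flag crypto map entries that weaken protection or silently protect nothing."""
    entries, bindings = parse_crypto_maps(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if name not in bindings:
            findings.append(f"{tag}: map not applied to any interface, so it evaluates no traffic")
        if not e["transform_sets"] and not e["proposals"]:
            findings.append(f"{tag}: no transform set or IPsec proposal, entry is incomplete")
        if e["pfs"] is None:
            findings.append(f"{tag}: PFS not required; IPsec keys derive from the IKE SA secret")
        elif DH_GROUP_BITS.get(e["pfs"], 0) < MIN_DH_BITS:
            bits = DH_GROUP_BITS.get(e["pfs"], "unknown")
            findings.append(f"{tag}: PFS uses {e['pfs']} ({bits}-bit), below {MIN_DH_BITS}-bit policy")
    return findings
```

Run against the sample it reports two findings: mymap 10 negotiates PFS with the 1024-bit group2, and mymap 20 requires no PFS at all.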
Using Dynamic Crypto Maps
A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy
template where the missing parameters are later dynamically learned, as the result of an IPsec
negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer
negotiate a tunnel if its IP address is not already identified in a static crypto map. This occurs with the
following types of peers:
Peers with dynamically assigned public IP addresses.
Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA
uses this address only to initiate the tunnel.