Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 73 Configuring LAN-to-LAN IPsec VPNs
Creating a Crypto Map and Applying It To an Interface
Crypto map entries pull together the various elements of IPsec security associations, including the
following:
• Which traffic IPsec should protect, which you define in an access list.
• Where to send IPsec-protected traffic, by identifying the peer.
• What IPsec security applies to this traffic, which a transform set specifies.
• The local address for IPsec traffic, which you identify by applying the crypto map to an interface.
For IPsec to succeed, both peers must have crypto map entries with compatible configurations. For two
crypto map entries to be compatible, they must, at a minimum, meet the following criteria:
• The crypto map entries must contain compatible crypto access lists (for example, mirror image
access lists). If the responding peer uses dynamic crypto maps, the entries in the ASA crypto access
list must be “permitted” by the peer’s crypto access list.
• The crypto map entries each must identify the other peer (unless the responding peer is using a
dynamic crypto map).
• The crypto map entries must have at least one transform set in common.
If you create more than one crypto map entry for a given interface, use the sequence number (seq-num)
of each entry to rank it: the lower the seq-num, the higher the priority. At the interface that has the crypto
map set, the ASA evaluates traffic against the entries of higher priority maps first.
Create multiple crypto map entries for a given interface if either of the following conditions exists:
• Different peers handle different data flows.
• You want to apply different IPsec security to different types of traffic (to the same or separate peers),
for example, if you want traffic between one set of subnets to be authenticated, and traffic between
another set of subnets to be both authenticated and encrypted. In this case, define the different types
of traffic in two separate access lists, and create a separate crypto map entry for each crypto access
list.
To create a crypto map and apply it to the outside interface in global configuration mode, enter several
of the crypto map commands. These commands use a variety of arguments, but the syntax for all of them
begins with crypto map map-name seq-num. In the following example the map-name is abcmap and the
sequence number is 1.
Enter these commands in global configuration mode:
Step 1 To assign an access list to a crypto map entry, enter the crypto map match address command.
The syntax is crypto map map-name seq-num match address aclname. In the following example the
map name is abcmap, the sequence number is 1, and the access list name is l2l_list.
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)#
Step 2 To identify the peer(s) for the IPsec connection, enter the crypto map set peer command.
The syntax is crypto map map-name seq-num set peer {ip_address1 | hostname1} [... ip_address10 |
hostname10]. In the following example the peer address is 10.10.4.108.
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)#
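The following is an added example, not part of the original guide, showing both ends of a LAN-to-LAN tunnel configured so that the crypto map entries meet the compatibility criteria above: the crypto access lists are mirror images (source and destination swapped), each entry names the other peer's outside address, and both entries reference a transform set of the same name. It also shows a second entry (seq-num 10) on ASA-A that carries a different flow to a different peer; because 1 is lower than 10, traffic is evaluated against entry 1 first. The outside address 10.10.4.1, the second peer 10.10.4.200, the subnets, the access list l2l_branch and the transform-set name FirstSet are constructed for illustration; the transform set, the IKE policy and the tunnel-group pre-shared keys are assumed to be configured already and are not shown.

```cisco
! ---- ASA-A (outside address 10.10.4.1, protects 192.168.1.0/24) ----
! Crypto access list: local subnet as source, remote subnet as destination.
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Second flow to a different peer (access list name and subnet are constructed).
access-list l2l_branch extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

! Entry 1: flow to 10.10.4.108. FirstSet is an assumed, previously defined transform set.
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.4.108
crypto map abcmap 1 set transform-set FirstSet

! Entry 10: lower seq-num means higher priority, so entry 1 is checked before this one.
crypto map abcmap 10 match address l2l_branch
crypto map abcmap 10 set peer 10.10.4.200
crypto map abcmap 10 set transform-set FirstSet

! Applying the map to the interface makes 10.10.4.1 the local address for IPsec traffic.
crypto map abcmap interface outside

! ---- ASA-B (outside address 10.10.4.108, protects 192.168.2.0/24) ----
! Mirror image of ASA-A's l2l_list: the source and destination subnets are swapped.
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! The entry must identify the other peer, which is ASA-A's outside address.
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.4.1
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
```

A quick check after pasting this on each ASA is to compare the output of show running-config crypto map on both sides: every entry's access list should be the exact mirror of the remote entry's, the set peer address should be the remote outside address, and at least one transform-set name should appear in both entries. A mismatch in any of these is the usual reason a LAN-to-LAN tunnel fails to negotiate even though IKE authentication succeeds.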