Crypto Map Mode Commands
XSR CLI Reference Guide 14-111

Crypto Map Rules

A crypto map is a collection of rules, each with a different seq-num but the same map-name. So, for
a given interface, you can have certain traffic forwarded to one IPSec peer with specified security
applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with
different IPSec security applied. To accomplish this you create two crypto maps, each with the
same map-name, but each with a different seq-num. Crypto map rules are searched in order of
seq-num. Sequence numbers, in addition to determining the order in which traffic is tested against the
rules, are used as an anti-replay device to reject duplicate and old packets and so prevent an
intruder from copying a conversation and using it to work out encryption algorithms.
Syntax
crypto map map-name seq-num [ipsec-isakmp]
Syntax of the “no” Form
To delete a crypto map entry, use the no form of this command:
no crypto map map-name [seq-num]
Mode
Global configuration: XSR(config)#
Next Mode
Crypto Map configuration: XSR(config-crypto-m)#
Sample Output
The following example creates the crypto map ACMEmap:
XSR(config)#crypto map ACMEmap 7
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 120

match address

This command specifies an access control list (ACL) for a crypto map entry. An ACL is applied
bidirectionally by IPSec and the XSR considers its “source” as the local address and its “destination”
as the remote address, so typically only one match address and ACL is needed to define traffic with
a peer.
Syntax
match address [access-list-id]
map-name        Crypto map identification. This is the name assigned when the crypto
                map was created.
seq-num         32-bit digit you assign to the crypto map. Range: 1 to 4096.
ipsec-isakmp    This value provides backward compatibility with the industry standard
                CLI. It is not mandatory.
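
The seq-num search order from Crypto Map Rules and the bidirectional ACL matching from match address, modeled in Python as an added example (not code from the XSR guide or firmware). The second map entry, the transform-set name esp-aes-sha, ACL 130 and all ACL network contents are constructed assumptions; auditing a configuration this way shows which entry a given flow actually hits.

```python
import ipaddress
import re

# Constructed sample: two entries share the map name, differing in seq-num.
# "esp-aes-sha" and ACL 130 are hypothetical names.
CONFIG = """\
crypto map ACMEmap 20
set transform-set esp-aes-sha
match address 130
crypto map ACMEmap 7
set transform-set esp-3des-sha
match address 120
"""
# Constructed ACL contents (assumed): id -> (local network, remote network).
ACLS = {120: ("10.1.0.0/16", "192.168.50.0/24"),
        130: ("10.1.0.0/16", "192.168.0.0/16")}

def parse_crypto_maps(text):
    """Return {map_name: [entry, ...]}, entries sorted by seq-num."""
    maps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"crypto map (\S+) (\d+)(?: ipsec-isakmp)?", line)
        if m:
            seq = int(m.group(2))
            if not 1 <= seq <= 4096:  # documented seq-num range
                raise ValueError(f"seq-num {seq} outside 1 to 4096")
            current = {"seq": seq, "acl": None, "transform": None}
            maps.setdefault(m.group(1), []).append(current)
        elif current and line.startswith("match address "):
            current["acl"] = int(line.split()[2])
        elif current and line.startswith("set transform-set "):
            current["transform"] = line.split()[2]
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])  # rules are searched in seq-num order
    return maps

def select_entry(entries, pkt_src, pkt_dst, inbound=False):
    """First entry in seq-num order whose ACL covers the packet."""
    # The ACL "source" is the local side, so swap the pair for inbound packets.
    local, remote = (pkt_dst, pkt_src) if inbound else (pkt_src, pkt_dst)
    for e in entries:
        if e["acl"] not in ACLS:
            continue
        src, dst = (ipaddress.ip_network(n) for n in ACLS[e["acl"]])
        if ipaddress.ip_address(local) in src and ipaddress.ip_address(remote) in dst:
            return e
    return None
```

Swapping the two seq-num values in the sample makes the broader ACL 130 match first, so the entry using ACL 120 is never reached.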