1-20
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring IPsec
A crypto map set consists of one or more crypto maps that have the same map name. You create a crypto
map set when you create its first crypto map. The following site-to-site task creates or adds to a crypto
map in either single or multiple context mode:
crypto map map-name seq-num match address access-list-name
Use the access-list-name to specify the access list ID, as a string or integer up to 241 characters in length.
Tip: Use all capital letters to more easily identify the access list ID in your configuration.
You can continue to enter this command to add crypto maps to the crypto map set. In the following
example, mymap is the name of the crypto map set to which you might want to add crypto maps:
crypto map mymap 10 match address 101
The sequence number (seq-num) shown in the syntax above distinguishes one crypto map from another
one with the same name. The sequence number assigned to a crypto map also determines its priority
among the other crypto maps within a crypto map set. The lower the sequence number, the higher the
priority. After you assign a crypto map set to an interface, the ASA evaluates all IP traffic passing
through the interface against the crypto maps in the set, beginning with the crypto map with the lowest
sequence number.
[no] crypto map <map_name> <map_index> set pfs [group1 | group2 | group5 | group14 |
group19 | group20 | group21 | group24]
Specifies the ECDH group used for Perfect Forward Secrecy (PFS) for the cryptography map. Prevents
you from configuring the group14 and group24 options for a cryptography map (when using an IKEv1
policy).
[no]crypto map <name> <priority> set validate-icmp-errors
OR
[no]crypto dynamic-map <name> <priority> set validate-icmp-errors
Specifies whether incoming ICMP error messages are validated for the cryptography or dynamic
cryptography map.
[no] crypto map <name> <priority> set df-bit [clear-df | copy-df | set-df]
OR
[no] crypto map dynamic-map <name> <priority> set df-bit [clear-df | copy-df | set-df]
Configures the existing do-not-fragment (DF) policy (at a security association level) for the
cryptography or dynamic cryptography map.
• clear-df—Ignores the DF bit.
• copy-df—Maintains the DF bit.
• set-df—Sets and uses the DF bit.
[no] crypto map <name> <priority> set tfc-packets [burst <length | auto>] [payload-size
<bytes | auto>] [timeout <seconds | auto>]
OR
[no] crypto dynamic-map <name> <priority> set tfc-packets [burst <length | auto>]
[payload-size <bytes | auto>] [timeout <seconds | auto>]
An administrator can enable dummy Traffic Flow Confidentiality (TFC) packets at random lengths and
intervals on an IPsec security association. You must have an IKEv2 IPsec proposal set before enabling
TFC.
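The following script is an added example, not part of the guide or of Cisco's tooling. It parses a constructed crypto map set from running-config text, reports the entries in the order the ASA evaluates them (lowest sequence number first, as described above), and flags entries that set no PFS group or a short MODP group; the weak-group list is the script's own policy assumption.

```python
import re
from collections import defaultdict
# Constructed sample, not taken from the guide: one crypto map set ("mymap")
# typed out of sequence order, one entry without PFS, one on a legacy group.
SAMPLE_CONFIG = """
crypto map mymap 10 match address 101
crypto map mymap 10 set pfs group14
crypto map mymap 10 set df-bit copy-df
crypto map mymap 10 set validate-icmp-errors
crypto map mymap 30 match address BRANCH-B
crypto map mymap 30 set pfs group2
crypto map mymap 20 match address BRANCH-A
crypto map mymap interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
# Script's own policy assumption, not from the guide: short MODP groups are weak.
WEAK_PFS = {"group1", "group2", "group5"}

def parse_crypto_maps(config: str) -> dict:
    """Return {map_name: {seq_num: {attribute: value}}} from ASA config text."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # e.g. 'crypto map mymap interface outside'
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps[name].setdefault(seq, {"acl": None, "pfs": None})
        if rest.startswith("match address "):
            entry["acl"] = rest.split(" ", 2)[2]
        elif rest.startswith("set "):
            key, _, value = rest[4:].partition(" ")
            entry[key] = value or True  # flag-style settings store True
    return maps

def evaluation_order(maps: dict, name: str) -> list:
    """Sequence numbers in the order the ASA evaluates them (lowest first)."""
    return sorted(maps[name])

def audit(maps: dict) -> list:
    """Flag entries with no PFS or a weak PFS group as (map, seq, issue)."""
    findings = []
    for name, entries in maps.items():
        for seq in evaluation_order(maps, name):
            pfs = entries[seq]["pfs"]
            if pfs is None:
                findings.append((name, seq, "no PFS configured"))
            elif pfs in WEAK_PFS:
                findings.append((name, seq, f"weak PFS group {pfs}"))
    return findings
```

Running `audit(parse_crypto_maps(SAMPLE_CONFIG))` reports entry 20 as lacking PFS and entry 30 as using group2, while entry 10 with group14 passes.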
The ACL assigned to a crypto map consists of all of the ACEs that have the same access list name, as
shown in the following command syntax: