[c-nsp] ASA5520 questions on crypto map structure

Scott Granados gsgranados at comcast.net
Tue Aug 25 17:31:53 EDT 2009


It is, looks like I'm pretty close.

I like the rekey options based on bits transferred.

Thanks
Scott

----- Original Message ----- 
From: "Tom Lusty" <TLusty at csnstores.com>
To: "Scott Granados" <gsgranados at comcast.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Tuesday, August 25, 2009 2:22 PM
Subject: RE: [c-nsp] ASA5520 questions on crypto map structure


Scott,

Yep, just make the sequence number 20, or some other number between your 
current entry and the dynamic map entry, and things should be fine.

We're running the same thing, multiple L2L VPN tunnels and RA VPN clients, 
as well and the included configuration/cryptomap works like a champ :)

crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map1 10 match address vpn-IE
crypto map outside_map1 10 set peer IE-pub-IP
crypto map outside_map1 10 set transform-set esp-aes256-sha
crypto map outside_map1 10 set security-association lifetime seconds 28800
crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map1 20 match address vpn-UK
crypto map outside_map1 20 set peer UK-pub-IP
crypto map outside_map1 20 set transform-set esp-aes256-sha
crypto map outside_map1 20 set security-association lifetime seconds 28800
crypto map outside_map1 20 set security-association lifetime kilobytes 4608000

crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside

Hope this is helpful
-Tom
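Added example, not from Tom's or Scott's mail: a small Python checker that applies the sequencing rule above to a constructed config excerpt modelled on Scott's. It parses the crypto map and transform-set lines, confirms the dynamic (remote-access) entry carries the highest sequence number so it is evaluated last, reports static L2L entries missing an ACL, peer or transform set, flags transform sets that still use 3DES or MD5-HMAC (legacy algorithms worth an audit finding), and proposes the next free sequence number for an additional L2L entry. Map, ACL and transform-set names come from the thread; the ASA itself is not emulated, the script only inspects the text.

```python
"""Ordering and hygiene checks for Cisco ASA crypto map entries.

Added example (not from the original thread). It inspects ``crypto map``,
``crypto dynamic-map`` and ``crypto ipsec transform-set`` lines in a
constructed config excerpt modelled on the one posted to the list.
"""
import re
from collections import defaultdict

# Constructed sample config, modelled on the thread's example (not a live box).
SAMPLE_CONFIG = """
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
# Algorithms that should be retired; flagged as findings, not fixed here.
LEGACY_ALGS = {"esp-3des", "esp-des", "esp-md5-hmac"}


def parse_config(text):
    """Return (maps, interfaces, transform_sets).

    maps[name][seq] is a dict of settings on that entry; the key "dynamic"
    names the dynamic map the entry points at, when it is a dynamic entry."""
    maps = defaultdict(dict)
    interfaces = {}
    transform_sets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            interfaces[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = maps[name].setdefault(seq, {})
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2:]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_sets"] = rest[2:]
            elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = rest[2]
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = m.group(2).split()
    return maps, interfaces, transform_sets


def audit_map(name, maps, interfaces, transform_sets):
    """Return a list of findings for one crypto map (empty means it looks sane)."""
    findings = []
    entries = maps.get(name, {})
    if name not in interfaces:
        findings.append(f"{name}: not applied to any interface")
    dynamic = [s for s, e in entries.items() if "dynamic" in e]
    static = [s for s, e in entries.items() if "dynamic" not in e]
    for seq in static:
        for key in ("acl", "peer", "transform_sets"):
            if key not in entries[seq]:
                findings.append(f"{name} {seq}: missing {key}")
        for ts in entries[seq].get("transform_sets", []):
            weak = LEGACY_ALGS & set(transform_sets.get(ts, []))
            if weak:
                findings.append(f"{name} {seq}: transform-set {ts} uses {sorted(weak)}")
    # The dynamic entry must sort after every static entry: entries are tried
    # in sequence order, and a specific L2L peer should win before the catch-all.
    if dynamic and static and max(static) > min(dynamic):
        findings.append(f"{name}: static entry {max(static)} sorts after dynamic entry {min(dynamic)}")
    return findings


def next_l2l_sequence(name, maps, step=10):
    """Suggest a sequence number for a new L2L entry: after the highest static
    entry and before the dynamic one (20 for the thread's 10 / 65535 layout)."""
    entries = maps.get(name, {})
    dynamic = [s for s, e in entries.items() if "dynamic" in e]
    static = [s for s, e in entries.items() if "dynamic" not in e]
    candidate = (max(static) + step) if static else step
    ceiling = min(dynamic) if dynamic else 65535
    if candidate >= ceiling:
        raise ValueError(f"no room between {max(static, default=0)} and {ceiling}")
    return candidate


if __name__ == "__main__":
    maps, ifaces, ts = parse_config(SAMPLE_CONFIG)
    for finding in audit_map("vpn-ra-map", maps, ifaces, ts):
        print("WARN", finding)
    print("next L2L sequence:", next_l2l_sequence("vpn-ra-map", maps))
```

Run against the sample it reports one finding (vpn-transform2 uses esp-md5-hmac) and suggests 20 as the next sequence; moving the dynamic entry to a number below 10 makes it report the ordering problem instead.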


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, August 25, 2009 5:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 questions on crypto map structure

Hi list,
First, thanks for all the great pointers and suggestions. I've made a lot of
progress as a result and I appreciate it.

I'm wondering if I have the general idea correct for writing crypto maps.
My understanding is that a dynamic map is used for client access and in
terms of sequence should be the last in the list.  I have this working.  I
want to add a LAN-to-LAN session now on the same device.  I've written the
following and I'm looking for input as to whether this looks correct or is
there a better way?

Here's the example config.

crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
(original dynamic map portion)

crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route

(note I'm using the names facility to name the peer and the ACL mentioned
marks the traffic to encrypt destined to New York)

crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
(adds the dynamic map and the whole shooting match to the outside interface)

Do I more or less have this right?  Using the examples that I received off
list this seems close.  Also, would I simply increase the sequence number
and add the next LAN-to-LAN mapping as sequence 20 between the existing peer
and the dynmap? A little hint as to whether I'm in the right area or totally
off base would be helpful.

Thanks
Scott


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 
