[c-nsp] ASA5520 questions on crypto map structure

Tom Lusty TLusty at csnstores.com
Tue Aug 25 17:22:14 EDT 2009


Scott,

Yep, just make the sequence number 20, or some other number between your current entry and the dynamic map entry, and things should be fine.

We're running the same thing as well, multiple L2L VPN tunnels and RA VPN clients, and the included configuration/crypto map works like a champ :)

crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map1 10 match address vpn-IE
crypto map outside_map1 10 set peer IE-pub-IP
crypto map outside_map1 10 set transform-set esp-aes256-sha
crypto map outside_map1 10 set security-association lifetime seconds 28800
crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map1 20 match address vpn-UK
crypto map outside_map1 20 set peer UK-pub-IP
crypto map outside_map1 20 set transform-set esp-aes256-sha
crypto map outside_map1 20 set security-association lifetime seconds 28800
crypto map outside_map1 20 set security-association lifetime kilobytes 4608000

crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside

Hope this is helpful.
-Tom


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, August 25, 2009 5:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 questions on crypto map structure

Hi list,
First, thanks for all the great pointers and suggestions; I've made a lot of 
progress as a result and I appreciate it.

I'm wondering if I have the general idea correct for writing crypto maps. 
My understanding is that a dynamic map is used for client access and in 
terms of sequence should be the last in the list.  I have this working.  I 
want to add a LAN-to-LAN session now on the same device.  I've written the 
following and I'm looking for input as to whether this looks correct or is 
there a better way?

Here's the example config.

crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
(original dynamic map portion)

crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route

(note I'm using the names facility to name the peer and the ACL mentioned 
marks the traffic to encrypt destined to New York)

crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
(adds the dynamic map and the whole shooting match to the outside interface)

Do I more or less have this right?  Using the examples that I received off 
list this seems close.  Also, would I simply increase the sequence number 
and add the next LAN-to-LAN mapping as sequence 20 between the existing peer 
and the dynmap? A little hint as to whether I'm in the right area or totally 
off base would be helpful.

Thanks
Scott


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
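
The rule both messages rely on is that the ASA walks a crypto map's entries in ascending sequence number, so every static LAN-to-LAN entry must sit below the `ipsec-isakmp dynamic` entry that catches remote-access clients, and a new L2L peer gets a free number in between (Scott's 10 and 65535, hence "just make it 20"). The following checker is an added example and not code from either poster or from Cisco: it parses a crypto map out of a config dump, flags static entries that are incomplete or that land above the dynamic entry, and proposes the next sequence number. The config text it carries is constructed to mirror Scott's posted map; the peer and ACL names are placeholders.

```python
"""Lint the sequence ordering of a Cisco ASA crypto map.

Added example, not from the thread. The ASA evaluates crypto map entries in
ascending sequence number, so the 'ipsec-isakmp dynamic' entry for remote-access
clients must have the highest number and every static LAN-to-LAN entry must sit
below it with an ACL, a peer and a transform set.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

CRYPTO_MAP_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")

# Constructed sample, shaped like the map posted in the question (names are placeholders).
SAMPLE_CONFIG = """\
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
"""


@dataclass
class Entry:
    seq: int
    dynamic_map: Optional[str] = None      # set only for an 'ipsec-isakmp dynamic' entry
    match_acl: Optional[str] = None
    peers: list = field(default_factory=list)
    transform_sets: list = field(default_factory=list)


def parse_crypto_map(config: str, map_name: str) -> dict:
    """Collect the per-sequence-number lines of one crypto map into Entry objects."""
    entries = {}
    for raw in config.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m or m.group("name") != map_name:
            continue                       # other maps, or the 'interface' binding line
        seq = int(m.group("seq"))
        entry = entries.setdefault(seq, Entry(seq))
        words = m.group("rest").split()
        head = tuple(words[:2])
        if head == ("ipsec-isakmp", "dynamic"):
            entry.dynamic_map = words[2]
        elif head == ("match", "address"):
            entry.match_acl = words[2]
        elif head == ("set", "peer"):
            entry.peers.extend(words[2:])
        elif head == ("set", "transform-set"):
            entry.transform_sets.extend(words[2:])
    return entries


def lint_crypto_map(entries: dict) -> list:
    """Return a list of problems; an empty list means the map follows the ordering rule."""
    problems = []
    static_seqs = sorted(s for s, e in entries.items() if e.dynamic_map is None)
    dynamic_seqs = sorted(s for s, e in entries.items() if e.dynamic_map is not None)
    for seq in static_seqs:
        e = entries[seq]
        if e.match_acl is None:
            problems.append(f"seq {seq}: static entry lacks 'match address'")
        if not e.peers:
            problems.append(f"seq {seq}: static entry lacks 'set peer'")
        if not e.transform_sets:
            problems.append(f"seq {seq}: static entry lacks 'set transform-set'")
    if dynamic_seqs:
        first_dynamic = dynamic_seqs[0]
        for seq in static_seqs:
            if seq > first_dynamic:
                problems.append(f"seq {seq}: static entry is evaluated after dynamic entry "
                                f"{first_dynamic}; renumber it below {first_dynamic}")
    return problems


def next_static_seq(entries: dict, step: int = 10) -> int:
    """Sequence number for the next LAN-to-LAN entry: above the last static entry
    and still below the dynamic entry (the thread's '20 between 10 and 65535')."""
    static_seqs = [s for s, e in entries.items() if e.dynamic_map is None]
    dynamic_seqs = [s for s, e in entries.items() if e.dynamic_map is not None]
    floor = max(static_seqs) if static_seqs else 0
    ceiling = min(dynamic_seqs) if dynamic_seqs else 65536
    candidate = floor + step
    if candidate >= ceiling:
        candidate = (floor + ceiling) // 2   # no room at the usual spacing: bisect the gap
    if candidate <= floor or candidate >= ceiling:
        raise ValueError("no free sequence number below the dynamic entry")
    return candidate


if __name__ == "__main__":
    entries = parse_crypto_map(SAMPLE_CONFIG, "vpn-ra-map")
    for problem in lint_crypto_map(entries) or ["ordering OK"]:
        print(problem)
    print("next L2L entry should use sequence", next_static_seq(entries))
```

Run it against `show running-config crypto map` output with the map's name; the ordering check only inspects sequence numbers and says nothing about whether the transform sets or peers themselves are sensible.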