[c-nsp] ASA5520 questions on crypto map structure

Ryan West rwest at zyedge.com
Tue Aug 25 19:18:22 EDT 2009


Scott,

You're good so far, the crypto map reads top down like an ACL and you can insert at any time. If by chance you're on 7.2.4(18), make sure you upgrade, that code has an ISAKMP bug.

The fun has just started, wait until you have internal addressing overlap.

Sent from handheld.

On Aug 25, 2009, at 5:37 PM, "Scott Granados" <gsgranados at comcast.net> wrote:

> It is, looks like I'm pretty close.
>
> I like the rekey options based on bits transferred.
>
> Thanks
> Scott
>
> ----- Original Message -----
> From: "Tom Lusty" <TLusty at csnstores.com>
> To: "Scott Granados" <gsgranados at comcast.net>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Tuesday, August 25, 2009 2:22 PM
> Subject: RE: [c-nsp] ASA5520 questions on crypto map structure
>
>
> Scott,
>
> Yep, just make the sequence number 20, or some other number between your current entry and the dynamic map entry, and things should be fine.
>
> We're running the same thing, multiple L2L VPN tunnels and RA VPN clients, as well and the included configuration/cryptomap works like a champ :)
>
> crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
>
> crypto dynamic-map outside_dyn_map 40 set pfs
> crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
> crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
> crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
>
> crypto map outside_map1 10 match address vpn-IE
> crypto map outside_map1 10 set peer IE-pub-IP
> crypto map outside_map1 10 set transform-set esp-aes256-sha
> crypto map outside_map1 10 set security-association lifetime seconds 28800
> crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
> crypto map outside_map1 20 match address vpn-UK
> crypto map outside_map1 20 set peer UK-pub-IP
> crypto map outside_map1 20 set transform-set esp-aes256-sha
> crypto map outside_map1 20 set security-association lifetime seconds 28800
> crypto map outside_map1 20 set security-association lifetime kilobytes 4608000
>
> crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map1 interface outside
>
> Hope this is helpful
> -Tom
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, August 25, 2009 5:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520 questions on crypto map structure
>
> Hi list,
> First, thanks for all the great pointers and suggestions. I've made a lot of progress as a result and I appreciate it.
>
> I'm wondering if I have the general idea correct for writing crypto maps. My understanding is that a dynamic map is used for client access and in terms of sequence should be the last in the list. I have this working. I want to add a LAN-to-LAN session now on the same device. I've written the following and I'm looking for input as to whether this looks correct or is there a better way?
>
> Here's the example config.
>
> crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
> crypto dynamic-map dynmap 10 set reverse-route
> (original dynamic map portion)
>
> crypto map vpn-ra-map 10 match address ny-vpn-acl
> crypto map vpn-ra-map 10 set peer ny-fw-outside
> crypto map vpn-ra-map 10 set transform-set vpn-transform2
> crypto map vpn-ra-map 10 set reverse-route
>
> (note I'm using the names facility to name the peer and the ACL mentioned marks the traffic to encrypt destined to New York)
>
> crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
> crypto map vpn-ra-map interface outside
> (adds the dynamic map and the whole shooting match to the outside interface)
>
> Do I more or less have this right? Using the examples that I received off list this seems close. Also, would I simply increase the sequence number and add the next LAN-to-LAN mapping as sequence 20 between the existing peer and the dynmap? A little hint as to whether I'm in the right area or totally off base would be helpful.
>
> Thanks
> Scott
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

