Cisco PIX 500 Series Configuration Manual page 585

Chapter 27
Configuring IPSec and ISAKMP
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
In this example, the permit keyword causes all traffic that matches the specified conditions to be
protected by crypto.
Step 2
To configure a transform set that defines how to protect the traffic, enter the following command:
crypto ipsec transform-set transform-set-name transform1 [transform2, transform3]
For example:
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set aes_set esp-md5-hmac esp-aes-256
In this example, "myset1" and "myset2" and "aes_set" are the names of the transform sets.
Step 3
To create a crypto map, perform the following steps:
a.
Assign an access list to a crypto map:
crypto map map-name seq-num match address access-list-name
In the following example, "mymap" is the name of the crypto map set. The map set sequence number
is 10; the sequence number is used to rank multiple entries within one crypto map set. The lower
the sequence number, the higher the priority.
crypto map mymap 10 match address 101
In this example, the access list named 101 is assigned to crypto map "mymap."
b.
Specify the peer to which the IPSec protected traffic can be forwarded:
crypto map map-name seq-num set peer ip-address
For example:
crypto map mymap 10 set peer 192.168.1.100
The security appliance sets up an SA with the peer assigned the IP address 192.168.1.100.
Specify multiple peers by repeating this command.
c.
Specify which transform sets are allowed for this crypto map. List multiple transform sets in order
of priority (highest priority first). You can specify up to 11 transform sets in a crypto map.
crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2, ... transform-set-name6]
For example:
crypto map mymap 10 set transform-set myset1 myset2
In this example, when traffic matches access list 101, the SA can use either "myset1" (first priority)
or "myset2" (second priority) depending on which transform set matches the transform set of the
peer.
d.
(Optional) Specify an SA lifetime for the crypto map if you want to override the global lifetime.
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
For example:
crypto map mymap 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for the crypto map "mymap 10" to 2700 seconds
(45 minutes). The traffic volume lifetime is not changed.
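Steps 1 through 3 above tie three objects together: a crypto access list, one or more transform sets, and a crypto map entry that references both by name. The following is an added example, not code from the Cisco guide: a small Python checker that parses the command forms shown on this page, rebuilds that model, and reports references to undefined access lists or transform sets and transforms a reviewer would want flagged. The sample configuration is constructed for the example (it deliberately references an access list 102 and a transform set myset3 that are never defined), and the list of weak transforms is a local policy assumption, not a value from the manual; the parser handles only the command forms shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample configuration: the commands from Steps 1-3 of the
# chapter, plus a second crypto map entry with dangling references
# (access-list 102 and transform-set myset3 are never defined).
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set aes_set esp-md5-hmac esp-aes-256
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 10 set transform-set myset1 myset2
crypto map mymap 10 set security-association lifetime seconds 2700
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 192.168.1.101
crypto map mymap 20 set transform-set myset3
"""

# Transforms to flag (assumption: local review policy, not from the manual).
# DES is a 56-bit cipher and MD5-based HMACs are deprecated for IPsec.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}

ACL_RE = re.compile(r"^access-list (\S+) ")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set transform-set|set security-association lifetime) (.+)$"
)


def parse_config(text):
    """Build a small model: ACL names, transform sets, and crypto map entries keyed by (map, seq)."""
    acls = set()
    transform_sets = {}
    entries = defaultdict(lambda: {"acl": None, "peers": [], "transform_sets": [], "lifetime": None})
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := MAP_RE.match(line):
            name, seq, verb, args = m.group(1), int(m.group(2)), m.group(3), m.group(4).split()
            entry = entries[(name, seq)]
            if verb == "match address":
                entry["acl"] = args[0]
            elif verb == "set peer":
                entry["peers"].extend(args)          # repeated command = multiple peers
            elif verb == "set transform-set":
                entry["transform_sets"] = args       # listed order = priority, highest first
            else:
                entry["lifetime"] = (args[0], int(args[1]))   # ("seconds"|"kilobytes", value)
    return acls, transform_sets, dict(entries)


def check_crypto_maps(text):
    """Return a list of findings: weak transforms, dangling references, incomplete map entries."""
    acls, transform_sets, entries = parse_config(text)
    findings = []
    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform {t}")
    for (name, seq) in sorted(entries):   # lower seq-num = higher priority, so report in that order
        e = entries[(name, seq)]
        if e["acl"] is None:
            findings.append(f"crypto map {name} {seq}: no match address")
        elif e["acl"] not in acls:
            findings.append(f"crypto map {name} {seq}: access-list {e['acl']} is not defined")
        if not e["peers"]:
            findings.append(f"crypto map {name} {seq}: no peer set")
        if not e["transform_sets"]:
            findings.append(f"crypto map {name} {seq}: no transform-set")
        for ts in e["transform_sets"]:
            if ts not in transform_sets:
                findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker reports the two weak transforms in myset1 and aes_set and the two dangling references in entry "mymap 20"; entry "mymap 10", which is exactly what the steps above build, passes cleanly apart from its use of esp-des.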
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
Configuring IPSec
27-23