Cisco ASA 5505 Configuration Manual page 1390

Mapping Certificates to IPsec or SSL VPN Connection Profiles

Crypto Map Entry

In this dialog box, specify crypto parameters for the Connection Profile.

Fields

Priority—A unique priority (1 through 65,543, with 1 the highest priority). When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.
Perfect Forward Secrecy—Ensures that the key for a given IPsec SA was not derived from any other secret (such as other keys). If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—An identifier which the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit).
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy, which lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT device.
Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.
Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.
  Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
  Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Crypto Map Entry for Static Peer Address

In this dialog box, specify crypto parameters for the Connection Profile when the Peer IP Address is a static address.

Fields

Priority—A unique priority (1 through 65,543, with 1 the highest priority). When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.
Perfect Forward Secrecy—Ensures that the key for a given IPsec SA was not derived from any other secret (such as other keys). If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—An identifier which the two IPsec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit).
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy, which lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT device.

Cisco ASA 5500 Series Configuration Guide using ASDM
64-80
Chapter 64
General VPN Setup
OL-20339-01
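As an added example, not part of the Cisco manual, the following Python script audits the crypto map parameters described above (PFS, Diffie-Hellman group, SA lifetime) over a constructed sample of ASA running-config lines. It assumes the `set pfs` and `set security-association lifetime` CLI keywords are the command-line form of the ASDM dialog fields, and the 86400-second lifetime threshold is an arbitrary audit choice.

```python
import re
from typing import Dict, List

# Constructed sample of ASA running-config lines (not taken from the manual); the
# CLI keywords are assumed to be the command-line form of the ASDM fields above.
SAMPLE_CONFIG = """
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime seconds 604800
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set security-association lifetime seconds 3600
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
"""

WEAK_DH_GROUPS = {"group1", "group2"}  # the 768-bit and 1024-bit choices in the dialog
MAX_LIFETIME_SECONDS = 86400           # audit threshold chosen for this example (assumption)
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) set (.+)$")

def parse_crypto_maps(config: str) -> Dict[str, dict]:
    """Collect the 'set ...' parameters of each crypto map entry, keyed name:seq."""
    entries: Dict[str, dict] = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # match-address lines, interface bindings and unrelated config
        key = f"{m.group(1)}:{m.group(2)}"
        e = entries.setdefault(key, {"pfs": None, "lifetime_seconds": None, "lifetime_kb": None})
        t = m.group(3).split()
        if t[0] == "pfs":  # PFS enabled; the group keyword may be omitted on the CLI
            e["pfs"] = t[1] if len(t) > 1 else "default"
        elif t[:3] == ["security-association", "lifetime", "seconds"]:
            e["lifetime_seconds"] = int(t[3])
        elif t[:3] == ["security-association", "lifetime", "kilobytes"]:
            e["lifetime_kb"] = int(t[3])
    return entries

def audit_crypto_maps(entries: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return findings per entry; an empty list means the entry passed the checks."""
    findings: Dict[str, List[str]] = {}
    for key, e in entries.items():
        issues = []
        if e["pfs"] is None:
            issues.append("PFS disabled: a broken key could be used to derive other SA keys")
        elif e["pfs"] in WEAK_DH_GROUPS:
            issues.append(f"PFS uses weak DH {e['pfs']}; choose a larger group")
        if e["lifetime_seconds"] and e["lifetime_seconds"] > MAX_LIFETIME_SECONDS:
            issues.append(f"SA lifetime {e['lifetime_seconds']}s exceeds {MAX_LIFETIME_SECONDS}s")
        findings[key] = issues
    return findings
```

Entry 10 is flagged for Group 2, entry 20 for having no PFS and a week-long lifetime, and entry 30 passes.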
