Understanding Transform Sets - Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), Chapter 27, Configuring IPSec and ISAKMP, page 27-12

Configuring IPSec

- Transform sets
- Crypto maps
- Access lists
- Tunnel groups
- Prefragmentation policies

Understanding Transform Sets

A transform set is a combination of security protocols and algorithms that define how the security appliance protects data. During IPSec SA negotiations, the peers must identify a transform set that is the same at both peers. The security appliance then applies the matching transform set to create an SA that protects data flows in the access list for that crypto map.

The security appliance tears down the tunnel if you change the definition of the transform set used to create its SA. See "Clearing Security Associations" for further information.

Note: If you clear or delete the only element in a transform set, the security appliance automatically removes the crypto map references to it.

Defining Crypto Maps

Crypto maps define the IPSec policy to be negotiated in the IPSec SA. They include the following:

- Access list to identify the packets that the IPSec connection permits and protects.
- Peer identification
- Local address for the IPSec traffic (See "Applying Crypto Maps to Interfaces" for more details.)
- Up to six transform sets with which to attempt to match the peer security settings.

A crypto map set consists of one or more crypto maps that have the same map name. You create a crypto map set when you create its first crypto map. The following command syntax creates or adds to a crypto map:

crypto map map-name seq-num match address access-list-name

You can continue to enter this command to add crypto maps to the crypto map set. In the following example, "mymap" is the name of the crypto map set to which you might want to add crypto maps:

crypto map mymap 10 match address 101

The sequence number (seq-num) shown in the syntax above distinguishes one crypto map from another one with the same name. The sequence number assigned to a crypto map also determines its priority among the other crypto maps within a crypto map set. The lower the sequence number, the higher the priority. After you assign a crypto map set to an interface, the security appliance evaluates all IP traffic passing through the interface against the crypto maps in the set, beginning with the crypto map with the lowest sequence number.

The ACL assigned to a crypto map consists of all of the ACEs that have the same access-list-name, as shown in the following command syntax:

access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
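The evaluation rules described above (every ACE with the same access-list-name forms one ACL, crypto maps in a set are tried in ascending seq-num order, and each crypto map carries up to six transform sets that must match the peer's) modelled in Python, as an added example that is not part of the Cisco guide and not appliance code. It parses only the access-list syntax shown above; the sample ACL and crypto map entries, the transform-set names, and the treatment of a deny ACE as excluding a flow from that one crypto map only (evaluation continues with the next map) are constructed assumptions for illustration.

```python
"""Model of how a security appliance evaluates a crypto map set.

Added illustration only (not Cisco code). It mirrors the rules stated in the
guide: all ACEs sharing an access-list-name form one ACL, the crypto map with
the lowest seq-num is tried first, and a crypto map carries at most six
transform sets to match against the peer.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

MAX_TRANSFORM_SETS = 6   # per crypto map, as stated in the guide


@dataclass
class ACE:
    action: str            # "permit" (protect) or "deny" (not protected by this map)
    source: IPv4Network
    destination: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.source and dst in self.destination


@dataclass
class CryptoMap:
    name: str
    seq_num: int
    acl: list              # ACEs in configuration order
    transform_sets: list   # local preference order, at most six

    def __post_init__(self):
        if len(self.transform_sets) > MAX_TRANSFORM_SETS:
            raise ValueError(f"{self.name} {self.seq_num}: more than six transform sets")


def parse_ace(line: str):
    """Parse 'access-list NAME {deny|permit} ip SRC SRC-MASK DST DST-MASK'."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[3] != "ip" or p[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    # ipaddress accepts dotted netmasks; strict=False tolerates host bits in the address
    src = IPv4Network(f"{p[4]}/{p[5]}", strict=False)
    dst = IPv4Network(f"{p[6]}/{p[7]}", strict=False)
    return p[1], ACE(p[2], src, dst)


def build_acls(lines):
    """Group ACEs by access-list-name: every ACE with the same name is one ACL."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def acl_verdict(acl, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """First matching ACE decides; None means the ACL says nothing about this flow."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return None


def select_crypto_map(crypto_map_set, src: IPv4Address, dst: IPv4Address) -> Optional[CryptoMap]:
    """Return the highest-priority crypto map whose ACL permits the flow.

    Lower seq-num means higher priority. Assumption of this model: a deny ACE
    only excludes the flow from that map, so evaluation moves on to the next.
    """
    for cmap in sorted(crypto_map_set, key=lambda m: m.seq_num):
        if acl_verdict(cmap.acl, src, dst) == "permit":
            return cmap
    return None


def negotiate_transform_set(local_sets, peer_sets) -> Optional[str]:
    """Pick the first locally preferred transform set that the peer also offers.

    Simplification of IKE proposal selection: both peers must end up with an
    identical transform set, otherwise no SA is created (None).
    """
    peer = set(peer_sets)
    return next((ts for ts in local_sets if ts in peer), None)


# Constructed sample configuration (not from the guide)
ACL_LINES = [
    "access-list 101 deny ip 10.1.1.0 255.255.255.0 10.2.2.128 255.255.255.128",
    "access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    "access-list 102 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
]
ACLS = build_acls(ACL_LINES)
MYMAP = [
    # crypto map mymap 10 match address 101  (transform-set names are made up)
    CryptoMap("mymap", 10, ACLS["101"], ["ESP-AES-SHA", "ESP-3DES-MD5"]),
    # crypto map mymap 20 match address 102
    CryptoMap("mymap", 20, ACLS["102"], ["ESP-3DES-MD5"]),
]


def selected_seq(src: str, dst: str) -> Optional[int]:
    """seq-num of the crypto map chosen for src -> dst, or None if unprotected."""
    cmap = select_crypto_map(MYMAP, IPv4Address(src), IPv4Address(dst))
    return cmap.seq_num if cmap else None


if __name__ == "__main__":
    for s, d in [("10.1.1.5", "10.2.2.9"), ("10.1.1.5", "10.2.2.200"),
                 ("10.1.5.5", "10.2.9.9"), ("192.168.1.1", "10.2.2.9")]:
        print(f"{s} -> {d}: crypto map seq {selected_seq(s, d)}")
    print(negotiate_transform_set(MYMAP[0].transform_sets, ["ESP-3DES-MD5", "ESP-AES-SHA"]))
```

Note how the flow 10.1.1.5 -> 10.2.2.9 is claimed by seq 10 even though the broader ACL 102 on seq 20 would also permit it: priority is decided by the sequence number, not by how specific the ACL is, which is why the guide stresses ordering when several crypto maps share a map name.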
