Changing Ipsec Sa Lifetimes - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring IPSec
Every static crypto map must define an access list and an IPSec peer. If either is missing, the crypto map
Note
is incomplete and the security appliance drops any traffic that it has not already matched to an earlier,
complete crypto map. Use the show conf command to ensure that every crypto map is complete. To fix
an incomplete crypto map, remove the crypto map, add the missing entries, and reapply it.
We discourage the use of the any keyword to specify source or destination addresses in crypto access
lists because they cause problems. We strongly discourage the permit any any command statement
because it does the following:
•
•
Be sure that you define which packets to protect. If you use the any keyword in a permit statement,
preface it with a series of deny statements to filter out traffic that would otherwise fall within that permit
statement that you do not want to protect.

Changing IPSec SA Lifetimes

You can change the global lifetime values that the security appliance uses when negotiating new
IPSec SAs. You can override these global lifetime values for a particular crypto map.
IPSec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together
to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires
after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800
seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).
If you change a global lifetime, the security appliance drops the tunnel. It uses the new value in the
negotiation of subsequently established SAs.
When a crypto map does not have configured lifetime values and the security appliance requests a new
SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a
peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or
the locally configured lifetime value as the lifetime of the new SA.
The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a
new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent
of the lifetime of the existing SA remains.
Creating a Basic IPSec Configuration
You can create basic IPSec configurations with static or dynamic crypto maps.
To create a basic IPSec configuration using a static crypto map, perform the following steps:
Step 1 To create an access list to define the traffic to protect, enter the following command:
access-list access-list-name {deny | permit} ip source source-netmask destination
destination-netmask
For example:
Cisco Security Appliance Command Line Configuration Guide
27-22
Protects all outbound traffic, including all protected traffic sent to the peer specified in the
corresponding crypto map.
Requires protection for all inbound traffic.
In this scenario, the security appliance silently drops all inbound packets that lack IPSec protection.
Chapter 27 Configuring IPSec and ISAKMP
OL-10088-01