Using Dynamic Crypto Maps - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring IPSec
e.
Apply a crypto map set to an interface for evaluating IPSec traffic:
Step 4
crypto map map-name interface interface-name
For example:
crypto map mymap interface outside
In this example, the security appliance evaluates the traffic going through the outside interface against
the crypto map "mymap" to determine whether it needs to be protected.

Using Dynamic Crypto Maps

A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy
template where the missing parameters are later dynamically learned, as the result of an IPSec
negotiation, to match the peer requirements. The security appliance applies a dynamic crypto map to let
a peer negotiate a tunnel if its IP address is not already identified in a static crypto map. This occurs with
the following types of peers:
•
•
As an administrator configuring static crypto maps, you might not know the IP addresses that are
dynamically assigned (via DHCP or some other method), and you might not know the private IP
addresses of other clients, regardless of how they were assigned. VPN clients typically do not have static
IP addresses; they require a dynamic crypto map to allow IPSec negotiation to occur. For example, the
headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses
to negotiate IPSec SAs.
A dynamic crypto map requires only the transform-set parameter.
Note
Dynamic crypto maps can ease IPSec configuration and we recommend them for use in networks where
the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile
users) and routers that obtain dynamically assigned IP addresses.
Cisco Security Appliance Command Line Configuration Guide
27-24
(Optional) Specify that IPSec require perfect forward secrecy when requesting new SA for this
crypto map, or require PFS in requests received from the peer:
crypto map map-name seq-num set pfs [group1 | group2 | group5 | group7]
For example:
crypto map mymap 10 set pfs group2
This example requires PFS when negotiating a new SA for the crypto map "mymap 10."
The security appliance uses the 1024-bit Diffie-Hellman prime modulus group in the new SA.
Peers with dynamically assigned public IP addresses.
Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The
security appliance uses this address only to initiate the tunnel.
Peers with dynamically assigned private IP addresses.
Peers requesting remote access tunnels typically have private IP addresses assigned by the headend.
Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to
configure static maps and therefore used to establish IPSec SAs.
Chapter 27 Configuring IPSec and ISAKMP
OL-10088-01