Providing Site-To-Site Redundancy - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Configuring IPSec
In this example, when traffic matches access list 101, the SA can use either "myset1" (first priority) or
"myset2" (second priority), depending on which transform set matches the transform sets of the peer.
(Optional) Specify the SA lifetime for the crypto dynamic map entry if you want to override the global
Step 3
lifetime value:
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime
{seconds seconds | kilobytes kilobytes}
For example:
crypto dynamic-map dyn1 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for dynamic crypto map "dyn1 10" to 2700 seconds
(45 minutes). The time volume lifetime is not changed.
(Optional) Specify that IPSec ask for PFS when requesting new SAs for this dynamic crypto map, or
Step 4
should demand PFS in requests received from the peer:
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5 |
group7]
For example:
crypto dynamic-map dyn1 10 set pfs group5
Add the dynamic crypto map set into a static crypto map set.
Step 5
Be sure to set the crypto maps referencing dynamic maps to be the lowest priority entries (highest
sequence numbers) in a crypto map set.
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
For example:
crypto map mymap 200 ipsec-isakmp dynamic dyn1
Providing Site-to-Site Redundancy
You can define multiple peers by using crypto maps to provide redundancy. This configuration is useful
for site-to-site VPNs.
If one peer fails, the security appliance establishes a tunnel to the next peer associated with the crypto
map. It sends data to the peer that it has successfully negotiated with, and that peer becomes the "active"
peer. The "active" peer is the peer that the security appliance keeps trying first for follow-on negotiations
until a negotiation fails. At that point the security appliance goes on to the next peer. The security
appliance cycles back to the first peer when all peers associated with the crypto map have failed.
Viewing an IPSec Configuration
Table 27-5
Cisco Security Appliance Command Line Configuration Guide
27-26
lists commands you can enter to view information about your IPSec configuration.
Chapter 27
Configuring IPSec and ISAKMP
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
