Cisco FirePOWER ASA 5500 series Configuration Manual page 569

Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
For example, the following command specifies the preshared key XYZX to support IKE connections for
an IPSec LAN-to-LAN tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check).
The default is req. With nocheck the appliance does not compare the IKE identity the peer claims against
the certificate it presents, so any peer holding a certificate the appliance trusts is accepted under that
identity; keep the default unless a peer's certificate cannot carry the expected identity. For example, the
following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
Step 4
Specify whether to enable sending of a certificate chain. This action includes the root certificate and any
subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 5
Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
For example, the following command sets the trustpoint name to mytrustpoint:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 6
Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold
parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before
beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between
retries after a keepalive response has not been received. IKE keepalives are enabled by default. To
disable IKE keepalives, enter the no form of the isakmp command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>
hostname(config-tunnel-ipsec)#
For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the
retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry
parameter is 2.
To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the
following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
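The following listing is an added example, not taken from the guide, that applies Steps 2 through 6 together to two LAN-to-LAN tunnel groups: one authenticated with a pre-shared key and one with certificates. The peer addresses 192.0.2.10 and 192.0.2.20, the key value, and the trustpoint name mytrustpoint (the name the guide itself uses) are placeholders chosen for the example.

```cisco
! Added example, not from the guide. Peer addresses and key value are placeholders.
!
! Tunnel group 1: LAN-to-LAN peer authenticated with a pre-shared key
hostname(config)# tunnel-group 192.0.2.10 type ipsec-l2l
hostname(config)# tunnel-group 192.0.2.10 ipsec-attributes
! Step 2: placeholder key; use a long random value and configure the same key on the peer
hostname(config-tunnel-ipsec)# pre-shared-key Qw4kL9vZp2mN7xB3tRfH
! Step 6: wait 15 seconds of idle time before keepalive monitoring, retry every 10 seconds
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)# exit
!
! Tunnel group 2: LAN-to-LAN peer authenticated with certificates
hostname(config)# tunnel-group 192.0.2.20 type ipsec-l2l
hostname(config)# tunnel-group 192.0.2.20 ipsec-attributes
! Step 3: keep the default and require the peer's IKE identity to match its certificate
hostname(config-tunnel-ipsec)# peer-id-validate req
! Step 5: identity certificate to present comes from trustpoint mytrustpoint
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
! Step 4: also send the CA chain so the peer can build a path to its trusted root
hostname(config-tunnel-ipsec)# chain
! Step 6: head end waits for the remote side to start keepalive monitoring
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)# exit
!
! Review what was actually stored for each tunnel group
hostname(config)# show running-config tunnel-group 192.0.2.10
hostname(config)# show running-config tunnel-group 192.0.2.20
```

The pre-shared key does not appear in clear text in show running-config output; confirm it by checking that the key line is present rather than by reading its value, and set peer-id-validate req on the certificate group so a certificate issued by the trusted CA to a different host is not accepted as this peer.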
Step 7
Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Configuring Tunnel Groups
30-15