Creating A Dynamic Crypto Map - Cisco FirePOWER ASA 5500 series Configuration Manual

Step 3 To configure the authentication method, enter the ipsec-attributes mode and then enter the pre-shared-key command to create the preshared key. You need to use the same preshared key on both the security appliance and the client.

Note The preshared key must be no larger than that used by the VPN client. If a Cisco VPN Client with a different preshared key size tries to connect to a security appliance, the client logs an error message indicating it failed to authenticate the peer.

The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx.

hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Step 4 Save your changes.

hostname(config)# write memory
hostname(config)#
Creating a Dynamic Crypto Map
The security appliance uses dynamic crypto maps to define a policy template where all the parameters
do not have to be configured. These dynamic crypto maps let the security appliance receive connections
from peers that have unknown IP addresses. Remote access clients fall in this category.
Dynamic crypto map entries identify the transform set for the connection. You also enable reverse
routing, which lets the security appliance learn routing information for connected clients, and advertise
it via RIP or OSPF.
Step 1 To specify a transform set for a dynamic crypto map entry, enter the crypto dynamic-map set transform-set command.

The syntax is crypto dynamic-map dynamic-map-name seq-num set transform-set transform-set-name. In the following example the name of the dynamic map is dyn1, the sequence number is 1, and the transform set name is FirstSet.

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)#

Step 2 To enable RRI (reverse route injection) for any connection based on this crypto map entry, enter the crypto dynamic-map set reverse-route command.

hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)#

Step 3 Save your changes.

hostname(config)# write memory
hostname(config)#
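As an added example, not code from the Cisco guide, the following Python script parses a constructed ASA running-config excerpt and checks what the two procedures above configure: each tunnel-group preshared key is alphanumeric and 1-128 characters (the limits the guide states), and each dynamic crypto map entry has both a transform set and reverse-route. The excerpt itself, the group names longgroup and punctgroup, and the map names dyn2 and dyn3 are constructed for the example. A real appliance masks preshared keys in show running-config output, so the key-length check only applies to a config exported with the keys visible.

```python
"""
Audit of ASA remote-access IPsec settings (added example, not from the Cisco guide).
Parses a running-config excerpt and reports tunnel-group preshared keys that
violate the guide's 1-128 alphanumeric rule and dynamic crypto map entries
that lack a transform set or reverse-route.
"""
import re
from dataclasses import dataclass, field

# Limits taken from the guide text above.
PSK_MIN_LEN, PSK_MAX_LEN = 1, 128
PSK_ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")

# Command patterns, matched against whitespace-stripped config lines.
TG_IPSEC_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"^pre-shared-key (\S+)$")
DYN_TS_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
DYN_RRI_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set reverse-route$")


@dataclass
class DynamicMapEntry:
    name: str
    seq: int
    transform_sets: list = field(default_factory=list)
    reverse_route: bool = False


def parse_config(text):
    """Return ({tunnel_group: preshared_key}, {(map_name, seq): DynamicMapEntry})."""
    psks = {}
    dynmaps = {}
    current_tg = None  # tunnel-group whose ipsec-attributes submode we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_tg = None  # an unindented command leaves the submode
        m = TG_IPSEC_RE.match(line)
        if m:
            current_tg = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m and current_tg is not None:
            psks[current_tg] = m.group(1)
            continue
        m = DYN_TS_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entry = dynmaps.setdefault(key, DynamicMapEntry(*key))
            entry.transform_sets.extend(m.group(3).split())
            continue
        m = DYN_RRI_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            dynmaps.setdefault(key, DynamicMapEntry(*key)).reverse_route = True
    return psks, dynmaps


def audit(text):
    """Return a list of findings; an empty list means the excerpt passes both checks."""
    findings = []
    psks, dynmaps = parse_config(text)
    for tg, key in psks.items():
        if not PSK_MIN_LEN <= len(key) <= PSK_MAX_LEN:
            findings.append(f"tunnel-group {tg}: pre-shared-key length {len(key)} "
                            f"outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
        elif not PSK_ALNUM_RE.match(key):
            findings.append(f"tunnel-group {tg}: pre-shared-key contains non-alphanumeric characters")
    for (name, seq), entry in sorted(dynmaps.items()):
        if not entry.transform_sets:
            findings.append(f"dynamic-map {name} {seq}: no transform set configured")
        if not entry.reverse_route:
            findings.append(f"dynamic-map {name} {seq}: reverse-route not set (RRI disabled)")
    return findings


# Constructed sample excerpt (not from a real appliance); keys are shown in the clear.
LONG_KEY = "a" * (PSK_MAX_LEN + 1)
SAMPLE_CONFIG = f"""\
! constructed sample excerpt
tunnel-group testgroup type remote-access
tunnel-group testgroup ipsec-attributes
 pre-shared-key 44kkaol59636jnfx
tunnel-group longgroup ipsec-attributes
 pre-shared-key {LONG_KEY}
tunnel-group punctgroup ipsec-attributes
 pre-shared-key no$good
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map dyn2 10 set transform-set FirstSet
crypto dynamic-map dyn3 5 set reverse-route
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Running the script against the constructed excerpt reports four findings: the 129-character key, the key with a punctuation character, dyn2 without reverse-route, and dyn3 without a transform set; dyn1 and testgroup, which match the guide's examples, pass.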
Cisco Security Appliance Command Line Configuration Guide, Chapter 32, Configuring Remote Access IPSec VPNs, page 32-6 (OL-10088-01)