Creating A Transform Set - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Creating a Transform Set
Creating a Transform Set
A transform set combines an encryption method and an authentication method. During the IPSec security
association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a
particular data flow. The transform set must be the same for both peers.
A transform set protects the data flows for the access list specified in the associated crypto map entry.
You can create transform sets in the security appliance configuration, and then specify a maximum of 11
of them in a crypto map or dynamic crypto map entry.
Table 36-1
Table 36-1
Valid Encryption Methods
esp-des
esp-3des (default)
esp-aes (128-bit encryption)
esp-aes-192
esp-aes-256
esp-null
Tunnel Mode is the usual way to implement IPSec between two security appliances that are connected
over an untrusted network, such as the public Internet. Tunnel mode is the default and requires no
configuration.
To configure a transform set, perform the following steps:
In global configuration mode enter the crypto ipsec transform-set command. The following example
Step 1
configures a transform set with the name FirstSet, esp-3des encryption, and esp-md5-hmac
authentication. The syntax is as follows:
crypto ipsec transform-set transform-set-name encryption-method authentication-method
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)#
Save your changes.
Step 2
hostname(config)# write memory
hostname(config)#
Configuring an ACL
The security appliance uses access control lists to control network access. By default, the security
appliance denies all traffic. You need to configure an ACL that permits traffic.
The ACLs that you configure for this LAN-to-LAN VPN control connections are based on the source
and destination IP addresses. Configure ACLs that mirror each other on both sides of the connection.
To configure an ACL, perform the following steps:
Cisco Security Appliance Command Line Configuration Guide
36-4
lists valid encryption and authentication methods.
Valid Encryption and Authentication Methods
Valid Authentication Methods
esp-md5-hmac
esp-sha-hmac (default)
Chapter 36
Configuring LAN-to-LAN IPSec VPNs
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
