Configure The Security Exchange Protocol - Cisco ASA Series Configuration Manual

Firewall cli, asa services module, and the adaptive security virtual appliance

Chapter 6
ASA and Cisco TrustSec
hostname(exec_pac_hex)# 70d0130650122bdb13a83b2dae55533a
hostname(exec_pac_hex)# 4a394f21b441e164
hostname(exec_pac_hex)# quit
PAC Imported Successfully
hostname(config)#

Configure the Security Exchange Protocol

This section describes how to configure the Security Exchange Protocol.
Before You Begin
At least one interface must be in the UP/UP state.
Note: When SXP is enabled with all interfaces down, the ASA does not display a message indicating that SXP is not working or it could not be enabled. If you check the configuration by entering the show running-config command, the command output displays the following message:
"WARNING: SXP configuration in process, please wait for a few moments and try again."
This message is generic and does not specify the reason why SXP is not working.
To configure SXP, perform the following steps:
Procedure

Step 1
Enable SXP on the ASA. By default, SXP is disabled.
cts sxp enable
Example:
hostname(config)# cts sxp enable

Step 2
Configure the default source IP address for SXP connections.
cts sxp default source-ip ipaddress
Example:
hostname(config)# cts sxp default source-ip 192.168.1.100
The ipaddress argument is an IPv4 or IPv6 address.
When you configure a default source IP address for SXP connections, you must specify the same address as the ASA outbound interface. If the source IP address does not match the address of the outbound interface, SXP connections fail.
When a source IP address for an SXP connection is not configured, the ASA performs a route/ARP lookup to determine the outbound interface for the SXP connection.

Step 3
Configure the default password for TCP MD5 authentication with SXP peers. By default, SXP connections do not have a password.
cts sxp default password [0 | 8] password
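
A configuration check for the three steps above, as an added example that is not part of the Cisco guide: the Python below reads a saved running-config and reports when SXP is disabled, when the default source IP is not on any active interface, and when no default password is set. The sample config, its interface names and the `audit_sxp` function are constructed for illustration; matching any active interface is only a necessary condition, because the actual outbound interface depends on routing.

```python
import ipaddress

# Constructed running-config excerpt (not from the guide) with two SXP problems.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.100 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
!
cts sxp enable
cts sxp default source-ip 192.168.1.50
"""

def _addr(text):  # IPv4/IPv6 with optional /prefix; None for values such as 'dhcp'
    try:
        return ipaddress.ip_interface(text).ip
    except ValueError:
        return None

def audit_sxp(config):
    """Return a list of findings for the SXP settings from Steps 1-3."""
    interfaces, current = {}, None   # name -> {"ips": set, "shutdown": bool}
    enabled, source_ip, password = False, None, False
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):     # a top-level line closes any interface block
            current = None
            if words[:1] == ["interface"] and len(words) > 1:
                current = interfaces.setdefault(words[1], {"ips": set(), "shutdown": False})
            elif words == ["cts", "sxp", "enable"]:
                enabled = True
            elif words[:4] == ["cts", "sxp", "default", "source-ip"] and len(words) > 4:
                source_ip = _addr(words[4])
            elif words[:4] == ["cts", "sxp", "default", "password"]:
                password = True
        elif current is not None and words == ["shutdown"]:
            current["shutdown"] = True
        elif current is not None and words[:2] in (["ip", "address"], ["ipv6", "address"]) and len(words) > 2:
            current["ips"].add(_addr(words[2]))
    if not enabled:
        return ["SXP is disabled (the default): no 'cts sxp enable'"]
    findings, up = [], [i for i in interfaces.values() if not i["shutdown"]]
    if not up:   # the config shows only admin state, not link state
        findings.append("every interface is shut down; SXP needs one in UP/UP")
    if source_ip is not None and not any(source_ip in i["ips"] for i in up):
        findings.append(f"source-ip {source_ip} is not on any active interface")
    if not password:
        findings.append("no default password: no TCP MD5 authentication with SXP peers")
    return findings
```

Running `audit_sxp(SAMPLE_CONFIG)` returns two findings: the mismatched source IP and the missing default password.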
Cisco ASA Series Firewall CLI Configuration Guide
Guidelines for Cisco TrustSec