Cisco ASA Series Cli Configuration Manual page 1586

Software version 9.0 for the services module
Configuring IPsec
Caution
Do not assign module default routes for traffic to be tunneled to an ASA interface configured with a
dynamic crypto map set. To identify the traffic that should be tunneled, add the ACLs to the dynamic
crypto map. Use care to identify the proper address pools when configuring the ACLs associated with
remote access tunnels. Use Reverse Route Injection to install routes only after the tunnel is up.
The procedure for using a dynamic crypto map entry is the same as the basic configuration described in
"Creating a Basic IPsec Configuration," except that instead of creating a static crypto map, you create a
dynamic crypto map entry. You can also combine static and dynamic map entries within a single crypto
map set.
Follow these steps to create a crypto dynamic map entry using either single or multiple context mode:
Step 1
(Optional) Assign an access list to a dynamic crypto map:
crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name
This determines which traffic should be protected and not protected. Dynamic-map-name specifies the
name of the crypto map entry that refers to a pre-existing dynamic crypto map. Dynamic-seq-num
specifies the sequence number that corresponds to the dynamic crypto map entry.
For example:
crypto dynamic-map dyn1 10 match address 101
In this example, access list 101 is assigned to dynamic crypto map dyn1. The map sequence number is
10.
Step 2
Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this dynamic crypto map. List
multiple transform sets or proposals in order of priority (highest priority first), using the IKEv1 form
for transform sets or the IKEv2 form for proposals:
crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set
transform-set-name1 [transform-set-name2 ... transform-set-name9]
crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev2 ipsec-proposal
proposal-name1 [proposal-name2 ... proposal-name11]
Dynamic-map-name specifies the name of the crypto map entry that refers to a pre-existing dynamic
crypto map. Dynamic-seq-num specifies the sequence number that corresponds to the dynamic crypto
map entry. The transform-set-name is the name of an existing IKEv1 transform set (defined with the
crypto ipsec ikev1 transform-set command). The proposal-name specifies one or more existing IPsec
proposals for IKEv2 (defined with the crypto ipsec ikev2 ipsec-proposal command). The names are
separated by spaces, as in the example below.
For example (for IKEv1):
crypto dynamic-map dyn1 10 set ikev1 transform-set myset1 myset2
In this example, when traffic matches access list 101 (assigned to dyn1 in Step 1), the SA can use either
myset1 (first priority) or myset2 (second priority), depending on which transform set matches the
transform sets offered by the peer.
Step 3
(Optional) Specify the SA lifetime for the crypto dynamic map entry if you want to override the global
lifetime value:
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime
{seconds seconds | kilobytes kilobytes}
Dynamic-map-name specifies the name of the crypto map entry that refers to a pre-existing dynamic
crypto map. Dynamic-seq-num specifies the sequence number that corresponds to the dynamic crypto
map entry.
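The three steps above, together with the Caution at the top of this section, carried through to a working dynamic-peer LAN-to-LAN configuration. This is an added example, not text from the Cisco guide: the entry names dyn1, 101, myset1 and myset2 follow the steps above, while the interface name outside, the address ranges, the crypto map name outside_map, the IKEv2 proposal name AES256-SHA, the IKE policies, the tunnel group and the placeholder pre-shared key are assumptions for illustration.

```cisco
! Added example (not from the Cisco ASA guide). Interface names, addresses,
! crypto-map/proposal names, IKE policies and the pre-shared key are assumed;
! dyn1, 101, myset1 and myset2 follow Steps 1 to 3 above.

! Phase 2 algorithms the dynamic map may offer. These must exist before the
! "set ikev1 transform-set" / "set ikev2 ipsec-proposal" commands reference them.
crypto ipsec ikev1 transform-set myset1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset2 esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! Crypto ACL: only this traffic is tunneled. Scope it to the exact pools on
! both sides; an over-broad ACL pulls unrelated traffic into the tunnel.
access-list 101 extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0

! Step 1: bind the ACL to the dynamic map entry.
crypto dynamic-map dyn1 10 match address 101
! Step 2: allowed transform sets (IKEv1) and proposals (IKEv2), highest priority first.
crypto dynamic-map dyn1 10 set ikev1 transform-set myset1 myset2
crypto dynamic-map dyn1 10 set ikev2 ipsec-proposal AES256-SHA
! Step 3: per-entry SA lifetime, overriding the global value.
crypto dynamic-map dyn1 10 set security-association lifetime seconds 28800
! Reverse Route Injection: the route to 192.168.50.0/24 is installed only while
! an SA to the peer is up. Do NOT add a static "route outside 192.168.50.0 ..."
! or a default route for this traffic (see the Caution above).
crypto dynamic-map dyn1 10 set reverse-route

! A dynamic map is never applied to an interface directly; it is referenced
! from a static crypto map entry. Use the highest sequence number so that
! static (known-peer) entries in the same map are evaluated first.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside

! IKE must be enabled on the interface and a Phase 1 policy must exist.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400

! LAN-to-LAN peers with unknown addresses land in DefaultL2LGroup.
! The pre-shared key below is a placeholder; use a long random value.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
```

Because the peer address is unknown, only the remote side can initiate the tunnel. After it connects, check the result with show crypto dynamic-map (the entry and its ACL), show crypto ipsec sa (the negotiated transform set or proposal and lifetime), and show route, where the 192.168.50.0/24 route injected by RRI should appear only while the SA exists and disappear when it is torn down.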
Cisco ASA Series CLI Configuration Guide
1-36
Chapter 1
Configuring IPsec and ISAKMP