Cisco Security Appliance Command Reference, Version 7.2
crypto ca authenticate through customization Commands

Table Of Contents

crypto ca authenticate through customization Commands

crypto ca authenticate

crypto ca certificate chain

crypto ca certificate map

crypto ca crl request

crypto ca enroll

crypto ca export

crypto ca import

crypto ca trustpoint

crypto dynamic-map match address

crypto dynamic-map set nat-t-disable

crypto dynamic-map set peer

crypto dynamic-map set pfs

crypto dynamic-map set reverse route

crypto dynamic-map set transform-set

crypto ipsec df-bit

crypto ipsec fragmentation

crypto ipsec security-association lifetime

crypto ipsec security-association replay

crypto ipsec transform-set

crypto isakmp am-disable

crypto isakmp disconnect-notify

crypto isakmp enable

crypto isakmp identity

crypto isakmp ipsec-over-tcp

crypto isakmp nat-traversal

crypto isakmp policy

crypto isakmp reload-wait

crypto key generate dsa

crypto key generate rsa

crypto key zeroize

crypto map interface

crypto map ipsec-isakmp dynamic

crypto map match address

crypto map set connection-type

crypto map set inheritance

crypto map set nat-t-disable

crypto map set peer

crypto map set pfs

crypto map set phase1 mode

crypto map set reverse-route

crypto map set security-association lifetime

crypto map set transform-set

crypto map set trustpoint

csc

csd enable

csd image

customization


crypto ca authenticate through customization Commands


crypto ca authenticate

To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate command in global configuration mode. To remove the CA certificate, use the no form of this command.

crypto ca authenticate trustpoint [fingerprint hexvalue] [nointeractive]

no crypto ca authenticate trustpoint

Syntax Description

fingerprint

Specifies a hash value consisting of alphanumeric characters the security appliance uses to authenticate the CA certificate. If a fingerprint is provided, the security appliance compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the security appliance displays the computed fingerprint and asks whether to accept the certificate.

hexvalue

Identifies the hexadecimal value of the fingerprint.

nointeractive

Obtains the CA certificate for this trustpoint in noninteractive mode; intended for use by the device manager only. If no fingerprint is supplied together with this keyword, the security appliance accepts the certificate without any verification, so always supply fingerprint hexvalue when this keyword is used from a script.

trustpoint

Specifies the trustpoint from which to obtain the CA certificate. Maximum name length is 128 characters.


Defaults

This command has no default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the trustpoint is configured for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, the security appliance prompts you to paste the base-64 formatted CA certificate onto the terminal.

The invocations of this command do not become part of the running configuration.

Examples

In the following example, the security appliance requests the certificate of the CA over SCEP. The CA returns its certificate, and the security appliance prompts the administrator to verify it by checking the CA certificate fingerprint. Compare the displayed fingerprint against a known, correct value obtained out of band from the CA (not over the same path the certificate was downloaded on). Accept the certificate only if the two values match.

hostname(config)# crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] yes
hostname(config)# 

In the next example, the trustpoint tp9 is configured for terminal-based (manual) enrollment. In this case the security appliance prompts the administrator to paste the CA certificate to the terminal. After displaying the fingerprint of the certificate, the security appliance prompts the administrator to confirm that the certificate should be retained.

hostname(config)# crypto ca authenticate tp9
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
[ CA certificate data omitted ]
Certificate has the following attributes:
Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
hostname(config)# 
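The following Python script is an added example and is not code from the Cisco command reference. It models the three acceptance paths described above for crypto ca authenticate (fingerprint supplied, interactive prompt, nointeractive with no fingerprint) and provides helpers to compare the fingerprint printed on the console with one obtained out of band. It assumes, because the page does not say, that the fingerprint is the MD5 digest of the certificate's DER encoding printed in 8-hex-digit groups (the form of the 21B598D5 4A81F3E5 0B24D12E 3F89C2E4 line above); the "certificate" it hashes is a constructed stand-in DER blob, not a real X.509 certificate.

```python
"""Added example (not Cisco code): model the trust decision made by
`crypto ca authenticate` and verify a console fingerprint out of band.
Assumption: fingerprint = MD5 over the DER certificate, 8-hex-digit groups."""
import base64
import hashlib
import hmac
import re
from typing import Callable, Optional

# Constructed stand-in for a CA certificate: a 5-byte DER SEQUENCE, not a
# real certificate. Any DER bytes work here because only the digest matters.
FAKE_CA_DER = bytes.fromhex("3003020100")
FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(FAKE_CA_DER).decode() + "\n"
               + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor (what gets pasted at the terminal prompt) and
    base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Digest of the DER bytes, formatted the way the appliance prints it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Treat '21B5 98D5', '21b598d5' and '21:B5:98:D5' as the same value."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(displayed: str, expected: str) -> bool:
    """Compare two fingerprint strings in constant time after normalizing."""
    a, b = normalize(displayed), normalize(expected)
    return len(a) > 0 and hmac.compare_digest(a, b)


def decide(der: bytes, fingerprint_arg: Optional[str], nointeractive: bool,
           operator_accepts: Optional[Callable[[str], bool]] = None) -> str:
    """Mirror the three cases the command reference describes.

    fingerprint given              -> accept only if it matches the computed one
    no fingerprint, interactive    -> show the fingerprint and ask the operator
    no fingerprint, nointeractive  -> accept with no check at all

    Returns "accepted", "rejected" or "unverified" (accepted without a check).
    """
    computed = fingerprint(der)
    if fingerprint_arg is not None:
        return "accepted" if fingerprints_match(computed, fingerprint_arg) else "rejected"
    if nointeractive:
        return "unverified"          # the trust decision was never made
    # Interactive path: the operator compares `computed` with the value the
    # CA published out of band and answers the yes/no prompt.
    if operator_accepts is not None and operator_accepts(computed):
        return "accepted"
    return "rejected"


if __name__ == "__main__":
    fp = fingerprint(pem_to_der(FAKE_CA_PEM))
    print("Fingerprint:", fp)
    print("scripted, fingerprint given :", decide(FAKE_CA_DER, fp, nointeractive=True))
    print("scripted, no fingerprint    :", decide(FAKE_CA_DER, None, nointeractive=True))
```

The "unverified" outcome is the one to design scripts around: a nointeractive authenticate with no fingerprint argument trusts whatever the SCEP server, or anything between the appliance and it, returns.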

Related Commands

Command
Description

crypto ca enroll

Starts enrollment with a CA.

crypto ca import

Installs a certificate received from a CA in response to a manual enrollment request. Also used to import PKCS12 data to a trustpoint.

crypto ca trustpoint

Enters the trustpoint submode for the indicated trustpoint.


crypto ca certificate chain

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the no form of the command or use the exit command.

crypto ca certificate chain trustpoint

Syntax Description


trustpoint

Specifies the trustpoint for configuring the certificate chain.


Defaults

This command has no default values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration

Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example enters CA certificate chain submode for trustpoint central:

hostname(config)# crypto ca certificate chain central
hostname(config-cert-chain)#

Related Commands

Command
Description

clear configure crypto ca trustpoint

Removes all trustpoints.


crypto ca certificate map

To enter CA certificate map mode, use the crypto ca certificate map command in global configuration mode. Executing this command places you in ca-certificate-map mode. Use this group of commands to maintain a prioritized list of certificate mapping rules. The sequence number orders the mapping rules.

To remove a certificate map rule, use the no form of the command.

crypto ca certificate map {sequence-number | map-name sequence-number}

no crypto ca certificate map {sequence-number | map-name [sequence-number]}

Syntax Description

map-name

Specifies a name for a certificate-to-group map.

sequence-number

Specifies a number for the certificate map rule you are creating. The range is 1 through 65535. You can use this number when creating a tunnel-group-map, which maps a tunnel group to a certificate map rule.


Defaults

No default behavior or values for sequence-number.

The default value for map-name is DefaultCertificateMap.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration

Command History

Release
Modification

7.0(1)

This command was introduced.

7.2

Added keyword map-name.


Usage Guidelines

Issuing this command places the security appliance in CA certificate map configuration mode where you can configure rules based on the certificate's issuer and subject distinguished names (DNs). The general form of these rules is as follows:

DN match-criteria match-value

DN is either subject-name or issuer-name. DNs are defined in the ITU-T X.509 standard. For a list of certificate fields, see Related Commands.

match-criteria comprise the following expressions or operators:

attr tag

Limits the comparison to a specific DN attribute, such as common name (CN).

co

Contains

eq

Equal

nc

Does not contain

ne

Not equal


The DN matching expressions are case insensitive.

Examples

The following example enters CA certificate map mode with a map named example-map and a sequence number of 1 (rule 1), and specifies that the common name (CN) attribute of the subject name must equal pat (the comparison is case insensitive, so Pat and PAT also match):

hostname(config)# crypto ca certificate map example-map 1
hostname(ca-certificate-map)# subject-name attr cn eq pat
hostname(ca-certificate-map)#

The following example enters CA certificate map mode with a map named example-map and a sequence number of 1, and specifies that the subject-name contain the value cisco anywhere within it:

hostname(config)# crypto ca certificate map example-map 1
hostname(ca-certificate-map)# subject-name co cisco
hostname(ca-certificate-map)#
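The following Python script is an added example and is not code from the Cisco command reference. It evaluates certificate map rules of the form described in the usage guidelines (DN match-criteria match-value, with subject-name or issuer-name, an optional attr tag, the operators eq, ne, co and nc, and case-insensitive comparison) against a peer certificate's subject and issuer DNs, walking the rules in sequence-number order and returning the first one whose lines all hold. Assumptions not taken from the page: DNs are given as RFC 2253 style strings, and for a multi-valued attribute eq and co hold if any value passes while ne and nc require every value to pass. The sample DNs and the rule set are constructed; rules 1 and 2 correspond to the two examples above.

```python
"""Added example (not Cisco code): evaluate `crypto ca certificate map`
rules against a peer certificate's subject and issuer DNs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample peer certificate DNs (RFC 2253 style strings).
PEER_SUBJECT = "CN=Pat, OU=Engineering, O=Example Corp, C=US"
PEER_ISSUER = "CN=Example Root CA, O=Example Corp, C=US"


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """'CN=Pat, O=Example Corp' -> {'cn': ['Pat'], 'o': ['Example Corp']}.
    Commas are plain separators here; escaped commas are not handled."""
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            tag, value = rdn.split("=", 1)
            attrs.setdefault(tag.strip().lower(), []).append(value.strip())
    return attrs


@dataclass
class Condition:
    """One line entered in ca-certificate-map mode."""
    dn: str                       # subject-name or issuer-name
    op: str                       # eq, ne, co, nc
    value: str
    attr: Optional[str] = None    # e.g. cn; None tests the whole DN string

    def holds(self, subject: str, issuer: str) -> bool:
        target = subject if self.dn == "subject-name" else issuer
        if self.attr is None:
            candidates = [target]
        else:
            candidates = parse_dn(target).get(self.attr.lower(), [])
        want = self.value.lower()                     # case-insensitive match
        got = [c.lower() for c in candidates]
        if self.op == "eq":
            return any(g == want for g in got)
        if self.op == "ne":
            return all(g != want for g in got)
        if self.op == "co":
            return any(want in g for g in got)
        if self.op == "nc":
            return all(want not in g for g in got)
        raise ValueError("unknown operator " + self.op)


def parse_rule_line(line: str) -> Condition:
    """Parse 'subject-name attr cn eq pat' or 'subject-name co cisco'."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("subject-name", "issuer-name"):
        raise ValueError("bad rule line: " + line)
    if parts[1] == "attr":
        if len(parts) < 5:
            raise ValueError("bad rule line: " + line)
        attr, op, value = parts[2], parts[3], " ".join(parts[4:])
    else:
        attr, op, value = None, parts[1], " ".join(parts[2:])
    if op not in ("eq", "ne", "co", "nc") or not value:
        raise ValueError("bad rule line: " + line)
    return Condition(dn=parts[0], op=op, value=value, attr=attr)


@dataclass
class Rule:
    map_name: str
    seq: int                      # 1..65535, orders the rules
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, subject: str, issuer: str) -> bool:
        # Every line of the rule must hold (an empty rule matches everything).
        return all(c.holds(subject, issuer) for c in self.conditions)


def first_match(rules: List[Rule], subject: str, issuer: str) -> Optional[Tuple[str, int]]:
    """Return (map-name, sequence-number) of the lowest-numbered matching rule."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(subject, issuer):
            return rule.map_name, rule.seq
    return None


# Constructed rule set. Rule 1 adds an issuer check to the first example
# above; rule 2 is the second example; rule 10 is a catch-all with a deny.
RULES = [
    Rule("example-map", 1, [parse_rule_line("subject-name attr cn eq pat"),
                            parse_rule_line("issuer-name attr o eq example corp")]),
    Rule("example-map", 2, [parse_rule_line("subject-name co cisco")]),
    Rule("example-map", 10, [parse_rule_line("issuer-name attr cn nc untrusted")]),
]

if __name__ == "__main__":
    print(first_match(RULES, PEER_SUBJECT, PEER_ISSUER))   # ('example-map', 1)
```

Because the first matching rule wins, put the most specific rules at the lowest sequence numbers; a broad co rule placed early (such as rule 2 here) will swallow peers that a later, stricter rule was meant to handle.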

Related Commands

Command
Description

issuer-name

Indicates that rule entry is applied to the issuer DN of the IPSec peer certificate.

subject-name (crypto ca certificate map)

Indicates that rule entry is applied to the subject DN of the IPSec peer certificate.

tunnel-group-map enable

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.



crypto ca crl request

To request a CRL based on the configuration parameters of the specified trustpoint, use the crypto ca crl request command in global configuration mode.

crypto ca crl request trustpoint

Syntax Description

trustpoint

Specifies the trustpoint. Maximum number of characters is 128.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the running configuration.

Examples

The following example requests a CRL based on the trustpoint named central:

hostname(config)# crypto ca crl request central
hostname(config)# 

Related Commands

Command
Description

crl configure

Enters crl configure mode.


crypto ca enroll

To start the enrollment process with the CA, use the crypto ca enroll command in global configuration mode. For this command to execute successfully, the trustpoint must have been configured correctly.

crypto ca enroll trustpoint [noconfirm]

Syntax Description

noconfirm

(Optional) Suppresses all prompts. Enrollment options that might have been prompted for must be pre-configured in the trustpoint. This option is for use in scripts, ASDM, or other such non-interactive needs.

trustpoint

Specifies the name of the trustpoint to enroll with. Maximum number of characters is 128.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration

Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When the trustpoint is configured for SCEP enrollment, the security appliance displays a CLI prompt immediately and displays status messages to the console asynchronously. When the trustpoint is configured for manual enrollment, the security appliance writes a base-64-encoded PKCS10 certification request to the console and then displays the CLI prompt.

This command generates interactive prompts that vary depending on the configured state of the referenced trustpoint.

Examples

The following example enrolls for an identity certificate with trustpoint tp1 using SCEP enrollment. The security appliance prompts for information not stored in the trustpoint configuration.

hostname(config)# crypto ca enroll tp1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
% password to the CA Administrator in order to revoke your certificate.
% For security reasons your password will not be saved in the configuration.
% Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: xyz.example.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA [yes/no]: yes
% Certificate request sent to Certificate authority.
% The certificate request fingerprint will be displayed.
% The `show crypto ca certificate' command will also show the fingerprint.

hostname(config)# 

The next example shows manual (terminal) enrollment with trustpoint tp1. The security appliance writes the base-64 encoded PKCS10 certificate request to the terminal; copy it to the CA and install the issued certificate with the crypto ca import command.

hostname(config)# crypto ca enroll tp1

% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: wb-2600-3.example.com
if serial number not set in trustpoint, prompt:
% Include the router serial number in the subject name? [yes/no]: no
If ip-address not configured in trustpoint:
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 1.2.3.4
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
MIIBFTCBwAIBADA6MTgwFAYJKoZIhvcNAQkIEwcxLjIuMy40MCAGCSqGSIb3DQEJ
AhYTd2ItMjYwMC0zLmNpc2NvLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDT
IdvHa4D5wXZ+40sKQV7Uek1E+CC6hm/LRN3p5ULW1KF6bxhA3Q5CQfh4jDxobn+A
Y8GoeceulS2Zb+mvgNvjAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB
/wQEAwIFoDANBgkqhkiG9w0BAQQFAANBACDhnrEGBVtltG7hp8x6Wz/dgY+ouWcA
lzy7QpdGhb1du2P81RYn+8pWRA43cikXMTeM4ykEkZhLjDUgv9t+R9c=

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
hostname(config)# 

Related Commands

Command
Description

crypto ca authenticate

Obtains the CA certificate for this trustpoint.

crypto ca import

Installs a certificate received from a CA in response to a manual enrollment request. Also used to import PKCS12 data to a trustpoint.

crypto ca trustpoint

Enters the trustpoint submode for the indicated trustpoint.


crypto ca export

To export in PKCS12 format the keys and certificates associated with a trustpoint configuration, use the crypto ca export command in global configuration mode.

crypto ca export trustpoint pkcs12 passphrase

Syntax Description


passphrase

Specifies the passphrase used to encrypt the PKCS12 file for export.

pkcs12

Specifies the public key cryptography standard to use in exporting the trustpoint configuration.

trustpoint

Specifies the name of the trustpoint whose certificate and keys are to be exported. When you export, if the trustpoint uses RSA keys, the exported key pair is assigned the same name as the trustpoint.


Defaults

This command has no default values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration

Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the active configuration. The PKCS12 data is written to the terminal.

Examples

The following example exports PKCS12 data for trustpoint central using xxyyzz as the passphrase. Note that the passphrase appears on the command line and the PKCS12 data (including the private key) is written to the terminal, so run this command only over a protected session and treat the captured output as key material:

hostname(config)# crypto ca export central pkcs12 xxyyzz

Exported pkcs12 follows:

[ PKCS12 data omitted ]

---End - This line not part of the pkcs12---

hostname(config)#

Related Commands

Command
Description

crypto ca import

Installs a certificate received from a CA in response to a manual enrollment request. Also used to import PKCS12 data to a trustpoint.

crypto ca authenticate

Obtains the CA certificate for this trustpoint.

crypto ca enroll

Starts enrollment with a CA.

crypto ca trustpoint

Enters the trustpoint submode for the indicated trustpoint.


crypto ca import

To install a certificate received from a CA in response to a manual enrollment request or to import the certificate and key pair for a trustpoint using PKCS12 data, use the crypto ca import command in global configuration mode. The security appliance prompts you to paste the text to the terminal in base 64 format.

crypto ca import trustpoint certificate [ nointeractive ]

crypto ca import trustpoint pkcs12 passphrase [ nointeractive ]

Syntax Description

trustpoint

Specifies the trustpoint with which to associate the import action. Maximum number of characters is 128. If you import PKCS12 data and the trustpoint uses RSA keys, the imported key pair is assigned the same name as the trustpoint.

certificate

Tells the security appliance to import a certificate from the CA represented by the trustpoint.

pkcs12

Tells the security appliance to import a certificate and key pair for a trustpoint, using PKCS12 format.

passphrase

Specifies the passphrase used to decrypt the PKCS12 data.

nointeractive

(Optional) Imports a certificate using nointeractive mode. This suppresses all prompts. This option is for use in scripts, ASDM, or other such non-interactive needs.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example manually imports a certificate for the trustpoint Main:

hostname(config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be:
securityappliance.example.com

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
[ certificate data omitted ]
quit
INFO: Certificate successfully imported
hostname(config)#

The following example manually imports PKCS12 data to trustpoint central, using the passphrase (xxyyzz) that the data was exported with:

hostname(config)# crypto ca import central pkcs12 xxyyzz

Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully
hostname(config)#

Related Commands

Command
Description

crypto ca export

Exports a trustpoint certificate and key pair in PKCS12 format.

crypto ca authenticate

Obtains the CA certificate for a trustpoint.

crypto ca enroll

Starts enrollment with a CA.

crypto ca trustpoint

Enters the trustpoint submode for the indicated trustpoint.


crypto ca trustpoint

To enter the trustpoint submode for the specified trustpoint, use the crypto ca trustpoint command in global configuration mode. To remove the specified trustpoint, use the no form of this command. This command manages trustpoint information. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint submode control CA-specific configuration parameters, which specify how the security appliance obtains the CA certificate, how the security appliance obtains its own certificate from the CA, and the authentication policies for user certificates issued by the CA.

crypto ca trustpoint trustpoint-name

no crypto ca trustpoint trustpoint-name [noconfirm]

Syntax Description

noconfirm

Suppresses all interactive prompting.

trustpoint-name

Identifies the name of the trustpoint to manage. The maximum name length is 128 characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

Subcommands added to support Online Certificate Status Protocol. These include match certificate map, ocsp disable-nonce, ocsp url, and revocation-check.


Usage Guidelines

Use the crypto ca trustpoint command to declare a CA. Issuing this command puts you in crypto ca trustpoint configuration mode.

You can specify characteristics for the trustpoint using the following commands listed alphabetically in this command reference guide:

accept-subordinates—Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during phase one IKE exchange when not previously installed on the device.

crl required | optional | nocheck—Specifies CRL configuration options.

crl configure—Enters CRL configuration submode (see crl).

default enrollment—Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.

email address—During enrollment, asks the CA to include the specified email address in the Subject Alternative Name extension of the certificate.

enrollment retry period —Specifies a retry period in minutes for automatic (SCEP) enrollment.

enrollment retry count—Specifies a maximum number of permitted retries for automatic (SCEP) enrollment.

enrollment terminal—Specifies cut and paste enrollment with this trustpoint.

enrollment url url—Specifies automatic enrollment (SCEP) to enroll with this trustpoint and configures the enrollment URL (url).

exit—Leaves the submode.

fqdn fqdn—During enrollment, asks the CA to include the specified fully qualified domain name (FQDN) in the Subject Alternative Name extension of the certificate.

id-cert-issuer—Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.

ip-addr ip-address—During enrollment, asks the CA to include the IP address of the security appliance in the certificate.

keypair name—Specifies the key pair whose public key is to be certified.

match certificate map-name override ocsp—Matches a certificate map to an OCSP override rule.

ocsp disable-nonce—Disables the nonce extension, which cryptographically binds revocation requests with responses to avoid replay attacks. Disable it only if the OCSP responder does not support nonces, because without it a captured "good" response can be replayed for a certificate that has since been revoked.

ocsp url—Specifies that the OCSP server at this URL checks all certificates associated with this trustpoint for revocation status.

password string—Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.

revocation-check—Specifies the revocation checking methods, which include CRL, OCSP, and none.

serial-number—During enrollment, asks the CA to include the security appliance's serial number in the certificate.

subject-name X.500 name—During enrollment, asks the CA to include the specified subject DN in the certificate.

support-user-cert-validation—If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate. This option applies to the configuration data associated with the subcommands crl required | optional | nocheck and all settings in the CRL sub mode.

Examples

The following example enters CA trustpoint mode for managing a trustpoint named central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# 

Related Commands

Command
Description

clear configure crypto ca trustpoint

Removes all trustpoints.

crypto ca authenticate

Obtains the CA certificate for this trustpoint.

crypto ca certificate map

Enters crypto CA certificate map mode. Defines certificate-based ACLs.

crypto ca crl request

Requests a CRL based on configuration parameters of specified trustpoint.

crypto ca import

Installs a certificate received from a CA in response to a manual enrollment request. Also used to import PKCS12 data to a trustpoint.


crypto dynamic-map match address

See the crypto map match address command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

Syntax Description

acl_name

Identifies the access-list to be matched for the dynamic crypto map entry.

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows the use of the crypto dynamic-map command to match address of an access list named aclist1:

hostname(config)# crypto dynamic-map mymap 10 match address aclist1
hostname(config)# 

Related Commands

Command
Description

clear configure crypto dynamic-map

Clears all configuration for all the dynamic crypto maps.

show running-config crypto dynamic-map

Displays all configuration for all the dynamic crypto maps.


crypto dynamic-map set nat-t-disable

To disable NAT-T for connections based on this dynamic crypto map entry, use the crypto dynamic-map set nat-t-disable command in global configuration mode. To enable NAT-T for this crypto map entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable

no crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable

Syntax Description

dynamic-map-name

Specifies the name of the crypto dynamic map set.

dynamic-seq-num

Specifies the number you assign to the crypto dynamic map entry.


Defaults

By default, NAT-T is not disabled for a dynamic crypto map entry; the global crypto isakmp nat-traversal setting applies.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the crypto isakmp nat-traversal command to globally enable NAT-T. Then you can use the crypto dynamic-map set nat-t-disable command to disable NAT-T for specific dynamic crypto map entries.

Examples

The following command disables NAT-T for entry 10 of the dynamic crypto map named mymap:

hostname(config)# crypto dynamic-map mymap 10 set nat-t-disable
hostname(config)#

Related Commands

Command
Description

clear configure crypto dynamic-map

Clears all configuration for all the dynamic crypto maps.

show running-config crypto dynamic-map

Displays all configuration for all the dynamic crypto maps.


crypto dynamic-map set peer

See the crypto map set peer command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname

no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.

ip_address

Identifies the peer in the dynamic crypto map entry by IP address.

hostname

Identifies the peer in the dynamic crypto map entry by hostname, as defined by the name command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode              Security Context
                        Routed    Transparent      Single    Multiple
                                                             Context    System
Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example sets the peer for entry 10 of the dynamic crypto map named mymap to the IP address 10.0.0.1:

hostname(config)# crypto dynamic-map mymap 10 set peer 10.0.0.1
hostname(config)#

Related Commands

Command
Description

clear configure crypto dynamic-map

Clears all configuration for all the dynamic crypto maps.

show running-config crypto dynamic-map

Displays all configuration for all the dynamic crypto maps.


crypto dynamic-map set pfs

See the crypto map set pfs command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5 | group7]

no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5 | group7]

Syntax Description

dynamic-map-name

Specifies the name of the dynamic