Command Reference
This chapter provides detailed descriptions of the IPSec-related PIX Firewall commands. For all other PIX Firewall commands, see the "Command Reference" chapter of the Cisco Secure PIX Firewall Configuration Guide, Version 5.2.
The following notes can help you as you configure the PIX Firewall:
• View your configuration at any time with the write terminal command.
• Save your configuration frequently with the write memory command.
• Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in help aaa.
• View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered debugging command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in the System Log Messages for the Cisco PIX Firewall Version 5.2.
• Abbreviate commands, such as using the con te command statement to start configuration mode, the wr t command statement to list the configuration, and wr m to write to Flash memory. Start logging with the lo b 7 command statement and show logging messages with the sh lo command statement.
• After changing or removing the alias, access-list, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.
• You can view possible port and protocol numbers at the following IANA web sites:
http://www.iana.org/assignments/port-numbers
http://www.iana.org/assignments/protocol-numbers
http://www.iana.org/numbers.htm
• Create your configuration in a text editor and then cut and paste it into the configuration. PIX Firewall lets you paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.
ca
Configure the PIX Firewall to interoperate with a certification authority (CA). (Configuration mode.)
ca authenticate ca_nickname [fingerprint]
ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
no ca configure ca_nickname
show ca configure
ca crl request ca_nickname
no ca crl
ca enroll ca_nickname challenge_password [serial] [ipaddress]
no ca enroll ca_nickname
ca generate rsa key | specialkey key_modulus_size
ca identity ca_nickname ca_ipaddress[:ca_script_location] [ldap_ip address]
no ca identity ca_nickname
show ca identity
ca save all
no ca save all
ca zeroize rsa [keypair_name]
show ca certificate
show ca crl
show ca mypubkey rsa
Syntax Description
Usage Guidelines
The sections that follow describe each ca command.
Note
The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. See "CA Configuration Examples," for a list of specific CA server versions the PIX Firewall supports.
Note
If you are using the VeriSign CA, you must use the crloptional parameter with the ca configure command.
Note
The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT. Set the PIX Firewall clock to GMT to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.
ca authenticate
The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.
In order to authenticate a peer's certificate(s), a PIX Firewall must obtain the CA certificate containing the CA public key. Because the CA certificate is self-signed, the key should be authenticated manually by contacting the CA administrator. You can authenticate the public key in that certificate by including the key's fingerprint, retrieved through some out-of-band process, within the ca authenticate command. If the fingerprint you specified differs from the received one, the PIX Firewall discards the received CA certificate and generates an error message. You can also simply compare the two fingerprints yourself without entering the fingerprint within the command.
If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.
The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.
To view the CA's certificate, use the show ca certificate command.
Note
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.
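The fingerprint check that the two Examples below walk through, as an added Python example (not PIX code and not from Cisco): it normalizes the fingerprint the firewall displays against the value obtained out of band and accepts only on an exact, equal-length match, so a truncated or partially copied reference value never passes. The sample fingerprints are the ones printed in the Examples; the function names are the example's own.

```python
import hmac
import re

# Sample values taken from the two ca authenticate examples on this page:
# the fingerprint the PIX printed for the received CA certificate, the
# reference value obtained out of band from the CA administrator, and the
# fingerprint printed in the mismatch example.
RECEIVED_FINGERPRINT = "0123 4567 89AB CDEF 0123"
OUT_OF_BAND_FINGERPRINT = "0123456789ABCDEF0123"
MISMATCHED_FINGERPRINT = "0123 4567 89AB CDEF 5432"


def normalize_fingerprint(fp):
    """Canonicalize a fingerprint: drop whitespace and colons, upper-case the hex."""
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) % 2:
        raise ValueError("fingerprint is not an even-length hex string")
    return cleaned


def fingerprints_match(received, expected):
    """True only if both fingerprints are identical after normalization.

    compare_digest is constant-time and returns False for unequal lengths,
    so a prefix of the real fingerprint is never accepted."""
    a = normalize_fingerprint(received)
    b = normalize_fingerprint(expected)
    return hmac.compare_digest(a.encode(), b.encode())


def decide(received, expected):
    """Mirror the command's behaviour: keep the CA certificate on a match,
    otherwise discard it and report the mismatch."""
    if fingerprints_match(received, expected):
        return "accept CA certificate"
    return "discard CA certificate: fingerprint mismatch"


if __name__ == "__main__":
    print(decide(RECEIVED_FINGERPRINT, OUT_OF_BAND_FINGERPRINT))
    print(decide(MISMATCHED_FINGERPRINT, OUT_OF_BAND_FINGERPRINT))
```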
Examples
In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.
ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.
ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint.
Type help or `?' for a list of available commands.
ca configure
The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.
Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.
Note
When using VeriSign as your CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the PIX Firewall validates the certificate during main mode, which causes the peer PIX Firewall to fail. This problem occurs because the PIX Firewall is not able to poll the CRL from the VeriSign CA.
Examples
The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.
ca configure myca ca 5 15 crloptional
ca crl request
The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall.
A PIX Firewall automatically requests a CRL from the CA at various times, depending on whether the CA is in the RA mode or not. If the CA is not in the RA mode, a CRL is requested whenever the system reboots and finds that it does not already contain a valid (un-expired) CRL. If the CA is in the RA mode, no CRL can be obtained until a peer's certificate is sent via an ISAKMP exchange. This is because the certificate itself contains the location where the PIX Firewall must query to get the appropriate CRL. When a CRL expires, the PIX Firewall automatically requests an updated one. Until a new valid CRL is obtained, the PIX Firewall will not accept peers' certificates.
Use the ca crl request command only if your CA does not support an RA. A CRL lists all the network's devices' certificates that have been revoked. The PIX Firewall will not accept revoked certificates; therefore, any peer with a revoked certificate cannot exchange IPSec traffic with your PIX Firewall.
The first time your PIX Firewall receives a certificate from a peer, it will download a CRL from the CA. Your PIX Firewall then checks the CRL to make sure the peer's certificate has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your PIX Firewall receives a peer's certificate after the applicable CRL has expired, it will download the new CRL.
If your PIX Firewall has a CRL which has not yet expired, but you suspect that the CRL's contents are out of date, use the ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
The ca crl request command is not saved with the PIX Firewall configuration between reloads.
Examples
The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:
ca crl request myca
ca enroll
The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your PIX Firewall needs a signed certificate from the CA for each of its RSA key pairs; if you previously generated general purpose keys, the ca enroll command will obtain one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys, you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first.
The ca enroll command is not saved with the PIX Firewall configuration between reloads. To verify if the enrollment process succeeded and to display the PIX Firewall unit's certificate, use the show ca certificate command. If you want to cancel the current enrollment request, use the no ca enroll command.
The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
This password is not stored anywhere, so you need to remember this password.
If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.
The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.
The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.
Note
When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command page for information about the isakmp identity address command.
Examples
The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.
ca enroll myca.example.com 1234567890 serial
ca generate rsa
The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Before issuing this command, make sure your PIX Firewall has a hostname and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a hostname and domain name.
The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.
Examples
In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.
ca generate rsa key 2048
Note
You cannot generate both special usage and general purpose keys; you can only generate one or the other.
ca identity
The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.
The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, include the location and the name of the script within the ca identity command statement.
By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.
Examples
The following example indicates that the CA myca.example.com is declared as the PIX Firewall unit's supported CA. The CA's IP address of 205.139.94.231 is provided.
ca identity myca.example.com 205.139.94.231
ca save all
The ca save all command allows you to save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save all command removes the saved data from the PIX Firewall unit's Flash memory.
The ca save all command itself is not saved with the PIX Firewall configuration between reloads.
To view the current status of requested certificates, and relevant information of received certificates, such as CA and RA certificates, use the show ca certificate command. Because the certificates contain no sensitive data, any user is allowed to issue this show command.
ca zeroize rsa
The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:
•
Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.
•
Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the ca enroll command.
To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.
Note
You may have more than one pair of RSA keys due to SSH. See the ssh command page within Chapter 5, "Command Reference," of the Cisco PIX Firewall Configuration Guide, Version 5.2.
Examples
show ca certificate
The show ca certificate command displays the CA Server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX Firewall's certificates.
Examples
The following is sample output of the show ca certificate command. The CA certificate stems from a Microsoft CA server previously generated for this PIX Firewall:
show ca certificate
RA Signature Certificate
Status: Available
Certificate Serial Number: 6106e08a000000000005
Key Usage: Signature
CN = SCEP
OU = VSEC
O = Cisco
L = San Jose
ST = CA
C = US
EA =<16> username@example.com
Validity Date:
start date: 17:17:09 Jul 11 2000
end date: 17:27:09 Jul 11 2001
Certificate
Status: Available
Certificate Serial Number: 1f80655400000000000a
Key Usage: General Purpose
Subject Name
Name: pixfirewall.example.com
Validity Date:
start date: 20:06:23 Jul 17 2000
end date: 20:16:23 Jul 17 2001
CA Certificate
Status: Available
Certificate Serial Number: 25b81813efe58fb34726eec44ae82365
Key Usage: Signature
CN = MSCA
OU = Cisco
O = VSEC
L = San Jose
ST = CA
C = US
EA =<16> username@example.com
Validity Date:
start date: 17:07:34 Jul 11 2000
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 6106e24c000000000006
Key Usage: Encryption
CN = SCEP
OU = VSEC
O = Cisco
L = San Jose
ST = CA
C = US
EA =<16> username@example.com
Validity Date:
start date: 17:17:10 Jul 11 2000
end date: 17:27:10 Jul 11 01
The following strings within the show ca certificate sample output are defined:
show ca crl
The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded.
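To make the CRL rules from the ca crl request description concrete, here is an added Python example (not PIX code and not from Cisco): it parses the LastUpdate/NextUpdate window out of the show ca crl output shown in the Examples that follow, treats the timestamps as GMT as the note at the start of this chapter requires, and accepts a peer certificate only against a valid, unexpired CRL. The revoked serial number is constructed for the example, since the page does not show a CRL body; the handling of a missing CRL follows the crloptional description under ca configure.

```python
from datetime import datetime, timezone

# Constructed sample input: the "show ca crl" output from this page, one
# field per line. REVOKED_SERIALS is invented; the page shows no CRL body.
SHOW_CA_CRL_OUTPUT = """\
CRL:
CRL Issuer Name:
CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA=<16> username@example.com
LastUpdate: 17:07:40 Jul 11 2000
NextUpdate: 05:27:40 Jul 19 2000
"""
REVOKED_SERIALS = {"6106e08a000000000005"}

PIX_TIME_FORMAT = "%H:%M:%S %b %d %Y"


def parse_pix_time(text):
    """Parse a PIX timestamp such as '17:07:40 Jul 11 2000'. Certificate and
    CRL lifetimes are checked in GMT, so the value is tagged as UTC."""
    return datetime.strptime(text.strip(), PIX_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_show_ca_crl(output):
    """Pull the issuer and the LastUpdate/NextUpdate window out of the text."""
    crl = {}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("CRL Issuer Name:"):
            crl["issuer"] = lines[i + 1].strip()
        elif line.startswith("LastUpdate:"):
            crl["last_update"] = parse_pix_time(line.split(":", 1)[1])
        elif line.startswith("NextUpdate:"):
            crl["next_update"] = parse_pix_time(line.split(":", 1)[1])
    if {"issuer", "last_update", "next_update"} - set(crl):
        raise ValueError("incomplete show ca crl output")
    return crl


def crl_status(crl, now):
    """'valid' inside the LastUpdate..NextUpdate window; 'expired' once
    NextUpdate has passed (the PIX then requests a fresh CRL); or
    'clock-before-crl' when the local clock predates the CRL, which usually
    means the firewall clock is not set to GMT."""
    if now < crl["last_update"]:
        return "clock-before-crl"
    if now >= crl["next_update"]:
        return "expired"
    return "valid"


def peer_certificate_accepted(serial, crl, revoked, now, crloptional=False):
    """Accept a peer certificate only when it is absent from a valid CRL.
    crl=None models 'no CRL could be obtained from the CA'; such peers are
    accepted only when the CA was configured with the crloptional option."""
    if crl is None:
        return crloptional
    if crl_status(crl, now) != "valid":
        return False          # no peers accepted until a valid CRL is obtained
    return serial.lower() not in revoked


if __name__ == "__main__":
    crl = parse_show_ca_crl(SHOW_CA_CRL_OUTPUT)
    now = parse_pix_time("12:00:00 Jul 15 2000")
    print(crl_status(crl, now),
          peer_certificate_accepted("1f80655400000000000a", crl, REVOKED_SERIALS, now))
```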
Examples
The following is a sample output of the show ca crl command. See Table 12-1 for descriptions of the strings within the following sample output:
show ca crl
CRL:
CRL Issuer Name:
CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA=<16> username@example.com
LastUpdate: 17:07:40 Jul 11 2000
NextUpdate: 05:27:40 Jul 19 2000
show ca mypubkey rsa
The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.
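The encoding described above is a DER SubjectPublicKeyInfo structure wrapping a PKCS#1 RSAPublicKey. The following added Python example (not PIX code and not from Cisco) decodes the two key blobs printed in the Examples that follow and reports the modulus size and public exponent, which is how an auditor confirms what key length a firewall is actually using. The key data is copied from the sample output; the 2048-bit acceptance threshold is the example's own assumption.

```python
# Key data copied from the two "show ca mypubkey rsa" entries on this page
# (32-bit words separated by whitespace, as the PIX prints them).
PIX_PUBLIC_KEYS = {
    "Signature Key": """
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001""",
    "Encryption Key": """
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001""",
}
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

SEQUENCE, INTEGER, BIT_STRING, OBJECT_ID = 0x30, 0x02, 0x03, 0x06


def read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value element starting at pos.
    Returns (value bytes, position after the element). Handles both the
    short form and the long (multi-byte) form of the length."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_words):
    """Decode a SubjectPublicKeyInfo blob to (modulus, exponent, modulus_bits)."""
    der = bytes.fromhex("".join(hex_words.split()))
    spki, end = read_tlv(der, 0, SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = read_tlv(spki, 0, SEQUENCE)          # AlgorithmIdentifier
    oid, _ = read_tlv(alg, 0, OBJECT_ID)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    bitstr, _ = read_tlv(spki, pos, BIT_STRING)     # holds the PKCS#1 RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsakey, _ = read_tlv(bitstr, 1, SEQUENCE)
    n_bytes, pos = read_tlv(rsakey, 0, INTEGER)
    e_bytes, _ = read_tlv(rsakey, pos, INTEGER)
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return modulus, exponent, modulus.bit_length()


def modulus_size_acceptable(bits, minimum=2048):
    """Current guidance treats RSA moduli below 2048 bits as too weak (assumed threshold)."""
    return bits >= minimum


if __name__ == "__main__":
    for usage, words in PIX_PUBLIC_KEYS.items():
        n, e, bits = parse_rsa_public_key(words)
        print(f"{usage}: {bits}-bit modulus, e={e}, acceptable={modulus_size_acceptable(bits)}")
```

Run against the page's sample output, both keys decode to 512-bit moduli with exponent 65537; a modulus that small would not pass a present-day review, which is exactly the kind of finding this check exists to surface.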
Examples
The following is sample output of the show ca mypubkey rsa command. Special usage RSA keys were previously generated for this PIX Firewall using the ca generate rsa command:
show ca mypubkey rsa
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
Usage: Signature Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: pixfirewall.example.com
Usage: Encryption Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001
clear Commands
Remove commands from the configuration or reset command values. (All modes.)
Table 12-2 lists each mode in which the clear commands first appear. Each clear command listed in one mode can also be accessed in each subsequent, more secure mode going from unprivileged to configuration mode, but not from less secure modes.
crypto dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)
crypto dynamic-map dynamic-map-name dynamic-seq-num
no crypto dynamic-map dynamic-map-name [dynamic-seq-num]
crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address
no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
no crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds | kilobytes
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num]
show crypto dynamic-map [tag dynamic-map-name]
Syntax Description
Note
The crypto dynamic-map subcommands, such as match address, set peer, and set pfs, are described in the crypto map command page. See that command page for the descriptions of these commands, including syntax descriptions. For set pfs: if the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 is assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.
Usage Guidelines
The sections that follow describe each crypto dynamic-map command.
crypto dynamic-map
The crypto dynamic-map command allows you to create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map command removes all of the dynamic crypto map command statements. Specifying the name of a given dynamic crypto map removes the associated crypto dynamic-map command statement(s); you can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements for that entry. The show crypto dynamic-map command allows you to view a dynamic crypto map set.
Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)
When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.
The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)
If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
Dynamic crypto maps are used for determining whether or not traffic should be protected.
Note
The only parameter required in a dynamic crypto map is the set transform-set. All other parameters are optional.
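To show how the sequence-ordered matching described above plays out, here is an added Python model (not PIX code and not from Cisco) of the crypto map set configured in the Examples that follow: static entries mymap 10 and 20 with their peers, and mymap 30 referencing mydynamicmap 10. The contents of access lists 101, 102 and 103 and the addresses in the proposals are constructed, since the page does not show them, and the matching rules are a simplification of the behaviour the page describes: a request that does not match a static entry is accepted through the dynamic entry only after IKE authentication, only if its flow is permitted by the dynamic entry's access list, and only if it proposes one of the dynamic entry's transform sets.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed access lists; the page does not show 101/102/103.
ACCESS_LISTS = {
    "101": [("192.168.1.0/24", "10.10.1.0/24")],
    "102": [("192.168.1.0/24", "10.10.2.0/24")],
    "103": [("192.168.1.0/24", "0.0.0.0/0")],     # permit ip 192.168.1.0/24 any
}


@dataclass
class CryptoMapEntry:
    seq: int
    acl: str                                     # match address acl_name
    transform_sets: list                         # set transform-set ...
    peers: list = field(default_factory=list)    # set peer ... (empty = wildcard)
    dynamic: bool = False                        # referenced via "dynamic <name>"


@dataclass
class Proposal:
    peer: str
    local_net: str
    remote_net: str
    transform_set: str
    ike_authenticated: bool = True


# The crypto map set from the Examples: mymap 10, 20 and 30 -> mydynamicmap 10.
MYMAP = [
    CryptoMapEntry(10, "101", ["my_t_set1"], ["10.0.0.1", "10.0.0.2"]),
    CryptoMapEntry(20, "102", ["my_t_set1", "my_t_set2"], ["10.0.0.3"]),
    CryptoMapEntry(30, "103", ["my_t_set1", "my_t_set2", "my_t_set3"], dynamic=True),
]


def flow_permitted(acl_name, local_net, remote_net):
    """True if the proposed flow falls inside a permit line of the access list."""
    for src, dst in ACCESS_LISTS[acl_name]:
        if (ip_network(local_net).subnet_of(ip_network(src))
                and ip_network(remote_net).subnet_of(ip_network(dst))):
            return True
    return False


def evaluate_proposal(crypto_map, proposal):
    """Walk the map in sequence order; return (decision, entry used or None)."""
    if not proposal.ike_authenticated:
        return "reject: IKE authentication not complete", None
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not flow_permitted(entry.acl, proposal.local_net, proposal.remote_net):
            continue
        if proposal.transform_set not in entry.transform_sets:
            continue
        if entry.dynamic:
            # Wildcard parameters are filled in from the negotiation result and
            # a temporary entry is installed for the life of the resulting SAs.
            temp = CryptoMapEntry(entry.seq, entry.acl, [proposal.transform_set], [proposal.peer])
            return "accept: dynamic map, temporary entry installed", temp
        if proposal.peer in entry.peers:
            return f"accept: static entry {entry.seq}", entry
    return "reject: no matching crypto map entry", None


if __name__ == "__main__":
    known = Proposal("10.0.0.1", "192.168.1.0/24", "10.10.1.0/24", "my_t_set1")
    unknown = Proposal("203.0.113.5", "192.168.1.0/24", "172.16.0.0/16", "my_t_set3")
    print(evaluate_proposal(MYMAP, known)[0])
    print(evaluate_proposal(MYMAP, unknown)[0])
```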
Examples
The following example configures an IPSec crypto map set.
Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
The following is sample output for the show crypto dynamic-map command:
show crypto dynamic-map
Crypto Map Template "dyn1" 10
access-list 152 permit ip host 172.21.114.67 any
Current peer: 0.0.0.0
Security association lifetime: 4608000 kilobytes/120 seconds
PFS (Y/N): N
Transform sets={ tauth, t1, }
The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set tauth ah-sha-hmac
crypto dynamic-map dyn1 10
crypto dynamic-map dyn1 set transform-set tauth t1
crypto dynamic-map dyn1 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any
crypto dynamic-map match address
See the crypto map match address command within the crypto map command page for information about this command.
crypto dynamic-map set peer
See the crypto map set peer command within the crypto map command page for information about this command.
crypto dynamic-map set pfs
See the crypto map set pfs command within the crypto map command page for information about this command.
crypto dynamic-map set security-association lifetime
See the crypto map set security-association lifetime command within the crypto map command page for information about this command.
crypto dynamic-map set transform-set
See the crypto map set transform-set command within the crypto map command page for information about this command.
Note
The crypto map set transform-set command is required for dynamic crypto map entries.
crypto ipsec
Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets. (Configuration mode.)
crypto ipsec security-association lifetime seconds seconds | kilobytes kilobytes
no crypto ipsec security-association lifetime seconds | kilobytes
show crypto ipsec security-association lifetime
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
no crypto ipsec transform-set transform-set-name
show crypto ipsec transform-set [tag transform-set-name]
clear [crypto] ipsec sa
clear [crypto] ipsec sa counters
clear [crypto] ipsec sa entry destination-address protocol spi
clear [crypto] ipsec sa map map-name
clear [crypto] ipsec sa peer
show crypto ipsec sa [map map-name | address | identity] [detail]
Syntax Description
Usage Guidelines
The sections that follow describe each crypto ipsec command.
crypto ipsec security-association lifetime
The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
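The lifetime rules above (per-entry value over global value, the responder taking the smaller of the two proposals, expiry on the first of the two lifetimes, the 30-second and 256-kilobyte rekey margins, idle security associations and ipsec-manual entries) as an added Python model. This is example code written for this page, not PIX Firewall code or Cisco's; the entry names, lifetime values and the 28800-second default used in it are constructed assumptions (the 4608000-kilobyte figure is the one shown in this section's sample output).

```python
# Added example (not PIX code): a plain-Python model of the IPSec security association
# lifetime rules described in this section. All values below are constructed.
from dataclasses import dataclass
from typing import Optional

REKEY_SECONDS_MARGIN = 30      # a new SA is negotiated 30 s before the timed lifetime ends
REKEY_KILOBYTES_MARGIN = 256   # ... or 256 KB before the traffic-volume lifetime is reached


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


# 4608000 KB appears in the page's sample output; 28800 s is an assumed global default.
DEFAULT_GLOBAL = Lifetime(seconds=28800, kilobytes=4608000)


@dataclass
class CryptoMapEntry:
    name: str
    seq_num: int
    manual: bool = False                 # ipsec-manual entries ignore lifetimes entirely
    lifetime: Optional[Lifetime] = None  # 'set security-association lifetime' on the entry


def local_lifetime(entry: CryptoMapEntry, global_lifetime: Lifetime = DEFAULT_GLOBAL) -> Lifetime:
    """The entry's own lifetime wins; otherwise the global value applies."""
    return entry.lifetime if entry.lifetime is not None else global_lifetime


def negotiated_lifetime(local: Lifetime, peer_proposal: Lifetime) -> Lifetime:
    """Responder side: take the smaller of the peer's proposal and the local value, per field."""
    return Lifetime(min(local.seconds, peer_proposal.seconds),
                    min(local.kilobytes, peer_proposal.kilobytes))


@dataclass
class SecurityAssociation:
    lifetime: Lifetime
    manual: bool = False
    age_seconds: int = 0
    kilobytes_protected: int = 0

    def expired(self) -> bool:
        """Expires when the first of the two lifetimes is reached; manual SAs never do."""
        if self.manual:
            return False
        return (self.age_seconds >= self.lifetime.seconds
                or self.kilobytes_protected >= self.lifetime.kilobytes)

    def rekey_due(self) -> bool:
        """Negotiate a replacement ahead of expiry, but only if the SA has carried traffic."""
        if self.manual or self.kilobytes_protected == 0:
            return False
        return (self.age_seconds >= self.lifetime.seconds - REKEY_SECONDS_MARGIN
                or self.kilobytes_protected >= self.lifetime.kilobytes - REKEY_KILOBYTES_MARGIN)


def next_action(sa: SecurityAssociation) -> str:
    """'rekey' (proactive replacement), 'idle-expired' (expired without traffic; a new SA is
    negotiated only when the next packet needing protection arrives), or 'keep'."""
    if sa.rekey_due():
        return "rekey"
    if sa.expired():
        return "idle-expired"
    return "keep"
```

The idle case is the one worth noticing when reading show output: an SA that expired without carrying traffic shows no replacement, and that is expected behaviour rather than a failed negotiation.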
Examples
This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).
crypto ipsec security-association lifetime seconds 2700
crypto ipsec security-association lifetime kilobytes 2304000
The following is sample output for the show crypto ipsec security-association lifetime command:
show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds
The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set
The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.
A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers' IPSec security associations.
When security associations are established manually, a single transform set must be used. The transform set is not negotiated.
Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.
To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.
Examples of acceptable transform combinations are as follows:
• ah-md5-hmac
• esp-des
• esp-des and esp-md5-hmac
• ah-sha-hmac and esp-des and esp-sha-hmac
If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.
If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.
For more information about transform sets, see "Transform Sets" in "About IPSec."
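The transform combination rules listed above and the matching rule (the peers look for a transform set that is identical at both ends, in the order the crypto map entry lists them; an ipsec-manual entry takes exactly one set and negotiates nothing) as an added Python example. This is code written for this page, not PIX Firewall code; the transform names are the ones used in this section, and the transform-set names and peer configuration in the tests are constructed.

```python
# Added example (not PIX code): a model of the transform-set rules in this section.
from typing import Dict, Optional, Sequence, Tuple

AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCRYPTION = {"esp-des"}          # the ESP encryption transform shown on this page
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_TRANSFORMS | ESP_ENCRYPTION | ESP_AUTH


def validate_transform_set(transforms: Sequence[str]) -> Tuple[bool, str]:
    """Check one 'crypto ipsec transform-set' argument list against the page's rules:
    one to three transforms; AH, ESP, or both; at most one of each kind; and an ESP
    authentication transform only alongside an ESP encryption transform."""
    if not 1 <= len(transforms) <= 3:
        return False, "one to three transforms required"
    unknown = sorted(t for t in transforms if t not in KNOWN)
    if unknown:
        return False, "unknown transform(s): " + ", ".join(unknown)
    ah = [t for t in transforms if t in AH_TRANSFORMS]
    enc = [t for t in transforms if t in ESP_ENCRYPTION]
    auth = [t for t in transforms if t in ESP_AUTH]
    if max(len(ah), len(enc), len(auth)) > 1:
        return False, "at most one AH, one ESP encryption and one ESP authentication transform"
    if auth and not enc:
        return False, "ESP authentication requires an ESP encryption transform"
    return True, "ok"


# One peer's configuration: transform-set name -> the transforms it contains.
TransformSets = Dict[str, Tuple[str, ...]]


def negotiate_transform_set(local_preference: Sequence[str], local_sets: TransformSets,
                            peer_sets: TransformSets, manual: bool = False
                            ) -> Optional[Tuple[str, str]]:
    """Pick the first transform set, in the crypto map entry's 'set transform-set' order,
    whose transforms are identical to some transform set at the peer. Names are local
    labels and need not match; the protocol/algorithm combination must.
    Returns (local_name, peer_name), or None when the peers share no transform set."""
    if manual and len(local_preference) != 1:
        raise ValueError("ipsec-manual entries must reference exactly one transform set")
    for local_name in local_preference:
        local_t = frozenset(local_sets[local_name])
        for peer_name, peer_t in peer_sets.items():
            if local_t == frozenset(peer_t):
                return local_name, peer_name
    return None
```

Order is the operational point: with "set transform-set a b c", the first set in that list that the peer also has is the one used, so list the strongest acceptable combination first.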
Examples
This example defines one transform set (named "standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example:
crypto ipsec transform-set standard esp-des esp-md5-hmac
The following is sample output for the show crypto ipsec transform-set command:
show crypto ipsec transform-set
Transform set combined-des-sha: { esp-des esp-sha-hmac }
    will negotiate = { Tunnel, },
Transform set combined-des-md5: { esp-des esp-md5-hmac }
    will negotiate = { Tunnel, },
Transform set t1: { esp-des esp-md5-hmac }
    will negotiate = { Tunnel, },
Transform set t100: { ah-sha-hmac }
    will negotiate = { Tunnel, },
Transform set t2: { ah-sha-hmac }
    will negotiate = { Tunnel, },
    { esp-des }
    will negotiate = { Tunnel, },
The following configuration was in effect when the above show crypto ipsec transform-set command was issued:
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des
clear [crypto] ipsec sa
The clear [crypto] ipsec sa command clears (deletes) IPSec security associations. The keyword crypto is optional.
If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)
If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.
The peer keyword deletes any IPSec security associations for the specified peer.
The map keyword deletes any IPSec security associations for the named crypto map set.
The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.
If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.
If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.
Note
If you make significant changes to an IPSec configuration such as access-list or peers, the clear [crypto] ipsec sa command will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.
If the PIX Firewall is processing active IPSec traffic, Cisco recommends that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.
Note
The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec security associations at the PIX Firewall:
clear crypto ipsec sa
The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto ipsec sa entry 10.0.0.1 AH 256
show crypto ipsec sa
The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).
Note
While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.
Note
Output of the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol supplied with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.
Examples
The following is sample output for the show crypto ipsec sa command:
show crypto ipsec sa
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
    local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
    current_peer: 172.21.114.67
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
    local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
    path mtu 1500, media mtu 1500
    current outbound spi: 20890A6F
    inbound esp sas:
        spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
    inbound ah sas:
    outbound esp sas:
        spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
    outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
    local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
    current_peer: 172.21.114.67
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
    local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
    path mtu 1500, media mtu 1500
    current outbound spi: 20890A6F
    inbound esp sas:
        spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
    inbound ah sas:
    outbound esp sas:
        spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
    outbound ah sas:
crypto map
To create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)
Note
The PIX 506 does not support use of the crypto map map-name client authentication aaa-group-tag command. Also, only four ISAKMP peers can be specified for the PIX 506.
crypto map map-name client [token] authentication aaa-server-name
no crypto map map-name client [token] authentication aaa-server-name
crypto map map-name client configuration address initiate | respond
no crypto map map-name client configuration address initiate | respond
crypto map map-name interface interface-name
no crypto map map-name interface interface-name
show crypto map [interface interface-name | tag map-name]
crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
no crypto map map-name seq-num
crypto map map-name seq-num match address acl_name
no crypto map map-name seq-num match address acl_name
crypto map map-name seq-num set peer hostname | ip-address
no crypto map map-name seq-num set peer hostname | ip-address
crypto map map-name seq-num set pfs [group1 | group2]
no crypto map map-name seq-num set pfs
crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
no crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string
no crypto map map-name seq-num set session-key inbound | outbound ah
crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]
no crypto map map-name seq-num set session-key inbound | outbound esp
crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]
no crypto map map-name seq-num set transform-set transform-set-name1 [... transform-set-name6]
Syntax Description
Usage Guidelines
The sections that follow describe each crypto map command.
crypto map client authentication
The crypto map client authentication command enables the Extended Authentication (Xauth) feature, which allows you to prompt for a TACACS+/RADIUS username and password during IKE authentication. You must first have your basic AAA server set up to be able to use this feature. This command tells the PIX Firewall during Phase 1 of IKE to use the Xauth (RADIUS/TACACS+) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted. Use the no crypto map client authentication command to restore the default value. The Xauth feature is not enabled by default.
Note
Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.
The crypto map client token authentication command enables the PIX Firewall to interoperate with a Cisco VPN 3000 Client that is set up to use a token-based server for user authentication. The keyword token tells the PIX Firewall that the AAA Server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.
Note
The remote user must be running one of the following:
Cisco Secure VPN Client, version 1.1 or later
Cisco VPN 3000 Client, version 2.5 or later
Examples
The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for IPSec VPN encryption. The ip, nat, and aaa-server command statements establish the context for the IPSec-related commands.
ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
The following example shows how the crypto map client token authentication command is used. This example sets up the IPSec rules for IPSec VPN encryption. The ip, nat, and aaa-server command statements establish the context for the IPSec-related commands.
ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client token authentication RADIUS
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
crypto map client configuration address
Use the crypto map client configuration address command to configure IKE Mode Configuration on your PIX Firewall. IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With the crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.
Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.
The keyword initiate indicates that the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the PIX Firewall will accept requests for IP addresses from any requesting peer.
Note
If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.06(T) and later supports IKE Mode Configuration.
See "Advanced Configurations," for more information about the IKE Mode Configuration.
Examples
The following examples configure IKE Mode Configuration on your PIX Firewall:
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map interface
The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] command to view the crypto map configuration.
Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
The use of the crypto map interface command re-initializes the security association database causing any currently established security associations to be deleted.
Examples
The following example assigns the crypto map set "mymap" to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).
crypto map mymap interface outside
The following is sample output for the show crypto map command:
show crypto map
Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
Crypto Map "firewall-alice" 10 ipsec-isakmp
    Peer = 172.21.114.67
    access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
    Current peer: 172.21.114.67
    Security-association lifetime: 4608000 kilobytes/120 seconds
    PFS (Y/N): N
    Transform sets={ t1, }
The following configuration was in effect when the preceding show crypto map command was issued:
crypto map firewall-alice 10 ipsec-isakmp
crypto map firewall-alice 10 set peer 172.21.114.67
crypto map firewall-alice 10 set transform-set t1
crypto map firewall-alice 10 match address 141
The following is sample output for the show crypto map command when manually established security associations are used:
show crypto map
Crypto Map "multi-peer" 20 ipsec-manual
    Peer = 172.21.114.67
    access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
    Current peer: 172.21.114.67
    Transform sets={ t2, }
    Inbound esp spi: 0,
    cipher key: ,
    auth_key: ,
    Inbound ah spi: 256,
    key: 010203040506070809010203040506070809010203040506070809,
    Outbound esp spi: 0
    cipher key: ,
    auth key: ,
    Outbound ah spi: 256,
    key: 010203040506070809010203040506070809010203040506070809,
The following configuration was in effect when the above show crypto map command was issued:
crypto map multi-peer 20 ipsec-manual
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256 010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2
crypto map multi-peer 20 match address 120
crypto map ipsec-manual | ipsec-isakmp
To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.
Note
The crypto map command without a keyword creates an ipsec-isakmp entry by default.
After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.
Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps link together definitions of the following:
• What traffic should be protected
• Which IPSec peer(s) the protected traffic can be forwarded to—these are the peers with which a security association can be established
• Which transform sets are acceptable for use with the protected traffic
• How keys and security associations should be used/managed (or what the keys are, if IKE is not used)
A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
The following example shows the minimum required crypto map configuration when the security associations are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd
crypto map ipsec-isakmp dynamic
To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.
Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.
Give crypto map entries that reference dynamic map sets the lowest priority of all map entries, so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.
To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
For more information about dynamic maps, see "About IPSec."
Examples
The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
crypto map match address
To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry.
This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use the access-list command to define this access list.
The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)
Note
The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.
The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)
The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.
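How a crypto map set classifies a packet, as an added Python model that covers the seq-num ordering and static-before-dynamic placement described under crypto map ipsec-isakmp dynamic, and the crypto access list rules of this section: outbound traffic matching a permit entry is protected under the first (lowest seq-num) entry that permits it, or dropped when that entry is dynamic and no security association exists; inbound traffic matching a permit entry is discarded unless it arrived IPSec-protected. This is example code written for this page, not PIX Firewall code; the entries, access lists and addresses are constructed, and the mirror-image evaluation of the crypto access list for inbound packets (destination checked against the list's source and vice versa) is an assumption of the model.

```python
# Added example (not PIX code): a model of crypto map set evaluation. Entries and
# addresses are constructed; the inbound mirror-image check is an assumption.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    """One crypto access-list entry: 'permit'/'deny' for a source/destination pair (CIDR)."""
    action: str
    src: str
    dst: str


def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an access list ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ip_network(ace.src, strict=False) and d in ip_network(ace.dst, strict=False):
            return ace.action
    return "deny"


@dataclass
class CryptoMapEntry:
    map_name: str
    seq_num: int
    kind: str          # "ipsec-isakmp", "ipsec-manual", or "dynamic" (references a dynamic map)
    acl: List[Ace]
    peers: List[str] = field(default_factory=list)


Flow = Tuple[str, str]        # (src, dst)
SaKey = Tuple[int, Flow]      # (seq_num, flow) for which a security association exists


def ordered(entries: List[CryptoMapEntry], map_name: str) -> List[CryptoMapEntry]:
    """Entries of one set, lowest seq-num first (highest priority), whatever order they were typed in."""
    return sorted((e for e in entries if e.map_name == map_name), key=lambda e: e.seq_num)


def classify_outbound(entries: List[CryptoMapEntry], map_name: str, src: str, dst: str,
                      existing: Set[SaKey]) -> Tuple[str, Optional[int]]:
    """'protect' under entry N (existing SA, or negotiate one for a static entry),
    'drop' when only a dynamic entry matches and no SA exists, 'clear' when nothing matches."""
    for e in ordered(entries, map_name):
        if acl_action(e.acl, src, dst) != "permit":
            continue
        if e.kind == "dynamic" and (e.seq_num, (src, dst)) not in existing:
            return "drop", e.seq_num
        return "protect", e.seq_num
    return "clear", None


def classify_inbound(entries: List[CryptoMapEntry], map_name: str, src: str, dst: str,
                     ipsec_protected: bool) -> Tuple[str, Optional[int]]:
    """Inbound traffic whose flow a permit entry covers must have arrived IPSec-protected;
    otherwise it is discarded. Traffic covered by no entry is outside crypto policy and is
    left to the interface access list applied with access-group."""
    for e in ordered(entries, map_name):
        if acl_action(e.acl, dst, src) == "permit":   # mirror image of the outbound list
            return ("accept", e.seq_num) if ipsec_protected else ("drop", e.seq_num)
    return "not-crypto", None


# Constructed sample set: the dynamic entry is typed first on purpose; seq-num, not typing
# order, decides evaluation order, so the static entries 10 and 20 are still tried first.
ENTRIES = [
    CryptoMapEntry("mymap", 30, "dynamic", [Ace("permit", "10.0.0.0/8", "0.0.0.0/0")]),
    CryptoMapEntry("mymap", 10, "ipsec-isakmp",
                   [Ace("permit", "10.1.1.0/24", "10.2.2.0/24")], ["10.0.0.1", "10.0.0.2"]),
    CryptoMapEntry("mymap", 20, "ipsec-isakmp",
                   [Ace("deny", "10.3.3.5/32", "10.4.4.0/24"),
                    Ace("permit", "10.3.3.0/24", "10.4.4.0/24")], ["10.0.0.3"]),
]
```

The two drop cases are the ones that generate support calls: a clear-text packet arriving for a flow the crypto list permits, and an outbound packet that only a dynamic entry matches before the remote client has negotiated anything.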
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map set peer
Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map set pfs
The crypto map set pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
By default, PFS is not requested.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key will be compromised.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group.
If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.
The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.
Note
IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.
Examples
This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2
crypto map set security-association lifetime
To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.
The crypto map's security associations are negotiated according to the global lifetimes.
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.
If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more details.
To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
To change the traffic-volume lifetime, use the crypto map set security-association lifetime kilobytes command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with.
However, shorter lifetimes require more CPU processing time.
The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).
For more information about lifetimes, see "About IPSec."
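To tie together the set pfs rules described earlier and the two-lifetime behaviour of set security-association lifetime, here is an added Python model (not PIX Firewall code) of how the attributes of an IPSec security association are settled for one crypto map entry: which Diffie-Hellman group a PFS request carries, whether a peer's PFS offer is acceptable under the local setting, which lifetime the responder uses (the smaller of the proposal and the local value, with a crypto map override taking precedence over the global value), and when an established SA expires (whichever of the timed or traffic-volume lifetime is reached first). The global lifetime values and the sizes of the sample flows are constructed placeholders, not PIX defaults.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model, not PIX Firewall code. The global values below are
# placeholders; on the PIX they come from crypto ipsec security-association lifetime.
GLOBAL_LIFETIME_SECONDS = 28800
GLOBAL_LIFETIME_KILOBYTES = 4608000

DH_GROUP_BITS = {"group1": 768, "group2": 1024}


def pfs_request(local_pfs: Optional[str]) -> Optional[str]:
    """Group carried in our own request. local_pfs is None (PFS not set),
    "default" (set pfs with no group, meaning group1) or a group name."""
    if local_pfs is None:
        return None
    return "group1" if local_pfs == "default" else local_pfs


def pfs_offer_acceptable(local_pfs: Optional[str], peer_offer: Optional[str]) -> bool:
    """Responder rule: no local PFS accepts anything; group1 (explicit or by
    default) accepts group1 or group2; group2 accepts only group2; any local
    PFS setting rejects a proposal that carries no PFS exchange."""
    if local_pfs is None:
        return True
    if peer_offer is None:
        return False
    required = pfs_request(local_pfs)
    return DH_GROUP_BITS[peer_offer] >= DH_GROUP_BITS[required]


def effective_lifetime(map_override: Optional[int], global_value: int) -> int:
    """A per-entry set security-association lifetime overrides the global value."""
    return global_value if map_override is None else map_override


def responder_lifetime(local: int, peer_proposed: int) -> int:
    """On a received request the smaller of the proposed and local lifetimes wins."""
    return min(local, peer_proposed)


@dataclass
class IpsecSa:
    lifetime_seconds: int
    lifetime_kilobytes: int
    created_at: int          # seconds on any monotonic clock
    protected_bytes: int = 0

    def protect(self, nbytes: int) -> None:
        self.protected_bytes += nbytes

    def expired(self, now: int) -> bool:
        """The SA and its keys expire when the first of the two lifetimes is reached."""
        timed_out = now - self.created_at >= self.lifetime_seconds
        volume_out = self.protected_bytes >= self.lifetime_kilobytes * 1024
        return timed_out or volume_out


def negotiate_sa(local_pfs, peer_pfs, map_seconds, map_kilobytes,
                 peer_seconds, peer_kilobytes, now, initiator):
    """Settle PFS and lifetimes for one crypto map entry. Returns None when the
    peer's PFS offer is not acceptable (the negotiation fails)."""
    secs = effective_lifetime(map_seconds, GLOBAL_LIFETIME_SECONDS)
    kbs = effective_lifetime(map_kilobytes, GLOBAL_LIFETIME_KILOBYTES)
    if initiator:
        # Our request carries our own lifetimes (and pfs_request(local_pfs));
        # the text says the PIX then uses its own value for the new SA.
        return IpsecSa(secs, kbs, now)
    if not pfs_offer_acceptable(local_pfs, peer_pfs):
        return None
    return IpsecSa(responder_lifetime(secs, peer_seconds),
                   responder_lifetime(kbs, peer_kilobytes), now)


def demo():
    # Constructed: entry with "set pfs group2" and a 2700 s timed override, peer proposes 3600 s / 1000 KB.
    sa = negotiate_sa("group2", "group2", 2700, None, 3600, 1000, now=0, initiator=False)
    results = {"negotiated_seconds": sa.lifetime_seconds,
               "negotiated_kilobytes": sa.lifetime_kilobytes,
               "fresh_expired": sa.expired(now=10)}
    sa.protect(1000 * 1024)                 # 1000 KB protected: volume lifetime reached
    results["volume_expired"] = sa.expired(now=10)
    sa2 = negotiate_sa(None, None, 2700, None, 99999, 99999, now=0, initiator=False)
    results["timed_expired_at_2699"] = sa2.expired(now=2699)
    results["timed_expired_at_2700"] = sa2.expired(now=2700)
    results["group2_rejects_group1"] = pfs_offer_acceptable("group2", "group1")
    results["default_accepts_group2"] = pfs_offer_acceptable("default", "group2")
    results["rejected_sa"] = negotiate_sa("default", None, None, None, 1, 1, 0, False)
    return results
```

The model makes the trade-off in the text concrete: shortening either lifetime bounds how much traffic one key protects, and PFS ensures a recovered key exposes only that SA, at the cost of an extra Diffie-Hellman exchange per rekey.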
Examples
This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2,700 seconds (45 minutes).
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set security-association lifetime seconds 2700
crypto map set session-key
To manually specify the IPSec session keys within a crypto map entry, use the crypto map set session-key command. Use the no crypto map set session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.
If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.
You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established using this command do not expire (unlike security associations established using IKE).
The PIX Firewall unit's session keys must match its peer's session keys.
If you change a session key, the security association using the key will be deleted and reinitialized.
Examples
The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222
The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
crypto map set transform-set
To specify which transform sets can be used with the crypto map entry, use the crypto map set transform-set command. Use the no crypto map set transform-set command to remove all transform sets from a crypto map entry.
This command is required for all static and dynamic crypto map entries.
For an ipsec-isakmp crypto map entry, you can list up to six transform sets with this command. List the higher priority transform sets first.
If the local PIX Firewall initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map command statement. If the peer initiates the negotiation, the local PIX Firewall accepts the first transform set that matches one of the transform sets specified in the crypto map entry.
The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map command statement, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, respecify the new list of transform sets to replace the old list. This change is only applied to crypto map command statements that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.
Any transform sets included in a crypto map command statement must previously have been defined using the crypto ipsec transform-set command.
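As an added example (Python, not PIX Firewall code), the following parses crypto ipsec transform-set and crypto map ... set transform-set lines in the syntax shown on this page and applies the negotiation rule described above: the initiator's transform sets are offered in crypto map order, the first one whose transforms the responder also has configured is used, and no match means no security association and dropped traffic. It also enforces the two limits stated above (one to six transform sets for an ipsec-isakmp entry, exactly one for ipsec-manual). The configuration lines used as input are constructed sample data; transform-set names are local to each peer, so matching is done on the transforms themselves, which is an assumption of the model.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model, not PIX Firewall code.


def parse_transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Collect 'crypto ipsec transform-set NAME T1 [T2 [T3]]' lines."""
    sets: Dict[str, FrozenSet[str]] = {}
    for line in config.splitlines():
        toks = line.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[toks[3]] = frozenset(toks[4:])
    return sets


def parse_crypto_map_transform_lists(config: str) -> Dict[Tuple[str, int], Tuple[str, List[str]]]:
    """Return {(map, seq): (entry type, [set names in priority order])} from
    'crypto map NAME SEQ ipsec-isakmp|ipsec-manual' and
    'crypto map NAME SEQ set transform-set A [B ...]' lines."""
    entries: Dict[Tuple[str, int], Tuple[str, List[str]]] = {}
    for line in config.splitlines():
        toks = line.split()
        if toks[:2] != ["crypto", "map"] or len(toks) < 5:
            continue
        key = (toks[2], int(toks[3]))
        kind, names = entries.get(key, ("", []))
        if toks[4] in ("ipsec-isakmp", "ipsec-manual"):
            kind = toks[4]
        elif toks[4:6] == ["set", "transform-set"]:
            names = toks[6:]
        entries[key] = (kind, names)
    return entries


def validate_entry(kind: str, names: List[str]) -> None:
    """Limits stated on the page for the set transform-set command."""
    if kind == "ipsec-isakmp" and not 1 <= len(names) <= 6:
        raise ValueError("ipsec-isakmp entries take one to six transform sets")
    if kind == "ipsec-manual" and len(names) != 1:
        raise ValueError("ipsec-manual entries take exactly one transform set")


def negotiate(offer: List[FrozenSet[str]], accepted: List[FrozenSet[str]]) -> Optional[FrozenSet[str]]:
    """First transform set in the initiator's offer order that the responder also
    has configured; None means no SA, so the traffic is dropped. Called with the
    arguments swapped it gives the responder's view (first match in the peer's order)."""
    accepted_set = set(accepted)
    for candidate in offer:
        if candidate in accepted_set:
            return candidate
    return None


def negotiate_from_configs(local_config: str, peer_config: str, local_entry, peer_entry) -> Optional[str]:
    """Return the local name of the transform set the SA will use, or None."""
    local_sets = parse_transform_sets(local_config)
    peer_sets = parse_transform_sets(peer_config)
    kind, local_names = parse_crypto_map_transform_lists(local_config)[local_entry]
    validate_entry(kind, local_names)
    peer_kind, peer_names = parse_crypto_map_transform_lists(peer_config)[peer_entry]
    validate_entry(peer_kind, peer_names)
    chosen = negotiate([local_sets[n] for n in local_names], [peer_sets[n] for n in peer_names])
    if chosen is None:
        return None
    return next(n for n in local_names if local_sets[n] == chosen)


# Constructed local side, in the page's syntax (same sets as the example below).
LOCAL_CONFIG = """\
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
"""

# Constructed peer: one transform set equivalent to my_t_set2 under its own name.
PEER_CONFIG = """\
crypto ipsec transform-set remote_set ah-sha-hmac esp-des esp-sha-hmac
crypto map peermap 5 ipsec-isakmp
crypto map peermap 5 set transform-set remote_set
"""

if __name__ == "__main__":
    print(negotiate_from_configs(LOCAL_CONFIG, PEER_CONFIG, ("mymap", 10), ("peermap", 5)))
```

Because the offer is walked in the initiator's order, listing the strongest transform set first on both sides is what makes the stronger set win when both peers support it; a weaker set placed first is accepted if the peer has it.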
Examples
The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map command statement.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority), depending on which transform set matches the remote peer's transform sets.
debug
Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)
debug crypto ca [level]
no debug crypto ca [level]
debug crypto ipsec [level]
no debug crypto ipsec [level]
debug crypto isakmp [level]
no debug crypto isakmp [level]
debug dhcpd packet
no debug dhcpd packet
debug dhcpd event
no debug dhcpd event
show debug
Syntax Description
Usage Guidelines
The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.
The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.
The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.
Use of the debug commands can slow down busy networks.
The debug commands are shared between all Telnet and serial console sessions.
Additional debug Command Information
Note
When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.
Note
Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.
Examples
The following is sample output from the show debug command:
show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet
The trailing 1 at the end of the debug crypto commands is the debugging level, which is described in the "Syntax Description" section at the start of this command page.
domain-name
Change the IPSec domain name. (Configuration mode.)
domain-name name
Syntax Description
Usage Guidelines
The domain-name command lets you change the IPSec domain name.
Note
The change of the domain name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs using the ca zeroize rsa command and delete related certificates using the no ca identity ca_nickname command.
Examples
The following example shows use of the domain-name command:
domain-name example.com
dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)
clear dynamic-map
show dynamic-map
Usage Guidelines
The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.
Note
The dynamic-map command is the same as the crypto dynamic-map command. Refer to the crypto dynamic-map command page for more information and for other command options.
ip local pool
Identify addresses for a local pool to be used for dynamic assignment to remote VPN Clients. (Configuration mode.)
ip local pool pool_name pool_start-address[-pool_end-address]
no ip local pool pool_name pool_start-address[-pool_end-address]
show ip local pool pool_name ip_address[-ip_address]
Syntax Description
pool_name
Local pool name.
pool_start_address[-pool_end_address]
Local pool IP address range.
ip_address[-ip_address]
Local pool IP address range.
Usage Guidelines
The ip local pool command lets you create a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN Clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address. To delete an address pool, use the no ip local pool command. Use the show ip local pool command to view usage information about the pool of local addresses.
When a pool of addresses set by the ip local pool command is empty, the following syslog message appears:
%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname
To reference this pool of local addresses, use the isakmp client configuration address-pool command. See the isakmp command page for more information.
Examples
The following example creates a pool of IP addresses and then displays the pool contents:
ip local pool mypool 10.0.0.10-10.0.0.20
show ip local pool mypool
Pool Begin End Free In use
mypool 10.0.0.10 10.0.0.20 11 0
Available Addresses:
10.0.0.10
10.0.0.11
10.0.0.12
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
10.0.0.18
10.0.0.19
10.0.0.20
ipsec
The ipsec command is a shortened form of the crypto ipsec command. (Configuration mode.)
clear ipsec
show ipsec
Usage Guidelines
The clear ipsec command removes all ipsec commands from the configuration. The show ipsec command lists all the ipsec commands in the configuration.
Note
See the crypto ipsec command page for information on all other command options and examples.
isakmp
Negotiate IPSec security associations and enable IPSec secure communications.
(Configuration mode.)
isakmp client configuration address-pool local pool-name [interface-name]
no isakmp client configuration address-pool local pool-name
isakmp enable interface-name
no isakmp enable interface-name
isakmp identity address | hostname
no isakmp identity address | hostname
isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]
no isakmp key keystring address peer-address [netmask mask][no-xauth] [no-config-mode]
isakmp peer fqdn fqdn no-xauth no-config-mode
no isakmp peer fqdn fqdn no-xauth no-config-mode
isakmp policy priority authentication pre-share | rsa-sig
no isakmp policy priority authentication pre-share | rsa-sig
isakmp policy priority encryption des | 3des
no isakmp policy priority encryption des | 3des
isakmp policy priority group 1 | 2
no isakmp policy priority group 1 | 2
isakmp policy priority hash md5 | sha
no isakmp policy priority hash md5 | sha
isakmp policy priority lifetime seconds
no isakmp policy priority lifetime seconds
show isakmp policy
show isakmp sa
clear [crypto] isakmp sa
clear isakmp
Syntax Description
Usage Guidelines
The sections that follow describe each isakmp command.
isakmp client configuration address-pool local
The isakmp client configuration address-pool local command configures the IP address local pool that IKE references. Use the no isakmp client configuration address-pool local command to restore the default value.
Before using this command, use the ip local pool command to define a pool of local addresses to be assigned to a remote IPSec peer.
Examples
The following example references IP address local pools to IKE with "mypool" as the pool-name:
isakmp client configuration address-pool local mypool outside
isakmp enable
The isakmp enable command is used to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by default. Use the no isakmp enable command to disable IKE.
Examples
The following example shows how to disable IKE on the inside interface:
no isakmp enable inside
isakmp identity address | hostname
To define the ISAKMP identity the PIX Firewall uses when participating in the IKE protocol, use the isakmp identity address | hostname command. Use the no isakmp identity address | hostname command to reset the ISAKMP identity to the default value of IP address.
When two peers use IKE to establish IPSec security associations, each peer sends its ISAKMP identity to the remote peer. It will send either its IP address or hostname depending on how each has its ISAKMP identity set. By default, the PIX Firewall unit's ISAKMP identity is set to the IP address. As a general rule, set the PIX Firewall and its peer's identities in the same way to avoid an IKE negotiation failure. This failure could be due to either the PIX Firewall or its peer not recognizing its peer's identity.
Note
If you are using RSA signatures as your authentication method in your IKE policies, Cisco recommends you set each participating peer's identity to host name. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.
The following example uses pre-shared keys between the two PIX Firewall units (PIX Firewall 1 and PIX Firewall 2) that are peers and sets both their ISAKMP identities to host name.
At the PIX Firewall 1, the ISAKMP identity is set to host name:
isakmp identity hostname
At the PIX Firewall 2, the ISAKMP identity is set to hostname:
isakmp identity hostname
isakmp key address
To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to delete a pre-shared authentication key and its associated IPSec peer address.
You would configure the pre-shared key at both peers whenever you specify pre-shared key in an IKE policy. Otherwise the policy cannot be used because it will not be submitted for matching by the IKE process.
A netmask of 0.0.0.0 can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.
Note
The PIX Firewall or any IPSec peer can use the same authentication key with multiple peers, but this is not as secure as using a unique authentication key between each pair of peers.
Note
Configure a pre-shared key associated with a given security gateway to be distinct from a wildcard, pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN Clients.
The no-xauth or no-config-mode command options are to be used only if the following criteria are met:
•
You are using the pre-shared key authentication method within your IKE policy.
•
The security gateway and VPN Client peers terminate on the same interface.
•
The Xauth or IKE Mode Configuration feature is enabled for VPN Client peers.
The isakmp key keystring address ip-address [no-xauth] [no-config-mode] command allows you to configure a pre-shared authentication key, associate the key with a given security gateway's address, and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.
Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN Clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.
If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.
Use the no isakmp key keystring address ip-address [no-xauth] [no-config-mode] command to disable the isakmp key keystring address ip-address [no-xauth] [no-config-mode] command that you previously enabled.
See the crypto map client authentication command within the crypto map command page in this chapter for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page in this chapter for more information about the IKE Mode Config feature.
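An added Python model (not PIX Firewall code) of the pre-shared key handling described above: isakmp key lines in the page's syntax are parsed, the key for a given peer address is chosen by the most specific address/netmask entry that covers it (so the wildcard 0.0.0.0 netmask 0.0.0.0 entry catches any peer without its own entry), and the selected entry's no-xauth and no-config-mode options decide whether the peer is challenged for a username and password or pushed an address. Treating the lookup as a most-specific match is an assumption of this model, not something the page states. A check for the Note above, that a security gateway's key must be distinct from the wildcard key used by VPN Clients, is included; all key strings and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model, not PIX Firewall code.


@dataclass(frozen=True)
class IsakmpKey:
    keystring: str
    address: str
    netmask: str = "255.255.255.255"
    no_xauth: bool = False
    no_config_mode: bool = False

    @property
    def network(self):
        return ip_network(f"{self.address}/{self.netmask}", strict=False)

    @property
    def is_wildcard(self) -> bool:
        # address 0.0.0.0 netmask 0.0.0.0: matches every peer
        return self.network.prefixlen == 0


def parse_isakmp_key(line: str) -> IsakmpKey:
    """Parse 'isakmp key KEY address ADDR [netmask MASK] [no-xauth] [no-config-mode]'."""
    toks = line.split()
    if len(toks) < 5 or toks[:2] != ["isakmp", "key"] or toks[3] != "address":
        raise ValueError(f"not an isakmp key command: {line!r}")
    netmask, no_xauth, no_config_mode = "255.255.255.255", False, False
    rest = toks[5:]
    while rest:
        if rest[0] == "netmask":
            netmask, rest = rest[1], rest[2:]
        elif rest[0] == "no-xauth":
            no_xauth, rest = True, rest[1:]
        elif rest[0] == "no-config-mode":
            no_config_mode, rest = True, rest[1:]
        else:
            raise ValueError(f"unknown option {rest[0]!r}")
    return IsakmpKey(toks[2], toks[4], netmask, no_xauth, no_config_mode)


def select_key(keys: List[IsakmpKey], peer_ip: str) -> Optional[IsakmpKey]:
    """Most specific covering entry wins (model assumption); None if nothing covers the peer."""
    peer = ip_address(peer_ip)
    covering = [k for k in keys if peer in k.network]
    return max(covering, key=lambda k: k.network.prefixlen, default=None)


def peer_treatment(keys: List[IsakmpKey], peer_ip: str,
                   xauth_enabled: bool, config_mode_enabled: bool) -> dict:
    """What the PIX does for this peer once IKE proposes pre-shared key authentication."""
    key = select_key(keys, peer_ip)
    if key is None:
        return {"authenticated": False}
    return {
        "authenticated": True,
        "challenge_for_credentials": xauth_enabled and not key.no_xauth,
        "push_address": config_mode_enabled and not key.no_config_mode,
    }


def gateways_sharing_wildcard_key(keys: List[IsakmpKey]) -> List[str]:
    """Addresses of specific gateway entries whose key string equals a wildcard key
    (the configuration the Note above says to avoid)."""
    wildcard = {k.keystring for k in keys if k.is_wildcard}
    return [k.address for k in keys if not k.is_wildcard and k.keystring in wildcard]


# Constructed sample configuration in the page's syntax; the keys are placeholders.
SAMPLE_CONFIG = """\
isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0
"""
KEYS = [parse_isakmp_key(l) for l in SAMPLE_CONFIG.splitlines() if l.strip()]

if __name__ == "__main__":
    print(peer_treatment(KEYS, "10.1.1.1", True, True))
    print(peer_treatment(KEYS, "172.16.5.9", True, True))
    print("gateways reusing the wildcard key:", gateways_sharing_wildcard_key(KEYS))
```

Running gateways_sharing_wildcard_key over a real configuration is a cheap audit step: a gateway that shares the VPN Client wildcard key is authenticated by a secret every client holds, which is exactly what the Note warns against.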
Examples
The following example shows "sharedkeystring" as the authentication key to share between the PIX Firewall and its peer specified by an IP address of 10.1.0.0:
isakmp key sharedkeystring address 10.1.0.0
The following example shows use of a wildcard, pre-shared key. The "sharedkeystring" is the authentication key to share between the PIX Firewall and its peer (in this case a VPN Client) specified by an IP address of 0.0.0.0 and a netmask of 0.0.0.0.
isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0
The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN Clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. The example shows each security gateway peer has a unique pre-shared key to share with the PIX Firewall. The peers' IP addresses are 10.1.1.1, 10.1.1.2, 10.1.1.3, and the netmask of 255.255.255.255 is specified.
isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey7890 address 10.1.1.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer fqdn no-xauth | no-config-mode
The isakmp peer fqdn fqdn no-xauth | no-config-mode command is to be used only if the following criteria are met:
•
You are using the RSA signatures authentication method within your IKE policy.
•
The security gateway and VPN Client peers terminate on the same interface.
•
The Xauth or IKE Mode Configuration feature is enabled for VPN Client peers.
The isakmp peer fqdn fqdn no-xauth | no-config-mode command allows you to identify a peer that is a security gateway and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.
Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN Clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration feature enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.
If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.
Note
If you are using RSA signatures as your authentication method in your IKE policies, Cisco recommends you set each participating peer's identity to hostname using the isakmp identity hostname command. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.
Use the no isakmp peer fqdn fqdn no-xauth | no-config-mode command to disable the isakmp peer fqdn fqdn no-xauth | no-config-mode command that you previously enabled.
See the crypto map client authentication within the crypto map command page in this chapter for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page in this chapter for more information about the IKE Mode Config feature.
Examples
The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN Clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. Each security gateway peer's fully qualified domain name is specified.
isakmp peer fqdn hostname1.example.com no-xauth no-config-mode
isakmp peer fqdn hostname2.example.com no-xauth no-config-mode
isakmp peer fqdn hostname3.example.com no-xauth no-config-mode
isakmp policy authentication
The isakmp policy authentication command allows you to specify the authentication method within an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
If you specify RSA signatures, you must configure the PIX Firewall and its peer to obtain certificates from a CA. If you specify pre-shared keys, you must separately configure these pre-shared keys within the PIX Firewall and its peer.
Use the no isakmp policy authentication command to reset the authentication method to the default value of RSA signatures.
Examples
The following example shows use of the isakmp policy authentication command. This example sets the authentication method of rsa-signatures to be used within the IKE policy with the priority number of 40.
isakmp policy 40 authentication rsa-sig
isakmp policy encryption
To specify the encryption algorithm within an IKE policy, use the isakmp policy encryption command. IKE policies define a set of parameters to be used during IKE negotiation.
DES and 3DES are the two encryption algorithm options available.
Use the no isakmp policy encryption command to reset the encryption algorithm to the default value, which is des.
Examples
The following example shows use of the isakmp policy encryption command. This example sets the Triple DES algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 encryption 3des
isakmp policy group
Use the isakmp policy group command to specify the Diffie-Hellman group to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
There are two group options: 768-bit or 1024-bit. The 1024-bit Diffie Hellman provides stronger security, but it requires more CPU time to execute.
Use the no isakmp policy group command to reset the Diffie-Hellman group identifier to the default value of group 1, 768-bit Diffie Hellman.
Examples
The following example shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.
isakmp policy 40 group 2
isakmp policy hash
Use the isakmp policy hash command to specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
To reset the hash algorithm to the default value of SHA-1, use the no isakmp policy hash command.
Examples
The following example shows use of the isakmp policy hash command. This example sets the MD5 hash algorithm to be used within the IKE policy with the priority number of 40.
isakmp policy 40 hash md5
isakmp policy lifetime
To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command. Use the no isakmp policy lifetime command to reset the security association lifetime to the default value of 86,400 seconds (one day).
When IKE begins negotiations, it looks to agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by a security association at each peer. The security association is retained by each peer until the security association's lifetime expires. Before a security association expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec security associations. New security associations are negotiated before current security associations expire.
To save setup time for IPSec, configure a longer IKE security association lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be.
Note
When PIX Firewall initiates an IKE negotiation between itself and an IPSec peer, an IKE policy can be selected only if the lifetime of the peer's policy is shorter than or equal to the lifetime of its policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected.
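As an added example (Python, not PIX Firewall code), the following builds IKE policies from isakmp policy lines in the syntax shown on this page, fills unspecified parameters with the defaults stated in the sections above (des, sha, rsa-sig, group 1, 86,400 seconds) plus the default protection suite, and applies the selection rule from the Note: policies are compared in priority order, a peer policy can be selected only if its lifetime is shorter than or equal to the local one, and the shorter of the two lifetimes is used. The peer's policy list is constructed sample data, and the requirement that the other four parameters be identical for a match is the model's assumption rather than a statement of the page.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed model, not PIX Firewall code.

DEFAULT_LIFETIME = 86400
DEFAULT_SUITE_PRIORITY = 65535   # placeholder ordinal so the default suite is tried last


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str = "des"             # des | 3des
    hash: str = "sha"                   # sha | md5
    authentication: str = "rsa-sig"     # rsa-sig | pre-share
    group: int = 1                      # 1 (768-bit) | 2 (1024-bit)
    lifetime: int = DEFAULT_LIFETIME    # seconds

    def parameters(self):
        """Everything but the lifetime, which is compared separately."""
        return (self.encryption, self.hash, self.authentication, self.group)


def parse_isakmp_policies(config: str) -> List[IkePolicy]:
    """Parse 'isakmp policy PRIORITY authentication|encryption|group|hash|lifetime VALUE'
    lines into policies ordered by priority, followed by the default protection suite."""
    policies: Dict[int, IkePolicy] = {}
    for line in config.splitlines():
        toks = line.split()
        if toks[:2] != ["isakmp", "policy"] or len(toks) != 5:
            continue
        prio, attr, value = int(toks[2]), toks[3], toks[4]
        pol = policies.get(prio, IkePolicy(prio))
        if attr in ("group", "lifetime"):
            pol = replace(pol, **{attr: int(value)})
        elif attr in ("authentication", "encryption", "hash"):
            pol = replace(pol, **{attr: value})
        else:
            raise ValueError(f"unknown isakmp policy attribute {attr!r}")
        policies[prio] = pol
    ordered = [policies[p] for p in sorted(policies)]
    ordered.append(IkePolicy(priority=DEFAULT_SUITE_PRIORITY))
    return ordered


def select_policy(local: List[IkePolicy], peer: List[IkePolicy]) -> Optional[IkePolicy]:
    """Initiator-side selection per the Note: the first local policy (by priority)
    for which the peer has a policy with the same parameters and a lifetime not
    longer than ours; the agreed lifetime is the shorter of the two."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in sorted(peer, key=lambda p: p.priority):
            if mine.parameters() == theirs.parameters() and theirs.lifetime <= mine.lifetime:
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None


# Constructed local configuration reproducing the two policies in the
# show isakmp policy output below (priorities 70 and 90).
LOCAL_CONFIG = """\
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 5000
isakmp policy 90 authentication pre-share
isakmp policy 90 lifetime 10000
"""

if __name__ == "__main__":
    local = parse_isakmp_policies(LOCAL_CONFIG)
    peer = [IkePolicy(10, hash="md5", group=2, lifetime=3600)]   # constructed peer policy
    print(select_policy(local, peer))
```

The lifetime rule explains a failure mode that looks like a parameter mismatch: a peer whose only matching policy carries a longer lifetime than ours is skipped, and negotiation falls through to the default suite or fails.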
Examples
The following example shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.
isakmp policy 40 lifetime 50400
show isakmp policy
To view the parameters for each IKE policy including the default parameters, use the show isakmp policy command.
Examples
The following is sample output from the show isakmp policy command after two IKE policies were configured (with priorities 70 and 90 respectively):
show isakmp policy
Protection suite priority 70
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Message Digest 5
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 5000 seconds, no volume limit
Protection suite priority 90
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 10000 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit
Note
Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not currently configurable.
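An added example (not PIX Firewall code) that models the policy selection rule stated in the isakmp policy lifetime note together with the defaults of the Default protection suite shown above: it reads isakmp policy statements into policies and negotiates between two peers. PIX_A and PIX_B are constructed sample configurations, not from this reference.

```python
import re

# Attribute defaults, as in the "Default protection suite" output above.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
STMT = re.compile(
    r"^isakmp policy (\d+) (encryption|hash|authentication|group|lifetime) (\S+)$")


def parse_isakmp_policies(config_text):
    """Build {priority: attributes} from isakmp policy statements; an
    attribute a policy does not set keeps its default value."""
    policies = {}
    for line in config_text.splitlines():
        m = STMT.match(line.strip())
        if not m:
            continue  # other configuration statements are ignored here
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        pol = policies.setdefault(prio, dict(DEFAULTS))
        pol[attr] = int(value) if attr in ("group", "lifetime") else value
    return policies


def negotiate(initiator, responder):
    """Return (initiator_prio, responder_prio, lifetime) for the first match,
    walking the initiator's policies lowest priority number first.  A match
    needs identical encryption, hash, authentication and group; per the rule
    in the text the responder's lifetime must be <= the initiator's, and the
    shorter lifetime is the one used."""
    attrs = ("encryption", "hash", "authentication", "group")
    for ip in sorted(initiator):
        for rp in sorted(responder):
            a, b = initiator[ip], responder[rp]
            if all(a[k] == b[k] for k in attrs) and b["lifetime"] <= a["lifetime"]:
                return ip, rp, min(a["lifetime"], b["lifetime"])
    return None  # no acceptable proposal: IKE phase 1 fails


# Constructed sample configurations for two peers (not from the page).
PIX_A = """
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 50400
isakmp policy 90 authentication pre-share
"""
PIX_B = """
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
"""

if __name__ == "__main__":
    a, b = parse_isakmp_policies(PIX_A), parse_isakmp_policies(PIX_B)
    print("A initiates:", negotiate(a, b))  # (90, 20, 86400): B's 86400 > A's 50400
    print("B initiates:", negotiate(b, a))  # (10, 40, 50400): shorter lifetime used
```

The two runs show that the rule is directional: the same pair of peers settles on different policies depending on which side initiates.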
show isakmp sa
To view all current IKE security associations between the PIX Firewall and its peer, use the show isakmp sa command.
Examples
The following is sample output from the show isakmp sa command after IKE negotiations were successfully completed between the PIX Firewall and its peer:
show isakmp sa
dst            src            state     pending  created
16.132.40.2    16.132.30.2    QM_IDLE   0        1
clear isakmp
The clear isakmp command removes all isakmp command statements from the configuration.
clear [crypto] isakmp sa
The clear [crypto] isakmp sa command deletes active IKE security associations. The keyword crypto is optional.
sysopt
Change PIX Firewall system options. (Configuration mode.)
sysopt connection permit-ipsec
no sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt ipsec pl-compatible
sysopt uauth allow-http-cache
no sysopt uauth allow-http-cache
clear sysopt
show sysopt
Syntax Description
Usage Guidelines
The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature.
sysopt connection permit-ipsec
Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements.
An access-list or conduit command statement must be available for inbound sessions.
By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, this second access list check can be redundant. To allow IPSec authenticated/encrypted inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.
The no sysopt connection permit-ipsec command disables the option.
Note
If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command will take precedence.
Note
If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.
Examples
The following is a minimal IPSec configuration to enable a session to be connected from host 172.21.100.123 to host 172.21.200.67 across an IPSec tunnel that terminates from peer 209.165.201.1 to peer 201.165.200.225.
With sysopt connection permit-ipsec and access-list command statements:
On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside
On peer 201.165.200.225:
static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside
With sysopt connection permit-ipsec and without conduit command statements:
On peer 209.165.201.1:
static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside
sysopt connection permit-ipsec
On peer 201.165.200.225:
static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
Note
The sysopt ipsec pl-compatible command provides a migration path for Private Link users from Private Link tunnels to IPSec tunnels.
The sysopt ipsec pl-compatible command enables the IPSec feature to simulate the Private Link feature supported in PIX Firewall version 4. The Private Link feature allows encrypted tunnels to be established across an unsecured network between Private-Link equipped PIX Firewall units. The sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features and enables incoming IPSec packets to terminate on the sending interface.
The no sysopt ipsec pl-compatible command disables the option, which is off by default.
Note
When using the sysopt ipsec pl-compatible command, all PIX Firewall features, such as access list control, stateful inspection, and user authentication, are bypassed for IPSec packets only.
Note
If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command will take precedence.
Note
If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.
Examples
For an example of the use of the sysopt ipsec pl-compatible command, see the "Converting Private Link to IPSec" section in "Advanced Configurations."
sysopt uauth allow-http-cache
The sysopt uauth allow-http-cache command allows the web browser to supply a username and password from its cache for AAA authentication. If the sysopt uauth allow-http-cache command is not enabled, the default behavior of the PIX Firewall is to require the web browser to prompt the user each time the uauth timer expires.
Examples
The following example shows use of the sysopt uauth allow-http-cache command:
sysopt uauth allow-http-cache
vpngroup
This implements support for the Cisco VPN 3000 Client. (Configuration mode.)
vpngroup group_name address-pool ip_pool_name
no vpngroup group_name address-pool ip_pool_name
vpngroup group_name default-domain domain_name
no vpngroup group_name default-domain domain_name
vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
no vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
vpngroup group_name idle-time idle_seconds
no vpngroup group_name idle-time idle_seconds
vpngroup group_name max-time max_seconds
no vpngroup group_name max-time max_seconds
vpngroup group_name password preshared_key
no vpngroup group_name password preshared_key
vpngroup group_name split-tunnel acl_name
no vpngroup group_name split-tunnel acl_name
vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]
no vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]
Syntax Description
Usage Guidelines
Note
Be sure to configure the IKE Mode Config prior to configuring support for the Cisco VPN 3000 Client. In configuring IKE Mode Config, specify that the PIX Firewall initiates the IKE Mode Config. See "Configuring IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" within "Advanced Configurations."
Note
For additional information about configuring interoperability with the Cisco VPN 3000 Client using the vpngroup commands, see "VPN Client Configuration Examples."
Note
The Cisco VPN 3000 Client does not support Windows 2000.
The vpngroup command set allows you to configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 Client(s) that are part of the given group. The same VPN group name is configured in the Cisco VPN 3000 Client to ensure the matching of VPN Client policy.
Configure a VPN group name of "default" to create a VPN group policy that matches any group name. The PIX Firewall selects the VPN group name "default," if there is no other policy match.
The vpngroup address-pool command lets you define a pool of local addresses to be assigned to a VPN group.
Note
Both the vpngroup address-pool command and the ip local pool command enable you to specify a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN Clients. In the case of the Cisco VPN 3000 Client, the specified pool of addresses is associated with a given group, which consists of Cisco VPN 3000 Client users. Cisco recommends using the vpngroup address-pool command only if you will configure more than one pool of addresses to be used by more than one VPN user group. The vpngroup address-pool command gives the PIX Firewall added flexibility to configure different pools of local addresses for different user groups.
The vpngroup dns-server command enables the PIX Firewall to download an IP address of a DNS server to a Cisco VPN 3000 Client as part of an IKE negotiation.
The vpngroup wins-server command allows the PIX Firewall to download an IP address of a WINS server to a Cisco VPN 3000 Client as part of an IKE negotiation.
To enable the PIX Firewall to download a default domain name to a Cisco VPN 3000 Client as part of IKE negotiation, use the vpngroup default-domain command.
Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. With the vpngroup split-tunnel command, specify the name of the access list that defines which traffic is split tunneled. With split tunneling enabled, the PIX Firewall downloads the local network IP address and netmask specified in the associated access list to the VPN Client as part of the policy push to the client. In turn, the VPN Client sends the traffic destined for the specified local PIX Firewall network through an IPSec tunnel and all other traffic in the clear. The PIX Firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.
Note
If you do not enable split tunneling, all traffic between the VPN Client and the PIX Firewall is sent through an IPSec tunnel. All traffic originating from the VPN Client is sent to the PIX Firewall's outside interface through a tunnel, and the client's access to the Internet from its remote site is denied.
Note
Regardless of whether split tunneling is enabled, the VPN Client negotiates an IPSec tunnel to the PIX Firewall unit's IP address with a netmask of 255.255.255.255.
Note
Networks defined in access-list deny command statements are not pushed to the VPN Client.
The vpngroup idle-time command sets the inactivity timeout for a Cisco VPN 3000 Client. When the inactivity timeout for all IPSec SAs of a given VPN Client has expired, the tunnel is terminated. The default inactivity timeout is 30 minutes.
The vpngroup max-time command sets the maximum connection time for a Cisco VPN 3000 Client. When the maximum connection time is reached for a given VPN Client, the tunnel is terminated. This means the connection between the Cisco VPN 3000 Client and the PIX Firewall will have to be reestablished. The default maximum connection time is set to an unlimited amount of time.
Note
The inactivity timeout specified with the vpngroup idle-time command and maximum connection time specified with the vpngroup max-time command for a given Cisco VPN 3000 Client take precedence over the commands used to set global lifetime timeouts. These commands are the isakmp policy lifetime and crypto map set security-association lifetime seconds commands.
Configure the VPN group's pre-shared key employing the vpngroup password command to be used during IKE authentication. This pre-shared key is equivalent to the password that you enter within the Group Password field of the Cisco VPN 3000 Client while configuring your group access information for a connection entry.
The password configured on the PIX Firewall is displayed as asterisks in the configuration file.
Note
Both the vpngroup password command and the isakmp key address command allow you to specify a pre-shared key to be used for IKE authentication. Cisco recommends using the vpngroup password command only if you plan to configure more than one VPN user group. The vpngroup password command gives the PIX Firewall added flexibility to configure different VPN user groups.
Examples
The following example shows use of the vpngroup commands. The VPN Client(s) within the VPN group named "myVpnGroup" will be dynamically assigned one of the IP addresses from the pool of addresses ranging from 10.140.40.0 to 10.140.40.7. The policy attributes for the group "myVpnGroup" will be downloaded to a given VPN Client during the policy push to the client. Split tunneling is enabled. In the example, all traffic destined for the 10.130.38.0 255.255.255.0 PIX Firewall network from the VPN Client will be IPSec protected.
access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
ip local pool vpnpool 10.140.40.1-10.140.40.7
crypto ipsec transform-set esp-sha esp-null esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set esp-sha
crypto map mapName 10 ipsec-isakmp dynamic dynmap
crypto map mapName client configuration address initiate
crypto map mapName interface outside
isakmp enable outside
isakmp identity hostname
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 1
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********
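The split-tunnel policy push described under vpngroup split-tunnel, modelled as an added example (not PIX Firewall code): the networks pushed to the client are the source network and netmask of each permit entry in the named access list, deny entries are not pushed, and with no pushed list the client tunnels everything. SAMPLE_CONFIG is a constructed input, not from this reference.

```python
import ipaddress
import re

# One extended access-list entry: name, action, protocol, src net/mask, dst net/mask.
ACE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def split_tunnel_networks(config_text, acl_name):
    """Return the local networks the PIX pushes to the VPN Client for the
    split-tunnel access list: the source network and netmask of each
    permit entry.  Networks in deny entries are not pushed."""
    pushed = []
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_name and m.group(2) == "permit":
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            pushed.append(net)
    return pushed


def client_path(dst, pushed):
    """Decide whether the VPN Client sends a packet for dst through the
    IPSec tunnel or in the clear.  With no pushed networks (split
    tunneling not enabled) all traffic goes through the tunnel."""
    if not pushed:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in pushed) else "clear"


# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """
access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
access-list 90 deny ip 10.132.0.0 255.255.0.0 10.140.40.0 255.255.255.248
access-list 90 permit ip 10.131.31.0 255.255.255.0 10.140.40.0 255.255.255.248
vpngroup myVpnGroup split-tunnel 90
"""

if __name__ == "__main__":
    nets = split_tunnel_networks(SAMPLE_CONFIG, "90")
    print("pushed:", [str(n) for n in nets])       # 10.130.38.0/24, 10.131.31.0/24
    for dst in ("10.130.38.7", "10.132.5.5", "198.51.100.9"):
        print(dst, "->", client_path(dst, nets))    # tunnel, clear, clear
```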