Table of Contents

ca
clear Commands
crypto dynamic-map
crypto ipsec
crypto map
debug
domain-name
dynamic-map
ip local pool
ipsec
isakmp
sysopt
vpdn
vpngroup

Command Reference

This chapter provides detailed descriptions of the IPSec-related PIX Firewall commands. For all other PIX Firewall commands, see the "Command Reference" chapter of the Configuration Guide for the Cisco Secure PIX Firewall Version 6.0.

The following notes can help you as you configure the PIX Firewall:

• View your configuration at any time with the write terminal command.

• Save your configuration frequently with the write memory command.

• Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in, help aaa.

• View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered debugging command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in System Log Messages for the Cisco Secure PIX Firewall Version 6.0.

• Abbreviate commands, such as, using the con te command statement to start configuration mode, the wr t command statement to list the configuration, and wr m to write to Flash memory. Start logging with the lo b 7 command statement and show logging messages with the sh lo command statement.

• After changing or removing the alias, access-list, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.

• You can view possible port and protocol numbers at the following IANA web sites:

http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

• Create your configuration on a text editor and then cut and paste it into the configuration. PIX  Firewall allows you to paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.

ca

Configure the PIX Firewall to interoperate with a certification authority (CA). (Configuration mode.)

show ca crl

show ca mypubkey rsa

Syntax Description

ca_nickname	The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. Currently the PIX Firewall supports only one CA at a time.
fingerprint	A key consisting of alphanumeric characters the PIX Firewall uses to authenticate CA's certificate.
ca | ra	Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command. Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.
retry_period	Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX  Firewall retries every 1 minute.
retry_count	Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.
crloptional	Allows other peers' certificates be accepted by your PIX Firewall even if the appropriate Certificate Revocation List (CRL) is not accessible to your PIX  Firewall. The default is without crloptional.
challenge_password	A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.
serial	Return the PIX Firewall unit's serial number in the certificate.
ipaddress	Return the PIX Firewall unit's IP address in the certificate.
key	This specifies that one general-purpose RSA key pair will be generated.
specialkey	This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.
key_modulus_size	The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.
ca_ipaddress	The CA's IP address.
:ca_script_location	The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command. A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.
ldap_ipaddress	The IP address of the Lightweight Directory Access Protocol (LDAP) server. By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

Usage Guidelines

The sections that follow describe each ca command.

---

Note   The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. See "CA Configuration Examples," for a list of specific CA server versions the PIX Firewall supports.

---

---

Note   If you are using the VeriSign CA, you must use the crloptional parameter with the ca configure command.

---

---

Note   The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT. Set the PIX Firewall clock to GMT to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.

---

ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.

To view the CA's certificate, use the show ca certificate command.

---

Note   If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.

---

Examples

In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
 

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123

Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or '?' for a list of

available commands.

ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

---

Note   When using VeriSign as your CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the PIX Firewall validates the certificate during main mode, which causes the peer PIX Firewall to fail. This problem occurs because the PIX Firewall is not able to poll the CRL from the VeriSign CA.

---

Examples

The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.

ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall.

The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:

ca crl request myca

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

---

Note   This password is not stored anywhere, so you need to remember this password.

---

If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.

The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.

The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.

---

Note   When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command page for information about the isakmp identity address command.

---

Examples

The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.

ca enroll myca.example.com 1234567890 serial

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

---

Note   Before issuing this command, make sure your PIX Firewall has a hostname and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a hostname and domain name.

---

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

Examples

In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048

---

Note   You cannot generate both special usage and general purpose keys; you can only generate one or the other.

---

ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, include the location and the name of the script within the ca identity command statement.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

ca identity myca.example.com 205.139.94.231 

The ca save all commands allows you to save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall unit's Flash memory.

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

• Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

• Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the crypto ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.

---

Note   You may have more than one pair of RSA keys due to SSH. See the ssh command page within Chapter 5, "Command Reference," of the Configuration Guide for the Cisco Secure PIX Firewall Version 6.0.

---

show ca certificate

The show ca certificate command displays the CA Server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX  Firewall's certificates.

show ca certificate

 
RA Signature Certificate
  Status:Available
  Certificate Serial Number:6106e08a000000000005
  Key Usage:Signature
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:09 Jul 11 2000
 
    end   date:17:27:09 Jul 11 2001
 
 
Certificate
  Status:Available
  Certificate Serial Number:1f80655400000000000a
  Key Usage:General Purpose
  Subject Name
    Name:pixfirewall.example.com
  Validity Date:
    start date:20:06:23 Jul 17 2000
 
    end   date:20:16:23 Jul 17 2001
 
 
CA Certificate
  Status:Available
  Certificate Serial Number:25b81813efe58fb34726eec44ae82365
  Key Usage:Signature
    CN = MSCA
     OU = Cisco
     O = VSEC
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:07:34 Jul 11 2000
RA KeyEncipher Certificate
  Status:Available
  Certificate Serial Number:6106e24c000000000006
  Key Usage:Encryption
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000
 
    end   date:17:27:10 Jul 11 01 
 

The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded.

The following is a sample output of the show ca crl command. See Table 12-1 for descriptions of the strings within the following sample output:

show ca crl

 
CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA
=<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000
 
    NextUpdate:05:27:40 Jul 19 2000

show ca mypubkey rsa

The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.

show ca mypubkey rsa

 
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

clear Commands

Remove commands from the configuration or reset command values (All modes.)

Table 12-2 lists each mode in which the clear commands first appear. Each clear command listed in one mode can be also accessed in each subsequent more secure mode going from unprivileged to configuration mode, but not from less secure modes.

Table 12-2: Configuration Mode Clear Commands

Clear Command	Description	Described on Command Page
clear [crypto] dynamic-map	Remove crypto dynamic-map command statements from the configuration.The keyword crypto is optional.	crypto dynamic-map and dynamic-map
clear [crypto] ipsec sa	Delete the active IPSec security associations. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa counters	Clear the traffic counters maintained for each security association. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa entry destination-address protocol spi	Delete the active IPSec security association with the specified address, protocol, and SPI. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa map map-name	Delete the active IPSec security associations for the named crypto map set. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa peer	Delete the active IPSec security associations for the specified peer. The keyword crypto is optional.	crypto ipsec
clear [crypto] isakmp sa	Delete the active IKE security associations. The keyword crypto is optional.	isakmp
clear ipsec	Remove ipsec command statements from the configuration.	ipsec
clear isakmp	Remove isakmp command statements from the configuration.	isakmp
clear [crypto] map	Delete all parameters entered through the crypto map command belonging to the specified map. Does not delete dynamic maps.	crypto map
clear sysopt	Remove sysopt command statements from the configuration.	sysopt

crypto dynamic-map

Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

Syntax Description

dynamic-map-name	Specify the name of the dynamic crypto map set.
dynamic-seq-num	Specify the sequence number that corresponds to the dynamic crypto map entry.
subcommand	Various subcommands (match address, set transform-set, and so on).
tag map-name	(Optional) Show the crypto dynamic map set with the specified map-name.

Note   The crypto dynamic-map subcommands, such as match address, set peer, and set pfs are described in the crypto map command page. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer. command page. See this command page for the descriptions of these commands, including syntax descriptions.

Usage Guidelines

The sections that follow describe each crypto dynamic-map command.

crypto dynamic-map

The crypto dynamic-map command allows you to create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map removes all of the dynamic crypto map command statements. Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command allows you to view a dynamic crypto map set.

Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)

When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)

If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto maps are used for determining whether or not traffic should be protected.

Note   The only parameter required in a dynamic crypto map is the set transform-set. All other parameters are optional.

Examples

The following example configures an IPSec crypto map set.

Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set my_t_set1

crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address 102

crypto map mymap 20 set transform-set my_t_set1 my_t_set2

crypto map mymap 20 set peer 10.0.0.3

crypto dynamic-map mydynamicmap 10 match address 103

 
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3

 
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

 

The following is sample output for the show crypto dynamic-map command:

show crypto dynamic-map

 
Crypto Map Template "dyn1" 10
 
        access-list 152 permit ip host 172.21.114.67 any
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={tauth, t1,}
 

The following partial configuration was in effect when the above show crypto dynamic-map command was issued:

crypto ipsec security-association lifetime seconds 120        

crypto ipsec transform-set t1 esp-des esp-md5-hmac 

crypto ipsec transform-set tauth ah-sha-hmac 

crypto dynamic-map dyn1 10

crypto dynamic-map dyn1 set transform-set tauth t1 

crypto dynamic-map dyn1 match address 152

crypto map to-firewall local-address Ethernet0

crypto map to-firewall 10 ipsec-isakmp 

crypto map to-firewall 10 set peer 172.21.114.123

crypto map to-firewall 10 set transform-set tauth t1 

crypto map to-firewall 10 match address 150

crypto map to-firewall 20 ipsec-isakmp dynamic dyn1

access-list 150 permit ip host 172.21.114.67 host 172.21.114.123

access-list 150 permit ip host 15.15.15.1 host 172.21.114.123

access-list 150 permit ip host 15.15.15.1 host 8.8.8.1

access-list 152 permit ip host 172.21.114.67 any

crypto dynamic-map match address

See the crypto mapmatch address command within the crypto map command page for information about this command.

crypto dynamic-mapset peer

See the crypto map set peer command within the crypto map command page for information about this command.

crypto dynamic-mapset pfs

See the crypto map set pfs command within the crypto map command page for information about this command.

crypto dynamic-map set security-association lifetime

See the crypto mapset security-association lifetime command within the crypto map command page for information about this command.

crypto dynamic-mapset transform-set

See the crypto mapset transform-set command within the crypto map command page for information about this command.

Note   The crypto mapset transform-set command is required for dynamic crypto map entries.

crypto ipsec

Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets. (Configuration mode.)

Syntax Description

address	(Optional) Show all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).
destination-address	Specify the IP address of your peer or the remote peer.
detail	(Optional) Show detailed error counters. (The default is the high level send/receive error counters.)
identity	(Optional) Show only the flow information. It does not show the security association information.
interface-name	Specify the identifying interface (outside or external) to be used by the PIX Firewall to identify itself to remote peers. If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
ip-address	Specify a remote peer's IP address.
ipsec-isakmp	Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual	Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
kilobytes kilobytes	Specify the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes (10 megabytes per second for one hour).
map map-name	The name of the crypto map set.
peer-name	Specify a remote peer's name as the fully qualified domain name. For example, remotepeer.example.com.
protocol	Specify either the AH or ESP protocol.
mode transport	Specifies the transform set to accept transport mode requests in addition to the tunnel mode request.
seconds seconds	Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
seq-num	The number you assign to the crypto map entry.
spi	Specify the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).
tag transform-set-name	(Optional) Show only the transform sets with the specified transform-set-name.
transform1 transform2 transform3	Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.
transform-set-name	Specify the name of the transform set to create or modify.

Usage Guidelines

The sections that follow describe each crypto ipsec command.

crypto ipsec security-association lifetime

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Examples

This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).

crypto ipsec security-association lifetime seconds 2700

crypto ipsec security-association lifetime kilobytes 2304000

The following is sample output for the show crypto ipsec security-association lifetime command:

show crypto ipsec security-association lifetime

Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120

crypto ipsec transform-set

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peer's IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.

To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

Examples of acceptable transform combinations are as follows:

• ah-md5-hmac

• esp-des

• esp-des and esp-md5-hmac

• ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

For more information about transform sets, see "About IPSec" within "About IPSec."

Examples

This example defines one transform set (named "standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example:

crypto ipsec transform-set standard esp-des esp-md5-hmac

 

The following is sample output for the show crypto ipsec transform-set command:

show crypto ipsec transform-set 
 
Transform set combined-des-sha: { esp-des esp-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set combined-des-md5: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t1: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t100: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t2: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   { esp-des } 
   will negotiate = { Tunnel, },
 

The following configuration was in effect when the above show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac

crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac

crypto ipsec transform-set t1 esp-des esp-md5-hmac

crypto ipsec transform-set t100 ah-sha-hmac

crypto ipsec transform-set t2 ah-sha-hmac esp-des

 

crypto ipsec transform-set transform-set-name mode transport

This command specifies IPSec transport mode for a transform set. The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode must be selected on the transform set. The default is tunnel mode. For Pix Firewall version 6.0, L2TP is the only protocol that can use the IPSec transport mode. All other types of packets using IPSec transport mode will be discarded by the PIX Firewall. Use the no form of the command to reset the mode to the default value of tunnel mode.

Note   A transport mode transform can only be used on a dynamic crypto map, and the PIX Firewall CLI will display an error if you attempt to tie a transport-mode transform to a static crypto map.

clear [crypto] ipsec sa

The clear [crypto] ipsec sa command allows you to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. When IKE is used, the IPSec security associations are established only when needed.

If the security associations are manually established, the security associations are deleted.

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.

---

Note   If you make significant changes to an IPSec configuration such as access-list or peers, the clear [crypto] ipsec sa command will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.

---

If the PIX Firewall is processing active IPSec traffic, we recommend that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

---

Note   The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.

---

Examples

The following example clears (and re initializes if appropriate) all IPSec security associations at the PIX Firewall:

clear crypto ipsec sa

 

The following example clears (and re initializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto ipsec sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

---

Note   While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

---

---

Note   Output of the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol supplied with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.

---

Examples

The following is a sample output for the show crypto ipsec sa command:

show crypto ipsec sa

 
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
 
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
          
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
		inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

crypto map

To create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)

Note   The PIX 506 does not support use of the crypto map map-name client authentication aaa-group-tag command. Also, only four ISAKMP peers can be specified for the PIX 506.

Syntax Description

map map-name	The name of the crypto map set.
aaa-server-name	The name of the AAA server that will authenticate the user during IKE authentication. The two AAA server options available are TACACS+ and RADIUS.
token	Indicate a token-based server for user authentication is used.
initiate	Indicate that the PIX Firewall will attempt to set IP addresses for each peer.
respond	Indicate that the PIX Firewall will accept requests for IP addresses from any requesting peer.
interface interface-name	Specify the identifying interface to be used by the PIX Firewall to identify itself to peers. If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
tag map-name	(Optional) Show the crypto map set with the specified map-name.
seq-num	The number you assign to the crypto map entry.
ipsec-isakmp	Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual	Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
dynamic	(Optional) Specify that this crypto map entry is to reference a pre-existing dynamic crypto map.
dynamic-map-name	(Optional) Specify the name of the dynamic crypto map set to be used as the policy template.
acl_name	Identify the named encryption access list. This name should match the name argument of the named encryption access list being matched.
match address	Specify an access list for a crypto map entry.
set peer	Specify an IPSec peer in a crypto map entry.
hostname	Specify a peer by its hostname. This is the peer's hostname concatenated with its domain name. For example, myhost.example.com.
ip-address	Specify a peer by its IP address.
set pfs	Specify that IPSec should ask for perfect forward secrecy (PFS). With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)
group1	Specify that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2	Specify that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
secondsseconds	Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
kilobytes kilobytes	Specify the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.
set session-key	Manually specify the IPSec session keys within a crypto map entry.
inbound	Set the inbound IPSec session key. (You must set both inbound and outbound keys.)
outbound	Set the outbound IPSec session key. (You must set both inbound and outbound keys.)
ah	Set the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform. AH protocol provides authentication via MD5-HMAC and SHA-HMAC.
spi	Specify the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the PIX Firewall if inbound, the peer if outbound.
hex-key-string	Specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 digits. If the crypto map's transform set includes: DES algorithm, specify at least 16 hexadecimal digits per key. MD5 algorithm, specify at least 32 hexadecimal digits per key. SHA algorithm, specify 40 hexadecimal digits per key. Longer key sizes are simply hashed to the appropriate length.
esp	Set the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform. ESP protocol provides both authentication and/or confidentiality. Authentication is done via MD5-HMAC, SHA-HMAC and NULL. Confidentiality is done via DES, 3DES, and NULL.
cipher	Indicate that the key string to use with the ESP encryption transform.
authenticator	(Optional) Indicate that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
set transform-set	Specify which transform sets can be used with the crypto map entry.
transform-set-name	The name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.
transform1 transform2 transform3	Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.

Usage Guidelines

The sections that follow describe each crypto map command.

crypto map client authentication

The crypto map client authentication command enables the Extended Authentication (Xauth) feature, which allows you to prompt for a TACAC+/RADIUS username and password during IKE authentication. You must first have your basic AAA Server set up to be able to use this feature.

This command tells the PIX Firewall during Phase 1 of IKE to use the Xauth (RADIUS/TACACS+) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted. Use the no crypto map client authentication command to restore the default value. The Xauth feature is not enabled by default.

---

Note   Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

---

The crypto map client token authentication command enables the PIX Firewall to interoperate with a Cisco VPN 3000 Client that is set up to use a token-based server for user authentication. The keyword token tells the PIX Firewall that the AAA Server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.

---

Note   The remote user must be running one of the following: Cisco Secure VPN Client, version 1.1 or later Cisco VPN 3000 Client, version 2.5 or later

---

Examples

The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0

ip address outside 168.20.1.5 255.255.255.0

dealer 10.1.2.1-10.1.2.254

nat (inside) 0 access-list 80

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 10.0.0.2 secret123

crypto ipsec transform-set pc esp-des esp-md5-hmac 

crypto dynamic-map cisco 4 set transform-set pc

crypto map partner-map 20 ipsec-isakmp dynamic cisco

crypto map partner-map client configuration address initiate

crypto map partner-map client authentication TACACS+ 

crypto map partner-map interface outside

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

isakmp client configuration address-pool local dealer outside

isakmp policy 8 authentication pre-share 

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

The following example shows how the crypto map client token authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0

ip address outside 168.20.1.5 255.255.255.0

ip local pool dealer 10.1.2.1-10.1.2.254

nat (inside) 0 access-list 80

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.0.0.2 secret123

crypto ipsec transform-set pc esp-des esp-md5-hmac 

crypto dynamic-map cisco 4 set transform-set pc

crypto map partner-map 20 ipsec-isakmp dynamic cisco

crypto map partner-map client configuration address initiate

crypto map partner-map client token authentication RADIUS

crypto map partner-map interface outside

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

isakmp client configuration address-pool local dealer outside

isakmp policy 8 authentication pre-share 

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

crypto map client configuration address

Use the crypto map client configuration address command to configure IKE Mode Configuration on your PIX Firewall. The IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.

Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.

The keyword initiate indicates that the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the PIX Firewall will accept requests for IP addresses from any requesting peer.

---

Note   If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.0(6)T and later, supports the IKE Mode Configuration.

---

See "Advanced Configurations," for more information about the IKE Mode Configuration.

Examples

The following examples configure IKE Mode Configuration on your PIX Firewall:

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map interface

The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] to view the crypto map configuration.

Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services.

Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.

Note   The use of the crypto map interface command re-initializes the security association database causing any currently established security associations to be deleted.

Examples

The following example assigns the crypto map set "mymap" to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).

crypto map mymap interface outside

 

The following is sample output for the show crypto map command:

show crypto map

 
Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
 
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }
 

The following configuration was in effect when the preceding show crypto map command was issued:

crypto map firewall-alice 10 ipsec-isakmp 

crypto map firewall-alice 10 set peer 172.21.114.67

crypto map firewall-alice 10 set transform-set t1 

crypto map firewall-alice 10 match address 141

 

The following is sample output for the show crypto map command when manually established security associations are used:

show crypto map

 
Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
 

The following configuration was in effect when the above show crypto map command was issued:

crypto map multi-peer 20 ipsec-manual 

crypto map multi-peer 20 set peer 172.21.114.67

crypto map multi-peer 20 set session-key inbound ah 256

010203040506070809010203040506070809010203040506070809

crypto map multi-peer 20 set session-key outbound ah 256

010203040506070809010203040506070809010203040506070809

crypto map multi-peer 20 set transform-set t2 

crypto map multi-peer 20 match address 120

crypto mapipsec-manual | ipsec-isakmp

To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.

---

Note   The crypto map command without a keyword creates an ipsec-isakmp entry by default.

---

After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.

Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps link together definitions of the following:

• What traffic should be protected

• Which IPSec peer(s) the protected traffic can be forwarded to—these are the peers with which a security association can be established

• Which transform sets are acceptable for use with the protected traffic

• How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap set transform-set my_t_set1

crypto map mymap set peer 10.0.0.1

 

The following example shows the minimum required crypto map configuration when the security associations are manually established:

crypto transform-set someset ah-md5-hmac esp-des

crypto map mymap 10 ipsec-manual

crypto map mymap 10 match address 102

crypto map mymap 10 set transform-set someset

crypto map mymap 10 set peer 10.0.0.5

crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654

crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc

crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345

crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto mapipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.

Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries which reference dynamic map sets the lowest priority map entries so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

For more information about dynamic maps, see "About IPSec."

Examples

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set my_t_set1

crypto map mymap 10 set peer 10.0.0.1

crypto map mymap 10 set peer 10.0.0.2

crypto map mymap 20 ipsec-isakmp

crypto map mymap 10 match address 102

crypto map mymap 10 set transform-set my_t_set1 my_t_set2

crypto map mymap 10 set peer 10.0.0.3

crypto dynamic-map mydynamicmap 10

crypto dynamic-map mydynamicmap 10 match address 103

crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3

crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

crypto mapmatch address

To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry.

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use the access-list command to define this access list.

The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)

---

Note   The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.

---

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set my_t_set1

crypto map mymap 10 set peer 10.0.0.1

crypto map set peer

Use the crypto mapset peer command to specify an IPSec peer in a crypto map entry. Use the no crypto mapset peer command to remove an IPSec peer from a crypto map entry.

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set my_t_set1

crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map set pfs

The crypto mapset pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto mapset pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

---

Note   IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.

---

Examples

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 set pfs group2

crypto mapset security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.

For more information about lifetimes, see "About IPSec."

Examples

This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).

crypto map mymap 10 ipsec-isakmp

set security-association lifetime seconds 2700

crypto mapset session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto mapset session-key command. Use the no crypto mapset session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.

You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

crypto ipsec transform-set t_set ah-sha-hmac

crypto map mymap 20 ipsec-manual

crypto map mymap 20 match address 102

crypto map mymap 20 set transform-set t_set

crypto map mymap 20 set peer 10.0.0.21

crypto map mymap 20 set session-key inbound ah 300 
1111111111111111111111111111111111111111

crypto map mymap 20 set session-key outbound ah 300 
2222222222222222222222222222222222222222

crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac

crypto map mymap 10 ipsec-manual

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set someset

crypto map mymap 10 set peer 10.0.0.1

crypto map mymap 10 set session-key inbound ah 300 
9876543210987654321098765432109876543210

crypto map mymap 10 set session-key outbound ah 300 
fedcbafedcbafedcbafedcbafedcbafedcbafedc

crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345

    authenticator 0000111122223333444455556666777788889999

crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd

    authenticator 9999888877776666555544443333222211110000

crypto mapset transform-set

To specify which transform sets can be used with the crypto map entry, use the crypto mapset transform-set command. Use the no crypto mapset transform-set command to remove all transform sets from a crypto map entry.

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac

crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set transform-set my_t_set1 my_t_set2

crypto map mymap set peer 10.0.0.1 10.0.0.2

 

debug

Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)

Syntax Description

crypto ca	Display information about CA (certification authority) traffic.
level	The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to these events: Level 1: Interesting events Level 2: Normative and interesting events Level 3: Diminutive, normative, and interesting events Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears with the show debug command.
crypto ipsec	Display information about IPSec traffic.
crypto isakmp	Display information about IKE traffic.
dhcpd event	Display event information associated with the DHCP server.
dhcpd packet	Display packet information associated with the DHCP server.

Usage Guidelines

The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.

The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.

Use of the debug commands can slow down busy networks.

The debug commands are shared between all Telnet and serial console sessions.

The debug ppp io|error|uauth|upap|chap|negotiation commands allow you to debug info for the L2TP tunnels.

The debug vpdn event|error|packet commands allow you to show L2TP protocol debug information.

Additional debug Command Information

---

Note   When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.

---

---

Note   Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

---

Examples

The following is sample output from the show debug command:

show debug

debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The trailing 1 at the end of the debug crypto commands is the debugging level, which is described in the "Syntax Description" section at the start of this command page.

domain-name

Change the IPSec domain name. (Configuration mode.)

Syntax Description

name	A domain name.

Usage Guidelines

The domain-name command lets you change the IPSec domain name.

Note   The change of the domain name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs using the ca zeroize rsa command and delete related certificates using the no ca identity ca_nickname command.

Examples

The following example shows use of the domain-name command:

domain-name example.com

dynamic-map

Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

Usage Guidelines

The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.

Note   The dynamic-map command is the same as the crypto dynamic-map command. Refer to the crypto dynamic-map command page for more information and for other command options.

ip local pool

Identify addresses for a local pool (Configuration mode)

Syntax Description

ip local pool	Creates a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address.
no ip local pool	Deletes a local address pool.
show ip local pool	Shows usage information about a local address pool.
clear ip local pool	Resets IP addresses in a local pool to their default values.
pool_name	Local pool name.
pool_start_address pool_end_address	Local pool IP address range.<