352 Chapter 13: Virtual Private Networks
Example 13-2 Crypto Transform Set (Continued)
tgpix(config)# isakmp identity address
tgpix(config)# isakmp key abc123 address 192.168.2.1 netmask 255.255.255.255
tgpix(config)# access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
tgpix(config)# crypto ipsec transform-set strong esp-3des esp-md5-hmac
Example 13-3 Crypto IPSec SA Lifetime
tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# isakmp enable outside
tgpix(config)# isakmp identity address
tgpix(config)# isakmp key abc123 address 192.168.2.1 netmask 255.255.255.255
tgpix(config)# access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
tgpix(config)# crypto ipsec transform-set strong esp-3des esp-md5-hmac
tgpix(config)# crypto ipsec security-association lifetime seconds 900
Configuring Crypto Maps
Just as the isakmp policy command configures the parameters for the IKE negotiations,
crypto map tells the PIX Firewall how to negotiate the IPSec SA. The crypto map command
is the final piece of the puzzle that is used on both peers to establish the SA. Again, it is
extremely important that the settings are compatible on both ends. If both peers do not have
a compatible configuration, they cannot establish the VPN connection. This does not mean
that the configuration must be an exact match (like the ISAKMP configurations), but the
peers must have matching elements within the crypto map. Many different components are
covered by the crypto map command. The following parameters are set using this command:
■ What traffic is to be encrypted and what traffic is not—Earlier in this chapter, the access-list
command was said to designate which traffic the PIX should encrypt. This is correct;
however, the access list is applied by the crypto map.
■ What type of IPSec to apply to the connection—crypto map tells the firewall which
transform set to use.
■ How the SA is to be initially established—This tells the firewall if the SA is manually
established or established using IKE.
■ Who the peer is for this SA—This can be one or more peers. You can configure a primary
peer and backup peers. In the event that the firewall cannot establish the connection with
the primary peer, it will attempt to connect to the secondary, and so on. These additional
peers are called backup gateways.
■ What the SA’s local address is—The crypto map is applied to a specific interface on
the PIX.
■ Any additional options that should be configured for this SA—This can include setting
a specific timeout in kilobytes or adding an AAA server.
Three steps are required for configuring crypto maps:
Step 1 Creating a crypto map entry
Step 2 Applying the crypto map set to an interface
Step 3 Specifying that IPSec traffic be permitted
It is important that you ensure that all three steps are completed. Although each line of the
crypto map is considered “creating the crypto map,” specific lines apply the crypto map and
specify the IPSec traffic. These lines are discussed next.
Normally, you have at least five crypto map entries with the same name. These entries
combine to list your IPSec SA configuration. Each line of the configuration has its own
purpose. The following text shows and explains the syntax of each line.
crypto map map-name seq-num ipsec-isakmp
This line establishes the crypto map by name and sequence number and specifies that IKE
negotiates the SA.
crypto map map-name seq-num match address acl_name
This line binds the access list to the crypto map. It establishes which traffic is encrypted and
which is not. This line specifies which IPSec traffic is permitted. It defines the traffic as
“interesting.”
Configuring the Security Appliance as a VPN Gateway 353
crypto map map-name seq-num set transform-set transform-set-name
This line identifies which transform set is to be used. The transform-set-name is assigned to
the transform set using the crypto ipsec transform-set command.
crypto map map-name seq-num set peer ip-address
This line identifies the SA peer by IP address.
crypto map map-name interface if_name
This line applies the crypto map to a specific interface. In much the same way that the access-group
command is used to bind the access lists to an interface for standard ACLs, this
command binds the entire crypto map process (including the crypto access list) to the
interface. This line applies the crypto map set to a specific interface on the firewall.
Additional crypto map entries can include set pfs, set security-association lifetime, and client
authentication settings.
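The chapter's point is that a crypto map is only usable when every required line is present, the map is applied to an interface, and the elements the two peers share (transform set, crypto access list, peer addresses) line up. The following checker is an added example, not code from the book or from Cisco: it parses the crypto map, access-list and transform-set lines described above from constructed PIX-style configuration text for two peers (addresses 192.168.1.1 and 192.168.2.1, map names peer1 and peer2 are all assumed), reports missing pieces, and verifies that the two ends point at each other, use identical transforms, and carry mirror-image crypto ACLs.

```python
"""Added illustration (not from the book): parse PIX-style crypto map lines and
check the elements the chapter requires, and those that must match between peers.
All configuration text below is constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class MapEntry:
    isakmp: bool = False              # "ipsec-isakmp" seen: IKE negotiates the SA
    acl: str | None = None            # match address acl_name
    transform_set: str | None = None  # set transform-set name
    peers: list[str] = field(default_factory=list)  # primary peer first, then backups

@dataclass
class Config:
    acls: dict[str, list[tuple[str, ...]]] = field(default_factory=dict)
    transform_sets: dict[str, tuple[str, ...]] = field(default_factory=dict)
    maps: dict[str, dict[int, MapEntry]] = field(default_factory=dict)
    map_interface: dict[str, str] = field(default_factory=dict)  # map name -> if_name

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_config(text: str) -> Config:
    """Collect ACL entries, transform sets, crypto map entries and map bindings."""
    cfg = Config()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := ACL_RE.match(line):
            cfg.acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := TS_RE.match(line):
            cfg.transform_sets[m[1]] = tuple(m[2].split())
        elif m := MAP_IF_RE.match(line):
            cfg.map_interface[m[1]] = m[2]
        elif m := MAP_RE.match(line):
            e = cfg.maps.setdefault(m[1], {}).setdefault(int(m[2]), MapEntry())
            words = m[3].split()
            if m[3] == "ipsec-isakmp":
                e.isakmp = True
            elif words[:2] == ["match", "address"]:
                e.acl = words[2]
            elif words[:2] == ["set", "transform-set"]:
                e.transform_set = words[2]
            elif words[:2] == ["set", "peer"]:
                e.peers.append(words[2])
    return cfg

def check_complete(cfg: Config) -> list[str]:
    """Every entry fully built, map applied to an interface, referenced objects defined."""
    problems = []
    for name, entries in cfg.maps.items():
        if name not in cfg.map_interface:
            problems.append(f"crypto map {name} is not applied to an interface")
        for seq, e in sorted(entries.items()):
            tag = f"crypto map {name} {seq}"
            if not e.isakmp:
                problems.append(f"{tag}: missing ipsec-isakmp, IKE will not negotiate the SA")
            if e.acl not in cfg.acls:  # None or an undefined list name
                problems.append(f"{tag}: match address names no defined access-list ({e.acl})")
            if e.transform_set not in cfg.transform_sets:
                problems.append(f"{tag}: set transform-set names no defined set ({e.transform_set})")
            if not e.peers:
                problems.append(f"{tag}: missing set peer")
    return problems

def check_peers(a: Config, a_addr: str, b: Config, b_addr: str) -> list[str]:
    """Elements both ends must agree on: mutual set peer, identical transforms, mirrored ACLs."""
    problems = []
    ea = [e for es in a.maps.values() for _, e in sorted(es.items()) if b_addr in e.peers]
    eb = [e for es in b.maps.values() for _, e in sorted(es.items()) if a_addr in e.peers]
    if not ea:
        problems.append(f"peer A has no entry with set peer {b_addr}")
    if not eb:
        problems.append(f"peer B has no entry with set peer {a_addr}")
    for x, y in zip(ea, eb):
        tx, ty = a.transform_sets.get(x.transform_set), b.transform_sets.get(y.transform_set)
        if tx != ty:
            problems.append(f"transform sets differ: {tx} vs {ty}")
        # The remote crypto ACL must list the same networks with source and destination swapped.
        mirror = {(d, dm, s, sm) for s, sm, d, dm in b.acls.get(y.acl, [])}
        for ace in a.acls.get(x.acl, []):
            if ace not in mirror:
                problems.append(f"ACL {x.acl} entry {ace} has no mirror image in peer B's ACL {y.acl}")
    return problems

# Constructed sample configurations for the two ends of one tunnel (assumed names/addresses).
PEER_A = """access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 90
crypto map peer2 10 set transform-set strong
crypto map peer2 10 set peer 192.168.2.1
crypto map peer2 interface outside
"""
PEER_B = """access-list 110 permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 110
crypto map peer1 10 set transform-set strong
crypto map peer1 10 set peer 192.168.1.1
crypto map peer1 interface outside
"""
# Broken variant of peer B: ACL not mirrored, different transform, map never applied.
PEER_B_BAD = (PEER_B.replace("10.10.10.0 255.255.255.0\n", "10.10.30.0 255.255.255.0\n")
              .replace("esp-3des", "esp-des").replace("crypto map peer1 interface outside\n", ""))

if __name__ == "__main__":
    a, b, bad = parse_config(PEER_A), parse_config(PEER_B), parse_config(PEER_B_BAD)
    print("good pair:", check_complete(a) + check_complete(b) + check_peers(a, "192.168.1.1", b, "192.168.2.1"))
    print("bad pair:", check_complete(bad) + check_peers(a, "192.168.1.1", bad, "192.168.2.1"))
```

Run as a script, the good pair reports an empty list and the broken peer reports the unapplied map, the differing transform sets and the ACL entry with no mirror image. The checker deliberately compares transform sets by their contents rather than by name, since the book notes only that the elements must match, not the labels.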
Example 13-4 shows the current configuration, including the crypto map entries. Note that
the access list is numbered 90 and the match address command references 90. The ipsec
transform-set is named strong, and the set transform-set references the name strong.