Category:Cisco Systems -> Security
A crypto map set can contain multiple entries, each with a different access list (the "interesting traffic" ACL). The router evaluates the entries in ascending sequence-number order and tries to match the outgoing packet against the access list of each entry; the first entry whose ACL permits the packet decides which peer and transform set are used. An entry with a broad ACL at a low sequence number therefore shadows every more specific entry behind it.
crypto map XYZ 10 ipsec-isakmp
set peer 1
set peer 2
match address ACL
// IPSec crypto map to reach the subnets defined by ACL behind two redundant peers at one site: IOS tries the peers in the configured order and only moves on to the next one when the current peer stops answering, so configure IKE keepalives/DPD if the failover is meant to be automatic
crypto map XYZ 10 ipsec-isakmp
set peer 1
match address UNIQUE_ACL_1
crypto map XYZ 20 ipsec-isakmp
set peer 2
match address UNIQUE_ACL_2
// IPSec crypto map to reach DIFFERENT subnets defined by different ACLs behind two peers at different sites; UNIQUE_ACL_1 and UNIQUE_ACL_2 must not overlap, otherwise seq 10 swallows the traffic meant for seq 20
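The first-match rule above is easy to get wrong when ACLs overlap. The following Python model (added here as an illustration, not code from the page or from Cisco) evaluates a crypto map set the way IOS does, with IOS wildcard-mask semantics, and also detects entries that can never be selected because an earlier entry's ACL covers them completely. The peer addresses, subnets and ACL names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' line of a crypto ACL."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def ace_matches(ace: Ace, src: str, dst: str) -> bool:
    return wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc)

@dataclass(frozen=True)
class MapEntry:
    """'crypto map <name> <seq> ipsec-isakmp' with its 'set peer' list and 'match address' ACL."""
    seq: int
    peers: tuple   # in configured order; IOS tries the first and fails over down the list
    acl: tuple     # tuple of Ace

def select_entry(crypto_map, src: str, dst: str):
    """Walk the entries in ascending sequence order; the first ACL hit wins, exactly like IOS."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(ace_matches(a, src, dst) for a in entry.acl):
            return entry
    return None

def peer_for(crypto_map, src: str, dst: str):
    """Primary peer the packet would be tunnelled to, or None if it leaves in the clear."""
    entry = select_entry(crypto_map, src, dst)
    return None if entry is None else entry.peers[0]

def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    def part(ob, ow, ib, iw):
        ob, ow, ib, iw = _ip(ob), _ip(ow), _ip(ib), _ip(iw)
        care = ~ow & 0xFFFFFFFF
        # inner's don't-care bits must be a subset of outer's, and outer's fixed bits must agree
        return (ow | iw) == ow and (ob & care) == (ib & care)
    return (part(outer.src, outer.src_wc, inner.src, inner.src_wc)
            and part(outer.dst, outer.dst_wc, inner.dst, inner.dst_wc))

def shadowed_entries(crypto_map):
    """Sequence numbers whose ACL is entirely covered by earlier entries and can never be selected."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    dead = []
    for i, later in enumerate(ordered):
        earlier = [a for e in ordered[:i] for a in e.acl]
        if later.acl and all(any(covers(o, a) for o in earlier) for a in later.acl):
            dead.append(later.seq)
    return dead

# Constructed example data (not from the page): 10.1.0.0/16 is the local LAN,
# 10.2.0.0/16 sits behind peer 192.0.2.1 and 10.3.0.0/16 behind peer 192.0.2.2.
UNIQUE_ACL_1 = (Ace("10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255"),)
UNIQUE_ACL_2 = (Ace("10.1.0.0", "0.0.255.255", "10.3.0.0", "0.0.255.255"),)
XYZ = (MapEntry(10, ("192.0.2.1",), UNIQUE_ACL_1),
       MapEntry(20, ("192.0.2.2",), UNIQUE_ACL_2))

# The pitfall: seq 10 written as "10.0.0.0 0.255.255.255" also matches 10.3.0.0/16,
# so traffic for site 2 is sent to site 1's peer and seq 20 never fires.
BROAD_ACL = (Ace("10.1.0.0", "0.0.255.255", "10.0.0.0", "0.255.255.255"),)
XYZ_SHADOWED = (MapEntry(10, ("192.0.2.1",), BROAD_ACL),
                MapEntry(20, ("192.0.2.2",), UNIQUE_ACL_2))

if __name__ == "__main__":
    print(peer_for(XYZ, "10.1.5.5", "10.3.7.7"))           # 192.0.2.2
    print(peer_for(XYZ_SHADOWED, "10.1.5.5", "10.3.7.7"))  # 192.0.2.1
    print(shadowed_entries(XYZ_SHADOWED))                  # [20]
```

Run shadowed_entries() over a crypto map before adding an entry with a higher sequence number; a non-empty result means the new entry is unreachable and the traffic it was meant to protect is going to the wrong peer.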
IPSec VPN between ASA 8.x and ISR with dynamic IP address
ISR with dynamic IP address
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key TESTKEY address 1.1.1.1
!
crypto ipsec transform-set VPNset esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPNset
match address 101
!
interface GigabitEthernet0/2
ip address 1.1.1.40 255.255.255.0 // treat this address as dynamic (DHCP/PPPoE-assigned); nothing on the ASA side references it
duplex auto
speed auto
crypto map VPN
!
access-list 101 permit ip <local LAN subnet> 0.0.255.255 <remote LAN subnet> 0.0.255.255 // define interesting traffic FROM local TO remote; the 0.0.255.255 wildcard covers a /16 and must be the mirror image of the ASA's NAT-exemption list
!
!
// other output omitted
ASA/PIX with static IP address
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0 // This IP address must be static
!
!
// The following is NOT necessary for VPN traffic from the ISR to pass: with the default sysopt connection permit-vpn, decrypted IPsec traffic bypasses the outside interface ACL
!access-group outside in interface outside
!access-list outside extended permit ip any any
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
!
crypto ipsec transform-set VPNset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 10 set transform-set VPNset
crypto dynamic-map cisco 10 set reverse-route
crypto map VPNmap 10 ipsec-isakmp dynamic cisco
crypto map VPNmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key TESTKEY
// The ISR's address is not known in advance, so the key has to live in the default L2L tunnel-group: every dynamic peer shares this PSK, and the ASA can only answer these tunnels, never initiate them
Also with NAT on ASA/PIX:
access-list NoNAT extended permit ip <local LAN subnet> 255.255.0.0 <remote LAN subnet> 255.255.0.0 // used by the nat 0 (NAT exemption) command: traffic matching this list is not translated, so it still matches the crypto ACL after leaving the inside interface; the subnets must be the same ones the ISR's access-list 101 covers
!
!
global (outside) 1 interface
nat (inside) 0 access-list NoNAT // NAT exemption is evaluated before the nat 1 rule, so VPN traffic keeps its private source address
nat (inside) 1 0.0.0.0 0.0.0.0 // everything else is PATed to the outside interface address
Let’s check.
On the ISR the tunnel has to be brought up by sending traffic from the local subnet to the remote subnet; the ASA cannot initiate because it does not know the ISR's address:
ping <remote LAN IP address> source lo0 // lo0 must hold an address inside <local LAN subnet>, otherwise the echo does not match access-list 101 and leaves in the clear
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <remote LAN IP address>, timeout is 2 seconds:
Packet sent with a source address of <local LAN IP address>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 1.1.1.40 QM_IDLE 9005 ACTIVE
#sh crypto ipsec sa
interface: GigabitEthernet0/2
Crypto map tag: VPN, local addr 1.1.1.40
protected vrf: (none)
local ident (addr/mask/prot/port): (<local LAN subnet>/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (<remote LAN subnet>/255.255.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76 // packets sent into the tunnel
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76 // packets received from the peer; both counters must rise for two-way traffic
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.40, remote crypto endpt.: 1.1.1.1
// output truncated
On ASA/PIX:
# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.40
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
# sh crypto ipsec sa
interface: outside
Crypto map tag: cisco, seq num: 10, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (<local LAN subnet>/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (<remote LAN subnet>/255.255.0.0/0/0)
current_peer: 1.1.1.40
#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66 // packets sent into the tunnel
#pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66 // packets received from the peer; an encaps of 0 here with decaps rising usually means the NAT exemption is missing
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.40
// output truncated
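The check above is done by eye on both boxes. The Python below (an added example, not part of the page or a Cisco tool) parses the relevant fields out of "show crypto ipsec sa" from the ISR and the ASA and cross-checks them: proxy identities must be mirror images, the ISR's peer must be the ASA's outside address, and both encaps and decaps must be non-zero on both sides. The sample outputs are constructed from the page's, with 10.1.0.0/16 behind the ISR and 10.2.0.0/16 behind the ASA as assumed subnets, and a second pair shows the one-way tunnel you get when the ASA's NAT exemption is missing.

```python
import re

def parse_ipsec_sa(text: str) -> dict:
    """Extract the fields a tunnel health check needs from 'show crypto ipsec sa'.
    IOS and ASA wording differ only in spacing and colons, so one parser serves both."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return cast(m.group(1))
    return {
        "local_ident":  grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "remote_ident": grab(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "local_endpt":  grab(r"local crypto endpt\.?: ([\d.]+)"),
        "remote_endpt": grab(r"remote crypto endpt\.?: ([\d.]+)"),
        "encaps":       grab(r"#pkts encaps: (\d+)", int),
        "decaps":       grab(r"#pkts decaps: (\d+)", int),
        "send_errors":  grab(r"#send errors:? (\d+)", int),
        "recv_errors":  grab(r"#recv errors:? (\d+)", int),
    }

def check_tunnel(isr: dict, asa: dict) -> list:
    """Cross-check both ends of one L2L SA. Returns a list of findings; empty means healthy."""
    findings = []
    if isr["local_ident"] != asa["remote_ident"] or isr["remote_ident"] != asa["local_ident"]:
        findings.append("proxy identities are not mirror images: the crypto ACLs on the two sides disagree")
    if isr["remote_endpt"] != asa["local_endpt"]:
        findings.append("ISR 'set peer' address does not match the ASA outside address")
    for name, side in (("ISR", isr), ("ASA", asa)):
        if side["encaps"] == 0:
            findings.append(f"{name}: encaps is 0, nothing on that side matched the crypto ACL "
                            "(check interesting-traffic ACL and NAT exemption)")
        elif side["decaps"] == 0:
            findings.append(f"{name}: sends but never receives, one-way tunnel "
                            "(the far side is not encrypting the return traffic)")
        if side["send_errors"] or side["recv_errors"]:
            findings.append(f"{name}: send/recv errors reported")
    return findings

# Constructed sample output (modelled on the page's), parameterised so the failure case can be shown.
def isr_sample(encaps: int, decaps: int) -> str:
    return f"""interface: GigabitEthernet0/2
    Crypto map tag: VPN, local addr 1.1.1.40
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors 0, #recv errors 0
     local crypto endpt.: 1.1.1.40, remote crypto endpt.: 1.1.1.1
"""

def asa_sample(encaps: int, decaps: int) -> str:
    return f"""interface: outside
    Crypto map tag: cisco, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 1.1.1.40
      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.40
"""

if __name__ == "__main__":
    healthy = check_tunnel(parse_ipsec_sa(isr_sample(76, 76)), parse_ipsec_sa(asa_sample(66, 66)))
    print(healthy)  # []
    # ISR pings go out, ASA receives them, but nothing comes back: missing nat 0 on the ASA
    for f in check_tunnel(parse_ipsec_sa(isr_sample(76, 0)), parse_ipsec_sa(asa_sample(0, 76))):
        print("-", f)
```

Feed it the real output captured from both devices (one "show crypto ipsec sa" per side) and run it again after a few pings; counters that stay flat on one side point at the crypto ACL or NAT exemption of that side rather than at IKE, which the isakmp SA shown above already proves is up.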
By privilege15