From: tdt_cciesec (tdt_cciesec@yahoo.com)
Date: Wed Dec 13 2006 - 14:00:46 ART
Hi all,
Does anyone know when Cisco actually enforces that a crypto dynamic-map must
have a higher sequence value than the static crypto map? In other words,
I have the following configuration; it used to work in PIX 6.x but it breaks in
version 7.x:
access-list nonat permit ip 10.105.0.0 255.255.255.0 10.105.3.0 255.255.255.0
access-list nonat permit ip 10.105.0.0 255.255.255.0 10.105.99.0 255.255.255.0
access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L1 permit ip 10.105.0.0 255.255.255.0 10.105.3.0 255.255.255.0
access-list L2L2 permit ip 10.105.0.0 255.255.255.0 10.105.99.0 255.255.255.0
access-list External permit icmp any any log
access-list External permit ip any any log
access-group External in interface outside
ip local pool VPN 192.168.1.1-192.168.1.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group External in interface outside
route outside 0.0.0.0 0.0.0.0 129.174.1.8 1
sysopt connection permit-ipsec
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set 3des
crypto map cmap 10 ipsec-isakmp dynamic dynmap
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address L2L1
crypto map cmap 20 set peer 4.2.2.2
crypto map cmap 20 set transform-set aes256
crypto map cmap 20 set security-association lifetime seconds 3600
crypto map cmap 30 ipsec-isakmp
crypto map cmap 30 match address L2L2
crypto map cmap 30 set peer 1.1.1.1
crypto map cmap 30 set transform-set 3des
crypto map cmap 30 set security-association lifetime seconds 3600
crypto map cmap interface outside
isakmp enable outside
isakmp key ******** address 4.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
vpngroup test address-pool VPN
vpngroup test idle-time 1800
vpngroup test password ********
According to Cisco, in PIX 7.x I have to move "crypto map cmap 10
ipsec-isakmp dynamic dynmap" to "crypto map cmap 40 ipsec-isakmp dynamic
dynmap" because the dynamic map has to have a higher value than my
static crypto map. Can anyone point me to the right documentation on where
this is?
I've been told that this is also true for Cisco IOS, but I have not been
able to find any documentation supporting this. In which IOS and PIX OS versions
does Cisco actually enforce this?
Thanks.
tdt
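The ordering problem in the post is easy to check mechanically: Cisco's long-standing guidance is that crypto map entries referencing a dynamic map should be the lowest-priority entries in the map, i.e. carry the highest sequence numbers, so that the static LAN-to-LAN entries are evaluated first and remote-access peers fall through to the dynamic entry. Which PIX/IOS versions reject a violation outright is the poster's open question and is not settled by the script. The following lint is an added example, not code from the post or from Cisco; it parses only the entry-defining form of `crypto map <name> <seq> ipsec-isakmp [dynamic <dynmap>]` (the `set`, `match address` and `interface` forms are skipped), flags any dynamic entry whose sequence is not above every static entry in the same map, and proposes a corrected sequence. The two sample configs are constructed from the posted fragment and its suggested fix.

```python
import re
from collections import defaultdict

# Entry-defining crypto map lines (PIX/ASA and IOS share this syntax), e.g.
#   crypto map cmap 20 ipsec-isakmp
#   crypto map cmap 10 ipsec-isakmp dynamic dynmap
# Lines like "crypto map cmap 20 set peer ..." or "crypto map cmap interface
# outside" do not match and are ignored on purpose.
ENTRY_RE = re.compile(
    r"^\s*crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$"
)

# Constructed sample: the crypto map entries as posted (dynamic entry at seq 10).
POSTED_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set 3des
crypto map cmap 10 ipsec-isakmp dynamic dynmap
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address L2L1
crypto map cmap 20 set peer 4.2.2.2
crypto map cmap 30 ipsec-isakmp
crypto map cmap 30 match address L2L2
crypto map cmap 30 set peer 1.1.1.1
crypto map cmap interface outside
"""

# Constructed sample: the same map with the dynamic entry moved to seq 40.
CORRECTED_CONFIG = POSTED_CONFIG.replace(
    "crypto map cmap 10 ipsec-isakmp dynamic dynmap",
    "crypto map cmap 40 ipsec-isakmp dynamic dynmap",
)


def parse_crypto_map_entries(config):
    """Return {map_name: [(seq, dynamic_map_name_or_None), ...]} in config order."""
    entries = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, seq, dyn = m.groups()
            entries[name].append((int(seq), dyn))
    return dict(entries)


def misordered_dynamic_entries(config):
    """Return (map_name, dynamic_seq, highest_static_seq) for every dynamic
    entry that does not sort after all static entries of the same crypto map.
    A map with no static entries has nothing to be shadowed and yields none."""
    findings = []
    for name, items in parse_crypto_map_entries(config).items():
        static_seqs = [seq for seq, dyn in items if dyn is None]
        if not static_seqs:
            continue
        highest_static = max(static_seqs)
        for seq, dyn in items:
            if dyn is not None and seq <= highest_static:
                findings.append((name, seq, highest_static))
    return findings


def suggested_dynamic_sequence(config, map_name, step=10):
    """Suggest a sequence number for the dynamic entry of map_name: one step
    above the highest static entry (the conventional 'leave room' spacing).
    Returns None if the map has no static entries."""
    items = parse_crypto_map_entries(config).get(map_name, [])
    static_seqs = [seq for seq, dyn in items if dyn is None]
    if not static_seqs:
        return None
    return max(static_seqs) + step


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        findings = misordered_dynamic_entries(cfg)
        if not findings:
            print(f"{label}: dynamic entries sort after all static entries")
        for name, dyn_seq, static_seq in findings:
            print(f"{label}: crypto map {name} {dyn_seq} (dynamic) is not above "
                  f"static entry {static_seq}; consider seq "
                  f"{suggested_dynamic_sequence(cfg, name)}")
```

Run against a `show running-config` capture to audit every crypto map on a box at once; the check is purely textual, so it applies equally to a saved IOS or PIX/ASA config file.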
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART