From: Ryan DeBerry (rdeberry@gmail.com)
Date: Wed Dec 13 2006 - 15:50:48 ART
Here is the IOS documentation for 12.4. I ran into the same issue but was never able
to find documentation for PIX 7.x.
A dynamic crypto map set is included by reference as part of a crypto map
set. Any crypto map entries that reference dynamic crypto map sets should be
the lowest priority crypto map entries in the crypto map set (that is, have
the highest sequence numbers) so that the other crypto map entries are
evaluated first; that way, the dynamic crypto map set is examined only when
the other (static) map entries are not successfully matched.
On 12/13/06, tdt_cciesec <tdt_cciesec@yahoo.com> wrote:
>
> Hi all,
>
> Does anyone know when Cisco actually enforced that a crypto dynamic-map must
> have a higher sequence value than the static crypto map? In other words,
> I have the following configuration and it used to work in PIX 6.x but it
> breaks in version 7.x:
>
> access-list nonat permit ip 10.105.0.0 255.255.255.0 10.105.3.0 255.255.255.0
> access-list nonat permit ip 10.105.0.0 255.255.255.0 10.105.99.0 255.255.255.0
> access-list nonat permit ip 10.105.0.0 255.255.255.0 192.168.1.0 255.255.255.0
> access-list L2L1 permit ip 10.105.0.0 255.255.255.0 10.105.3.0 255.255.255.0
> access-list L2L2 permit ip 10.105.0.0 255.255.255.0 10.105.99.0 255.255.255.0
> access-list External permit icmp any any log
> access-list External permit ip any any log
> access-group External in interface outside
> ip local pool VPN 192.168.1.1-192.168.1.254
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group External in interface outside
> route outside 0.0.0.0 0.0.0.0 129.174.1.8 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set 3des esp-3des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set 3des
> crypto map cmap 10 ipsec-isakmp dynamic dynmap
> crypto map cmap 20 ipsec-isakmp
> crypto map cmap 20 match address L2L1
> crypto map cmap 20 set peer 4.2.2.2
> crypto map cmap 20 set transform-set aes256
> crypto map cmap 20 set security-association lifetime seconds 3600
> crypto map cmap 30 ipsec-isakmp
> crypto map cmap 30 match address L2L2
> crypto map cmap 30 set peer 1.1.1.1
> crypto map cmap 30 set transform-set 3des
> crypto map cmap 30 set security-association lifetime seconds 3600
> crypto map cmap interface outside
> isakmp enable outside
> isakmp key ******** address 4.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp identity address
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 86400
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption aes-256
> isakmp policy 10 hash sha
> isakmp policy 10 group 5
> isakmp policy 10 lifetime 86400
> vpngroup test address-pool VPN
> vpngroup test idle-time 1800
> vpngroup test password ********
>
> According to Cisco, in PIX 7.x, I have to move "crypto map cmap 10
> ipsec-isakmp dynamic dynmap" to "crypto map cmap 40 ipsec-isakmp dynamic
> dynmap" because the dynamic map has to have a higher value than my
> static crypto map. Can anyone point me to the right documentation on
> where this is?
>
> I've been told that this is also true for Cisco IOS, but I have not been
> able to find any documentation supporting this. In which IOS and PIX OS
> version does Cisco actually enforce this?
>
> Thanks.
>
> tdt
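As an added illustration of the ordering rule discussed in this thread (this is not code from either poster or from Cisco), the following Python script walks a PIX/IOS configuration dump, finds every "crypto map ... ipsec-isakmp dynamic ..." entry whose sequence number is lower than a static entry in the same crypto map set, and suggests the next free sequence number above the static ones. The sample input is constructed from the crypto map lines of the quoted configuration; the "fixed" variant moves the dynamic entry to sequence 40, as the poster says Cisco advised. The function names and the step-of-10 renumbering convention are this example's own choices, not Cisco's.

```python
import re
from collections import defaultdict

# Entry-defining crypto map line, PIX 6.x/7.x and IOS syntax:
#   crypto map <set> <seq> ipsec-isakmp                    (static entry)
#   crypto map <set> <seq> ipsec-isakmp dynamic <dynmap>   (dynamic entry)
# The other "crypto map <set> <seq> ..." lines (match address, set peer, ...)
# attach to an existing sequence number and carry no ordering information.
CRYPTO_MAP_ENTRY_RE = re.compile(
    r"^\s*crypto map (?P<set>\S+) (?P<seq>\d+) ipsec-isakmp"
    r"(?: dynamic (?P<dyn>\S+))?\s*$"
)

# Constructed sample: the crypto map lines from the quoted PIX config,
# with the dynamic entry at sequence 10, ahead of the static entries.
SAMPLE_CONFIG = """\
crypto ipsec transform-set aes256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set 3des
crypto map cmap 10 ipsec-isakmp dynamic dynmap
crypto map cmap 20 ipsec-isakmp
crypto map cmap 20 match address L2L1
crypto map cmap 20 set peer 4.2.2.2
crypto map cmap 20 set transform-set aes256
crypto map cmap 30 ipsec-isakmp
crypto map cmap 30 match address L2L2
crypto map cmap 30 set peer 1.1.1.1
crypto map cmap 30 set transform-set 3des
crypto map cmap interface outside
"""

# Same set with the dynamic entry re-added at 40, the change the poster was told to make.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto map cmap 10 ipsec-isakmp dynamic dynmap\n", ""
) + "crypto map cmap 40 ipsec-isakmp dynamic dynmap\n"


def parse_crypto_map_entries(config_text):
    """Return {set_name: {seq: dynamic_map_name_or_None}} for the entry-defining lines."""
    entries = defaultdict(dict)
    for line in config_text.splitlines():
        m = CRYPTO_MAP_ENTRY_RE.match(line)
        if m:
            entries[m.group("set")][int(m.group("seq"))] = m.group("dyn")
    return dict(entries)


def find_shadowed_static_entries(config_text):
    """List (set, dyn_seq, dyn_name, static_seqs_behind_it) for every dynamic
    entry that sits at a lower sequence number than a static entry in its set.

    A crypto map set is evaluated lowest sequence number first, so a dynamic
    entry placed below the static ones is tried before them, the opposite of
    the documented intent that dynamic entries are examined only when no
    static entry matches.
    """
    problems = []
    for set_name, seqs in parse_crypto_map_entries(config_text).items():
        static = sorted(s for s, dyn in seqs.items() if dyn is None)
        for dyn_seq in sorted(s for s, dyn in seqs.items() if dyn is not None):
            shadowed = [s for s in static if s > dyn_seq]
            if shadowed:
                problems.append((set_name, dyn_seq, seqs[dyn_seq], shadowed))
    return problems


def suggest_dynamic_sequence(config_text, set_name, step=10):
    """Lowest multiple of `step` above every static entry of `set_name`
    (None if the set has no static entries). Hypothetical convention for this example."""
    seqs = parse_crypto_map_entries(config_text).get(set_name, {})
    static = [s for s, dyn in seqs.items() if dyn is None]
    if not static:
        return None
    return (max(static) // step + 1) * step


if __name__ == "__main__":
    for set_name, dyn_seq, dyn_name, shadowed in find_shadowed_static_entries(SAMPLE_CONFIG):
        print(f"crypto map {set_name} {dyn_seq} (dynamic {dyn_name}) precedes static "
              f"entries {shadowed}; re-add it as sequence "
              f"{suggest_dynamic_sequence(SAMPLE_CONFIG, set_name)}")
    print("problems in fixed config:", find_shadowed_static_entries(FIXED_CONFIG))
```

On the sample, the checker flags "cmap 10" as sitting ahead of static entries 20 and 30 and suggests 40; on the fixed config it reports nothing. Note that a sequence number cannot be edited in place on the PIX: the dynamic entry has to be removed ("no crypto map cmap 10 ipsec-isakmp dynamic dynmap") and re-added at the higher number, and the crypto map set stays bound to the interface throughout.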
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART