12-22-2017 02:46 AM - edited 03-12-2019 04:51 AM
Hi,
I've just been handed a half-configured box to sort out and I'm trying to get my head around why all the crypto maps have inherited the same name. This is a direct cut and paste from the config with the inherited map name changed to MY_Map_Name. I'm scratching my head a bit as to where they have all inherited this map name from and the best way to tidy it up. The ASDM output just shows static 1, 2 & 3 and dynamic 65535.6 without any map names, so it doesn't really help identify the issue.
Any ideas most welcome.
crypto map MY_Map_Name 1 match address MY_Map
crypto map MY_Map_Name 1 set pfs group5
crypto map MY_Map_Name 1 set peer xxx.xxx.xxx.xxx
crypto map MY_Map_Name 1 set ikev1 phase1-mode aggressive
crypto map MY_Map_Name 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map MY_Map_Name 2 match address outside_cryptomap
crypto map MY_Map_Name 2 set peer x.xx.xxx.xxx
crypto map MY_Map_Name 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY_Map_Name 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MY_Map_Name 3 match address outside_cryptomap_1
crypto map MY_Map_Name 3 set pfs
crypto map MY_Map_Name 3 set peer xx.xxx.xx.xxx
crypto map MY_Map_Name 3 set ikev1 transform-set ESP-AES-256-MD5
crypto map MY_Map_Name 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MY_Map_Name interface outside
12-22-2017 05:35 AM
OK, I think I see it now; I was just being a bit slow off the mark.
So he has set:
crypto map MY_Map_Name interface outside
...and I assume therefore that all of the crypto maps associated with the outside interface will take the same name. In which case he has used a really dumb name, as it is a single client name with other clients connected on the same map name :-)
The next logical question would be: is there a way to give the crypto maps for each peer associated with that outside interface a more meaningful name than just the numbering, or do people just rely on the match address name?
12-22-2017 05:53 AM
Hello @Rez,
You can only apply one crypto map per interface; this means one name per interface. The VPN you want to add is based on the sequence number, as you said, and traffic is sent when it matches the ACL attached to each crypto map entry (the first one it finds).
If you want to change the name, you need to remove everything you have and apply the same just changing the name, something like this:
no crypto map MY_Map_Name 1 match address MY_Map
no crypto map MY_Map_Name 1 set pfs group5
no crypto map MY_Map_Name 1 set peer xxx.xxx.xxx.xxx
no crypto map MY_Map_Name 1 set ikev1 phase1-mode aggressive
no crypto map MY_Map_Name 1 set ikev1 transform-set ESP-AES-256-SHA
no crypto map MY_Map_Name 2 match address outside_cryptomap
no crypto map MY_Map_Name 2 set peer x.xx.xxx.xxx
no crypto map MY_Map_Name 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto map MY_Map_Name 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
no crypto map MY_Map_Name 3 match address outside_cryptomap_1
no crypto map MY_Map_Name 3 set pfs
no crypto map MY_Map_Name 3 set peer xx.xxx.xx.xxx
no crypto map MY_Map_Name 3 set ikev1 transform-set ESP-AES-256-MD5
no crypto map MY_Map_Name 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto map MY_Map_Name interface outside
crypto map Cool_Name 1 match address MY_Map
crypto map Cool_Name 1 set pfs group5
crypto map Cool_Name 1 set peer xxx.xxx.xxx.xxx
crypto map Cool_Name 1 set ikev1 phase1-mode aggressive
crypto map Cool_Name 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Cool_Name 2 match address outside_cryptomap
crypto map Cool_Name 2 set peer x.xx.xxx.xxx
crypto map Cool_Name 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Cool_Name 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Cool_Name 3 match address outside_cryptomap_1
crypto map Cool_Name 3 set pfs
crypto map Cool_Name 3 set peer xx.xxx.xx.xxx
crypto map Cool_Name 3 set ikev1 transform-set ESP-AES-256-MD5
crypto map Cool_Name 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Cool_Name interface outside
HTH
Gio
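As an added example, not from the thread or from Cisco, here is a Python script that mechanises the rename Gio describes: it parses the crypto map <name> <seq> ... lines out of a pasted config, emits the teardown commands followed by the rebuild under the new name, and, since the map is being rebuilt anyway, flags the entries that still use IKEv1 aggressive mode or offer DES, 3DES or MD5. The sample config is the one posted above with the peer addresses left masked; the function names and the ordering of the interface binding (removed first, re-added last) are my own choices.

```python
import re
from collections import OrderedDict

# Constructed sample input: the crypto map entries posted in the thread, with the
# peer addresses left masked exactly as they appear there.
SAMPLE_CONFIG = """\
crypto map MY_Map_Name 1 match address MY_Map
crypto map MY_Map_Name 1 set pfs group5
crypto map MY_Map_Name 1 set peer xxx.xxx.xxx.xxx
crypto map MY_Map_Name 1 set ikev1 phase1-mode aggressive
crypto map MY_Map_Name 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map MY_Map_Name 2 match address outside_cryptomap
crypto map MY_Map_Name 2 set peer x.xx.xxx.xxx
crypto map MY_Map_Name 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY_Map_Name 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MY_Map_Name 3 match address outside_cryptomap_1
crypto map MY_Map_Name 3 set pfs
crypto map MY_Map_Name 3 set peer xx.xxx.xx.xxx
crypto map MY_Map_Name 3 set ikev1 transform-set ESP-AES-256-MD5
crypto map MY_Map_Name 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MY_Map_Name interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_map(config, name):
    """Collect the entries of one crypto map: {seq: [clause, ...]} in config order,
    plus the list of interfaces the map is bound to."""
    entries = OrderedDict()
    interfaces = []
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m and m.group(1) == name:
            interfaces.append(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m and m.group(1) == name:
            entries.setdefault(int(m.group(2)), []).append(m.group(3))
    return entries, interfaces


def rename_commands(config, old, new):
    """Emit the CLI for the rename: tear every clause down under the old name,
    then rebuild it clause for clause under the new one. The interface binding
    is removed first and re-added last so the interface never carries a
    half-built map. Every tunnel on that interface drops for the duration."""
    entries, interfaces = parse_crypto_map(config, old)
    if not entries:
        raise ValueError(f"crypto map {old} not found in config")
    cmds = [f"no crypto map {old} interface {ifc}" for ifc in interfaces]
    for seq, clauses in entries.items():
        cmds += [f"no crypto map {old} {seq} {c}" for c in clauses]
    for seq, clauses in entries.items():
        cmds += [f"crypto map {new} {seq} {c}" for c in clauses]
    cmds += [f"crypto map {new} interface {ifc}" for ifc in interfaces]
    return cmds


def audit_entries(entries):
    """Flag per-entry settings worth a second look while the map is open anyway:
    IKEv1 aggressive mode, and transform-sets or IKEv2 proposals that still offer
    DES, 3DES or MD5. Keys on the ASA default transform-set names (ESP-DES-SHA,
    ESP-3DES-MD5, ...); custom names would need their own check."""
    findings = {}
    for seq, clauses in entries.items():
        issues = []
        for c in clauses:
            words = c.split()
            if "phase1-mode" in words and "aggressive" in words:
                issues.append("ikev1 aggressive mode")
            if words[:3] in (["set", "ikev1", "transform-set"], ["set", "ikev2", "ipsec-proposal"]):
                weak = [w for w in words[3:] if "DES" in w.upper() or "MD5" in w.upper()]
                if weak:
                    issues.append(f"weak algorithms in {words[1]} {words[2]}: " + ", ".join(weak))
        if issues:
            findings[seq] = issues
    return findings


if __name__ == "__main__":
    for cmd in rename_commands(SAMPLE_CONFIG, "MY_Map_Name", "Cool_Name"):
        print(cmd)
    entries, _ = parse_crypto_map(SAMPLE_CONFIG, "MY_Map_Name")
    for seq, issues in audit_entries(entries).items():
        print(f"entry {seq}: " + "; ".join(issues))
```

Feed it the output of "show run crypto map" from the box rather than a hand-edited paste, paste the generated commands in a maintenance window (the whole map, including the dynamic entry for remote-access clients, goes down until the last line is applied), then confirm with "show run crypto map" and "show crypto ipsec sa" that every peer has come back under the new name.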
12-22-2017 06:01 AM
Great, thanks for the heads-up, Gio.
I wasn't sure if I could just change the single line or not, but it makes sense I guess; the same as you would have to do if you wanted to rename an ACL.