Can ASA 5505 support PFS and non-PFS at the same time?

vwr468moto
Level 1

I need my ASA 5505 to support ESP-AES-128-SHA on 2 dynamic clients, one with PFS and another without PFS. I add 2 dynamic maps like this.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-AES-128-SHA

The testing result shows the client with PFS can be connected, but the one without PFS cannot.

Then I change the settings to this.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-AES-128-SHA

Now the client without PFS can be connected, but the one with PFS cannot.

How can I set the dynamic maps so that they can support both clients at the same time?

Thanks!

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi there,

You need to have a criteria to choose one dynamic crypto map entry or the other.

Typically what works on IOS is to add a match statement for traffic, the same way you do on your static crypto map entries.

With a match statement you would be able to pick one entry or the other based on the traffic selector the other peer will send.

Never tested this on ASA but in theory it should work.

Marcin

Marcin,

Thanks for your answer. Sorry, I am still confused. Both maps have the same name SYSTEM_DEFAULT_CRYPTO_MAP. The only difference is the priority. How can I specify which one to use?

My understanding is that the IOS will pick each of these maps by the order of priorities. If the one with higher priority does not match, it will go on to pick the next one. However, my tests do not seem to support my theory. Could you send me an example of how to use a match statement to pick one entry or the other? Any easily understood document for it?

Thanks!

If an entry in a dynamic crypto map doesn't have any match statement on it, it will always be chosen, as it always matches.

That's why you need to differentiate between the two, by adding match statements.

The dynamic peers, what are they?

Marcin
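The shadowing behaviour Marcin describes (a dynamic-map entry with no match address is always selected, so every higher-sequence entry behind it is unreachable) can be checked mechanically before a change is pushed. The script below is an added example, not code from the thread or from Cisco: it parses `crypto dynamic-map` lines from a running-config, groups them by sequence number, and reports entries that a lower-sequence catch-all entry shadows. The ACL names PFS_CLIENTS and NOPFS_CLIENTS in the corrected sample are hypothetical.

```python
import re

# Constructed sample: the poster's first configuration (seq 10 with PFS, seq 20 without).
SAMPLE_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-AES-128-SHA
"""

# Constructed sample applying Marcin's advice: each entry gets its own match address
# (hypothetical ACL names), so a peer's traffic selector decides which entry is used.
FIXED_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 match address PFS_CLIENTS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 match address NOPFS_CLIENTS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-AES-128-SHA
"""

# Clauses recognised: match address <acl>, set pfs [group], set [ikev1] transform-set <names>
LINE_RE = re.compile(
    r"^crypto dynamic-map (\S+) (\d+) "
    r"(match address (\S+)|set pfs(?: \S+)?|set (?:ikev1 )?transform-set .+)$"
)

def parse_dynamic_maps(config):
    """Return {map_name: {seq: {"match": acl_or_None, "pfs": bool, "transform": str_or_None}}}."""
    maps = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a dynamic-map line (or a clause this checker does not model)
        name, seq, clause, acl = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"match": None, "pfs": False, "transform": None})
        if clause.startswith("match address"):
            entry["match"] = acl
        elif clause.startswith("set pfs"):
            entry["pfs"] = True
        else:
            entry["transform"] = clause.split("transform-set", 1)[1].strip()
    return maps

def shadowed_entries(maps):
    """List (map_name, seq, shadowed_by_seq) for entries that can never be selected
    because a lower-sequence entry without a match address precedes them."""
    findings = []
    for name, entries in maps.items():
        catch_all = None  # lowest sequence number that has no match address
        for seq in sorted(entries):
            if catch_all is not None:
                findings.append((name, seq, catch_all))
            elif entries[seq]["match"] is None:
                catch_all = seq
    return findings
```

Run it against the first sample and it reports that entry 20 is shadowed by entry 10, which is exactly the symptom the poster saw; a catch-all entry is only harmless when it carries the highest sequence number in its map.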