03-30-2023 05:58 AM - edited 03-30-2023 06:21 AM
Hi,
I'm trying to understand where/why the priority numbers come into play on the Dynamic maps and crypto maps.
For instance:
Here is a section currently on my ASA.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set pfs group19
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set ikev2 ipsec-proposal AES256 AES AES5_SHA5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
The dynamic maps have a priority number for each entry. They are different. But then the Crypto map that the dynamic map will be a child of has a priority number that matches one of the dynamic maps. Was this on purpose or does it matter what the priority number is in relation to each other? Is the dynamic map with pfs group 19 currently active?
Thanks for any help!
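An added example, not part of the original post and not Cisco code: a short Python script that parses the configuration lines quoted in the post, groups the dynamic-map settings by sequence number, and lists them in ascending order under the crypto map entry that references the dynamic map by name. The function names are hypothetical; the script only restates the structure of the posted text and does not query a device.

```python
import re
from collections import defaultdict

# Configuration lines copied verbatim from the post above.
CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set pfs group19
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set ikev2 ipsec-proposal AES256 AES AES5_SHA5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
"""

DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (.+)$")
REF_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def parse(config):
    """Return (dynamic-map entries, crypto-map references, interface bindings)."""
    dyn = defaultdict(lambda: defaultdict(list))  # name -> seq -> [settings]
    refs, ifaces = [], {}  # [(crypto map, seq, dynamic-map name)], {crypto map: interface}
    for line in config.splitlines():
        line = line.strip()
        if m := DYN_RE.match(line):
            dyn[m[1]][int(m[2])].append(m[3])
        elif m := REF_RE.match(line):
            refs.append((m[1], int(m[2]), m[3]))
        elif m := IF_RE.match(line):
            ifaces[m[1]] = m[2]
    return dyn, refs, ifaces

def report(config):
    """List each crypto map entry and the dynamic-map entries it pulls in by name."""
    dyn, refs, ifaces = parse(config)
    out = []
    for cmap, seq, dname in sorted(refs):
        out.append(f"{cmap} seq {seq} (interface {ifaces.get(cmap, 'unbound')}) -> dynamic-map {dname}")
        for dseq in sorted(dyn.get(dname, {})):  # ascending sequence number
            out.append(f"  entry {dseq}: " + "; ".join(dyn[dname][dseq]))
    return out

if __name__ == "__main__":
    print("\n".join(report(CONFIG)))
```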
04-18-2023 11:24 AM