Table of Contents

ca
clear Commands
crypto dynamic-map
crypto ipsec
crypto map
debug
domain-name
dynamic-map
ip local pool
ipsec
isakmp
sysopt
vpngroup

Command Reference

This chapter provides detailed descriptions of the IPSec-related PIX Firewall commands. For all other PIX Firewall commands, see the "Command Reference" chapter of the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2.

The following notes can help you as you configure the PIX Firewall:

• View your configuration at any time with the write terminal command.

• Save your configuration frequently with the write memory command.

• Always check the syntax before entering a command. Enter a command and press the Enter key to view a quick summary, or precede a command with help, as in, help aaa.

• View syslog messages as you work on the PIX Firewall. Start accumulating messages with the logging buffered debugging command, view messages with the show logging command, and clear the message buffer with the clear logging command. Syslog messages are described in the System Log Messages for the Cisco Secure PIX Firewall Version 5.2.

• Abbreviate commands, such as, using the con te command statement to start configuration mode, the wr t command statement to list the configuration, and wr m to write to Flash memory. Start logging with the lo b 7 command statement and show logging messages with the sh lo command statement.

• After changing or removing the alias, access-list, conduit, global, nat, outbound, and static commands, use the clear xlate command to make the IP addresses available for access.

• You can view possible port and protocol numbers at the following IANA web sites:

  http://www.isi.edu/in-notes/iana/assignments/port-numbers
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

• Create your configuration on a text editor and then cut and paste it into the configuration. PIX Firewall lets you paste in a line at a time or the whole configuration. Always check your configuration after pasting large blocks of text to be sure everything copied.

ca

Configure the PIX Firewall to interoperate with a certification authority (CA). (Configuration mode.)

show ca crl

show ca mypubkey rsa

Syntax Description

ca_nickname	The name of the certification authority (CA). Enter any string that you desire. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name. Currently the PIX Firewall supports only one CA at a time.
fingerprint	A key consisting of alphanumeric characters the PIX Firewall uses to authenticate CA's certificate.
ca | ra	Indicates whether to contact the CA or Registration Authority (RA) when using the ca configure command. Some CA systems provide an RA, which the PIX Firewall contacts instead of the CA.
retry_period	Specify the number of minutes the PIX Firewall waits before resending a certificate request to the CA when it does not receive a response from the CA to its previous request. Specify from 1 to 60 minutes. By default, the PIX Firewall retries every 1 minute.
retry_count	Specify how many times the PIX Firewall will resend a certificate request when it does not receive a certificate from the CA from the previous request. Specify from 1 to 100. The default is 0, which indicates that there is no limit to the number of times the PIX Firewall should contact the CA to obtain a pending certificate.
crloptional	Allows other peers' certificates be accepted by your PIX Firewall even if the appropriate Certificate Revocation List (CRL) is not accessible to your PIX Firewall. The default is without crloptional.
challenge_password	A required password that gives the CA administrator some authentication when a user calls to ask for a certificate to be revoked. It can be up to 80 characters in length.
serial	Return the PIX Firewall unit's serial number in the certificate.
ipaddress	Return the PIX Firewall unit's IP address in the certificate.
key	This specifies that one general-purpose RSA key pair will be generated.
specialkey	This specifies that two special-purpose RSA key pairs will be generated instead of one general-purpose key.
key_modulus_size	The size of the key modulus, which is between 512 and 2048 bits. Choosing a size greater than 1024 bits may cause key generation to take a few minutes.
ca_ipaddress	The CA's IP address.
:ca_script_location	The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in this location, provide the location and the name of the script in the ca identity command. A PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so it must identify a particular cgi-bin script to handle CA requests.
ldap_ipaddress	The IP address of the Lightweight Directory Access Protocol (LDAP) server. By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports LDAP, query functions may also use LDAP.

Usage Guidelines

The sections that follow describe each ca command.

---

Note   The PIX Firewall currently supports the CA servers from VeriSign, Entrust, Baltimore Technologies, and Microsoft. See "CA Configuration Examples," for a list of specific CA server versions the PIX Firewall supports.

---

---

Note   If you are using the VeriSign CA, you must use the crloptional parameter with the ca configure command.

---

---

Note   The lifetime of a certificate and the Certificate Revocation List (CRL) is checked in GMT. Set the PIX Firewall clock to GMT to ensure that CRL checking works correctly. Use the clock command to set the PIX Firewall clock.

---

ca authenticate

The ca authenticate command allows the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA's self-signed certificate, which contains the CA's public key.

If you are using RA mode (within the ca configure command), when you issue the ca authenticate command, the RA signing and encryption certificates will be returned from the CA, as well as the CA certificate.

The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain"). To save the public keys permanently to Flash memory, use the ca save all command.

To view the CA's certificate, use the show ca certificate command.

---

Note   If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.

---

Examples

In this example, a request for the CA's certificate was sent to the CA. The fingerprint was not included in the command. The CA sends its certificate and the PIX Firewall prompts for verification of the CA's certificate by checking the CA certificate's fingerprint. Using the fingerprint associated with the CA's certificate retrieved in some out-of-band process from a CA administrator, compare the two fingerprints. If both fingerprints match, then the certificate is considered valid.

ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
 

The following example shows the error message. This time, the fingerprint is included in the command. The two fingerprints do not match, and therefore the certificate is not valid.

ca authenticate myca 0123456789ABCDEF0123
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or `?' for a list of
available commands.

ca configure

The ca configure command is used to specify the communication parameters between the PIX Firewall and the CA.

Use the no ca configure command to reset each of the communication parameters to the default value. If you want to show the current settings stored in RAM, use the show ca configure command.

---

Note   When using VeriSign as your CA, always use the crloptional option with the ca configure command. Without the crloptional option, an error occurs when the PIX Firewall validates the certificate during main mode, which causes the peer PIX Firewall to fail. This problem occurs because the PIX Firewall is not able to poll the CRL from the VeriSign CA.

---

Examples

The following example indicates that myca is the name of the CA and the CA will be contacted rather than the RA. It also indicates that the PIX Firewall will wait 5 minutes before sending another certificate request, if it does not receive a response, and will resend a total of 15 times before dropping its request. If the CRL is not accessible, crloptional tells the PIX Firewall to accept other peer's certificates.

ca configure myca ca 5 15 crloptional

ca crl request

The ca crl request command allows the PIX Firewall to obtain an updated CRL from the CA at any time. The no ca crl command deletes the CRL within the PIX Firewall.

The following example indicates the PIX Firewall will obtain an updated CRL from the CA with the name myca:

ca crl request myca

The ca enroll command is used to send an enrollment request to the CA requesting a certificate for all of your PIX Firewall unit's key pairs. This is also known as "enrolling" with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)

The required challenge password is necessary in the event that you need to revoke your PIX Firewall unit's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

---

Note   This password is not stored anywhere, so you need to remember this password.

---

If you lose the password, the CA administrator may still be able to revoke the PIX Firewall's certificate but will require further manual authentication of the PIX Firewall administrator identity.

The PIX Firewall unit's serial number is optional. If you provide the serial option, the serial number will be included in the obtained certificate. The serial number is not used by IPSec or IKE but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular device. Ask your CA administrator if serial numbers should be included in the certificate. If you are in doubt, specify the serial option.

The PIX Firewall unit's IP address is optional. If you provide the ipaddress option, the IP address will be included in the obtained certificate. Normally, you would not include the ipaddress option because the IP address binds the certificate more tightly to a specific entity. Also, if the PIX Firewall is moved, you would need to issue a new certificate.

---

Note   When configuring ISAKMP for certificate-based authentication, it is important to match the ISAKMP identity type with the certificate type. The ca enroll command used to acquire certificates will, by default, get a certificate with the identity based on host name. The default identity type for the isakmp identity command is based on address instead of host name. You can reconcile this disparity of identity types by using the isakmp identity address command. See the isakmp command page for information about the isakmp identity address command.

---

Examples

The following example indicates that the PIX Firewall will send an enrollment request to the CA myca.example.com. The password 1234567890 is specified, as well as a request for the PIX Firewall unit's serial number to be embedded in the certificate.

ca enroll myca.example.com 1234567890 serial

ca generate rsa

The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key. If your PIX Firewall already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

---

Note   Before issuing this command, make sure your PIX Firewall has a hostname and domain name configured (using the hostname and domain-name commands). You will be unable to complete the ca generate rsa command without a hostname and domain name.

---

The ca generate rsa command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in the persistent data file in Flash memory, which is never displayed to the user or backed up to another device.

Examples

In this example, one general purpose RSA key pair is to be generated. The selected size of the key modulus is 2048.

ca generate rsa key 2048

---

Note   You cannot generate both special usage and general purpose keys; you can only generate one or the other.

---

ca identity

The ca identity command declares the CA that your PIX Firewall will use. Currently, PIX Firewall supports one CA at one time. The no ca identity command removes the ca identity command from the configuration and deletes all certificates issued by the specified CA and CRLs. The show ca identity command shows the current settings stored in RAM.

The PIX Firewall uses a subset of the HTTP protocol to contact the CA, and so must identify a particular cgi-bin script to handle CA requests. The default location and script on the CA server is /cgi-bin/pkiclient.exe. If the CA administrator has not put the CGI script in the above location, include the location and the name of the script within the ca identity command statement.

By default, querying of a certificate or a CRL is done via Cisco's PKI protocol. If the CA supports Lightweight Directory Access Protocol (LDAP), query functions may use LDAP as well. The IP address of the LDAP server must be included within the ca identity command statement.

ca identity myca.example.com 205.139.94.231 

The ca save all commands allows you to save the PIX Firewall unit's RSA key pairs, the CA, RA and PIX Firewall unit's certificates, and the CA's CRLs in the persistent data file in Flash memory between reloads. The no ca save command removes the saved data from PIX Firewall unit's Flash memory.

The ca zeroize rsa command deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also perform two additional tasks. Perform these tasks in the following order:

• Use the no ca identity command to manually remove the PIX Firewall unit's certificates from the configuration. This will delete all the certificates issued by the CA.

• Ask the CA administrator to revoke your PIX Firewall unit's certificates at the CA. Supply the challenge password you created when you originally obtained the PIX Firewall unit's certificates using the crypto ca enroll command.

To delete a specific RSA key pair, specify the name of the RSA key you want to delete using the option keypair_name within the ca zeroize rsa command statement.

---

Note   You may have more than one pair of RSA keys due to SSH. See the ssh command page within Chapter 5, "Command Reference," of the Configuration Guide for the Cisco Secure PIX Firewall.

---

Examples

show ca certificate

The show ca certificate command displays the CA Server's subject name, CRL distribution point (where the PIX Firewall will obtain the CRL), and lifetime of both the CA server's root certificate and the PIX Firewall's certificates.

show ca certificate
 
RA Signature Certificate
  Status:Available
  Certificate Serial Number:6106e08a000000000005
  Key Usage:Signature
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:09 Jul 11 2000
 
    end   date:17:27:09 Jul 11 2001
 
 
Certificate
  Status:Available
  Certificate Serial Number:1f80655400000000000a
  Key Usage:General Purpose
  Subject Name
    Name:pixfirewall.example.com
  Validity Date:
    start date:20:06:23 Jul 17 2000
 
    end   date:20:16:23 Jul 17 2001
 
 
CA Certificate
  Status:Available
  Certificate Serial Number:25b81813efe58fb34726eec44ae82365
  Key Usage:Signature
    CN = MSCA
     OU = Cisco
     O = VSEC
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:07:34 Jul 11 2000
RA KeyEncipher Certificate
  Status:Available
  Certificate Serial Number:6106e24c000000000006
  Key Usage:Encryption
    CN = SCEP
     OU = VSEC
     O = Cisco
     L = San Jose
     ST = CA
     C = US
     EA =<16> username@example.com
  Validity Date:
    start date:17:17:10 Jul 11 2000
 
    end   date:17:27:10 Jul 11 01 

The show ca crl command lets you know whether there is a CRL in RAM, and where and when the CRL is downloaded.

The following is a sample output of the show ca crl command. See Table 12-1 for descriptions of the strings within the following sample output:

show ca crl
 
CRL:
    CRL Issuer Name:
        CN = MSCA, OU = Cisco, O = VSEC, L = San Jose, ST = CA, C = US, EA
=<16> username@example.com
    LastUpdate:17:07:40 Jul 11 2000
 
    NextUpdate:05:27:40 Jul 19 2000

show ca mypubkey rsa

The show ca mypubkey rsa command displays the PIX Firewall unit's public keys in a DER/BER encoded PKCS#1 representation.

show ca mypubkey rsa
 
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Signature Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
% Key pair was generated at: 15:34:55 Aug 05 1999
 
Key name: pixfirewall.example.com
 Usage: Encryption Key
 Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00d8a6ac cc64e57a
48dfb2c1 234661c7 76380bd5 72ae62f7 1706bdab 0eedd0b5 2e5feef0 76319d98
908f50b4 85a291de 247b6711 59b30026 453bfa3c 45234991 5d020301 0001

clear Commands

Remove commands from the configuration or reset command values (All modes.)

Table 12-2 lists each mode in which the clear commands first appear. Each clear command listed in one mode can be also accessed in each subsequent more secure mode going from unprivileged to configuration mode, but not from less secure modes.

Table 12-2: Configuration Mode Clear Commands

Clear Command	Description	Described on Command Page
clear [crypto] dynamic-map	Removes crypto dynamic-map command statements from the configuration.The keyword crypto is optional.	crypto dynamic-map and dynamic-map
clear [crypto] ipsec sa	Deletes the active IPSec security associations. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa counters	Clears the traffic counters maintained for each security association. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa entry destination-address protocol spi	Deletes the active IPSec security association with the specified address, protocol, and SPI. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa map map-name	Deletes the active IPSec security associations for the named crypto map set. The keyword crypto is optional.	crypto ipsec
clear [crypto] ipsec sa peer	Deletes the active IPSec security associations for the specified peer. The keyword crypto is optional.	crypto ipsec
clear [crypto] isakmp sa	Deletes the active IKE security associations. The keyword crypto is optional.	isakmp
clear ipsec	Removes ipsec command statements from the configuration.	ipsec
clear isakmp	Removes isakmp command statements from the configuration.	isakmp
clear sysopt	Removes sysopt command statements from the configuration.	sysopt

crypto dynamic-map

Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

Syntax Description

dynamic-map-name	Specify the name of the dynamic crypto map set.
dynamic-seq-num	Specify the sequence number that corresponds to the dynamic crypto map entry.
subcommand	Various subcommands (match address, set transform-set, and so on).
tag map-name	(Optional) Show the crypto dynamic map set with the specified map-name.

Note   The crypto dynamic-map subcommands, such as match address, set peer, and set pfs are described in the crypto map command page. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer. command page. See this command page for the descriptions of these commands, including syntax descriptions.

Usage Guidelines

The sections that follow describe each crypto dynamic-map command.

crypto dynamic-map

The crypto dynamic-map command allows you to create a dynamic crypto map entry. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map removes all of the dynamic crypto map command statements. Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto map's sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command allows you to view a dynamic crypto map set.

Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in your network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)

When a PIX Firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map.

The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)

If the PIX Firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the PIX Firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.

Dynamic crypto maps are used for determining whether or not traffic should be protected.

Note   The only parameter required in a dynamic crypto map is the set transform-set. All other parameters are optional.

Examples

The following example configures an IPSec crypto map set.

Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.

The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103
 
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
 
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
 

The following is sample output for the show crypto dynamic-map command:

show crypto dynamic-map
 
Crypto Map Template "dyn1" 10
 
        access-list 152 permit ip host 172.21.114.67 any
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={tauth, t1,}
 

The following partial configuration was in effect when the above show crypto dynamic-map command was issued:

crypto ipsec security-association lifetime seconds 120        
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set tauth ah-sha-hmac 
crypto dynamic-map dyn1 10
crypto dynamic-map dyn1 set transform-set tauth t1 
crypto dynamic-map dyn1 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp 
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1 
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 any

crypto dynamic-map match address

See the crypto mapmatch address command within the crypto map command page for information about this command.

crypto dynamic-mapset peer

See the crypto map set peer command within the crypto map command page for information about this command.

crypto dynamic-mapset pfs

See the crypto map set pfs command within the crypto map command page for information about this command.

crypto dynamic-map set security-association lifetime

See the crypto mapset security-association lifetime command within the crypto map command page for information about this command.

crypto dynamic-mapset transform-set

See the crypto mapset transform-set command within the crypto map command page for information about this command.

Note   The crypto mapset transform-set command is required for dynamic crypto map entries.

crypto ipsec

Create, view, or delete IPSec security associations, security association global lifetime values, and global transform sets. (Configuration mode.)

Syntax Description

address	(Optional) Show all of the existing security associations, sorted by the destination address (either the local address or the address of the remote IPSec peer) and then by protocol (AH or ESP).
destination-address	Specify the IP address of your peer or the remote peer.
detail	(Optional) Show detailed error counters. (The default is the high level send/receive error counters.)
identity	(Optional) Show only the flow information. It does not show the security association information.
interface-name	Specify the identifying interface (outside or external) to be used by the PIX Firewall to identify itself to remote peers. If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
ip-address	Specify a remote peer's IP address.
ipsec-isakmp	Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual	Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
kilobytes kilobytes	Specify the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes (10 megabytes per second for one hour).
map map-name	The name of the crypto map set.
peer-name	Specify a remote peer's name as the fully qualified domain name. For example, remotepeer.example.com.
protocol	Specify either the AH or ESP protocol.
seconds seconds	Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
seq-num	The number you assign to the crypto map entry.
spi	Specify the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF).
tag transform-set-name	(Optional) Show only the transform sets with the specified transform-set-name.
transform1 transform2 transform3	Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.
transform-set-name	Specify the name of the transform set to create or modify.

Usage Guidelines

The sections that follow describe each crypto ipsec command.

crypto ipsec security-association lifetime

The crypto ipsec security-association lifetime command is used to change global lifetime values used when negotiating IPSec security associations. To reset a lifetime to the default value, use the no crypto ipsec security-association lifetime command. The show crypto ipsec security-association lifetime command allows you to view the security-association lifetime value configured for a particular crypto map entry.

IPSec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry does not have lifetime values configured, when the PIX Firewall requests new security associations during security association negotiation, it will specify its global lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the PIX Firewall receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command. See the clear [crypto] ipsec sa command for more information.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations. The lifetime values are ignored for manually established security associations (security associations installed using an ipsec-manual crypto map command entry).

The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).

A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.

Examples

This example shortens both lifetimes, because the administrator feels there is a higher risk that the keys could be compromised. The timed lifetime is shortened to 2,700 seconds (45 minutes), and the traffic-volume lifetime is shortened to 2,304,000 kilobytes (10 megabytes per second for one half hour).

crypto ipsec security-association lifetime seconds 2700
crypto ipsec security-association lifetime kilobytes 2304000

The following is sample output for the show crypto ipsec security-association lifetime command:

show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the preceding show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120

crypto ipsec transform-set

The crypto ipsec transform-set command defines a transform set. To delete a transform set, use the no crypto ipsec transform-set command. To view the configured transform sets, use the show crypto ipsec transform-set command.

A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peer's IPSec security associations.

When security associations are established manually, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using the crypto ipsec transform-set command.

To define a transform set, you specify one to three "transforms"—each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you could specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

Examples of acceptable transform combinations are as follows:

• ah-md5-hmac

• esp-des

• esp-des and esp-md5-hmac

• ah-sha-hmac and esp-des and esp-sha-hmac

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear [crypto] ipsec sa command.

For more information about transform sets, see "Transform Sets" within the "About IPSec."

Examples

This example defines one transform set (named "standard"), which will be used with an IPSec peer that supports the ESP protocol. Both an ESP encryption transform and an ESP authentication transform are specified in this example:

crypto ipsec transform-set standard esp-des esp-md5-hmac
 

The following is sample output for the show crypto ipsec transform-set command:

show crypto ipsec transform-set 
 
Transform set combined-des-sha: { esp-des esp-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set combined-des-md5: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t1: { esp-des esp-md5-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t100: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   
Transform set t2: { ah-sha-hmac } 
   will negotiate = { Tunnel, }, 
   { esp-des } 
   will negotiate = { Tunnel, },
 

The following configuration was in effect when the above show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des

clear [crypto] ipsec sa

The clear [crypto] ipsec sa command allows you to delete IPSec security associations. The keyword crypto is optional. If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. When IKE is used, the IPSec security associations are established only when needed.

If the security associations are manually established, the security associations are deleted.

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted. This command clears (deletes) IPSec security associations.

If the security associations were established via IKE, they are deleted and future IPSec traffic will require new security associations to be negotiated. (When IKE is used, the IPSec security associations are established only when needed.)

If the security associations are manually established, the security associations are deleted and reinstalled. (When IKE is not used, the IPSec security associations are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec security associations will be deleted.

The peer keyword deletes any IPSec security associations for the specified peer.

The map keyword deletes any IPSec security associations for the named crypto map set.

The entry keyword deletes the IPSec security association with the specified address, protocol, and SPI.

If any of the previous commands cause a particular security association to be deleted, all the "sibling" security associations—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each security association; it does not clear the security associations themselves.

If you make configuration changes that affect security associations, these changes will not apply to existing security associations but to negotiations for subsequent security associations. You can use the clear [crypto] ipsec sa command to restart all security associations so they will use the most current configuration settings. In the case of manually established security associations, if you make changes that affect security associations you must use the clear [crypto] ipsec sa command before the changes take effect.

---

Note   If you make significant changes to an IPSec configuration such as access-list or peers, the clear [crypto] ipsec sa command will not be enough to activate the new configuration. In such a case, rebind the crypto map to the interface with the crypto map interface command.

---

If the PIX Firewall is processing active IPSec traffic, Cisco recommends that you only clear the portion of the security association database that is affected by the changes to avoid causing active IPSec traffic to temporarily fail.

---

Note   The clear [crypto] ipsec sa command only clears IPSec security associations; to clear IKE security associations, use the clear [crypto] isakmp sa command.

---

Examples

The following example clears (and re initializes if appropriate) all IPSec security associations at the PIX Firewall:

clear crypto ipsec sa
 

The following example clears (and re initializes if appropriate) the inbound and outbound IPSec security associations established along with the security association established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto ipsec sa entry 10.0.0.1 AH 256

show crypto ipsec sa

The show crypto ipsec sa command allows you to view the settings used by current security associations. If no keyword is used, all security associations are displayed. They are sorted first by interface, and then by traffic flow (for example, source/destination address, mask, protocol, port). Within a flow, the security associations are listed by protocol (ESP/AH) and direction (inbound/outbound).

---

Note   While entering the show crypto ipsec sa command, if the screen display is stopped with the More prompt and the security association lifetime expires while the screen display is stopped, then the subsequent display information may refer to a stale security association. Assume that the security association lifetime values that display are invalid.

---

---

Note   Output of the show crypto ipsec sa command lists the PCP protocol. This is a compression protocol supplied with the Cisco IOS software code on which the PIX Firewall IPSec implementation is based; however, the PIX Firewall does not support the PCP protocol.

---

Examples

The following is a sample output for the show crypto ipsec sa command:

show crypto ipsec sa
 
interface: outside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
 
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
interface: inside
    Crypto map tag: firewall-alice, local addr. 172.21.114.123
          
   local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
   current_peer: 172.21.114.67
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
 
     local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
 
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: firewall-alice
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

crypto map

To create, modify, view or delete a crypto map entry. Also used to delete a crypto map set. (Configuration mode.)

Note   The PIX 506 does not support use of the crypto map map-name client authentication aaa-group-tag command. Also, only four ISAKMP peers can be specified for the PIX 506.

Syntax Description

map map-name	The name of the crypto map set.
aaa-server-name	The name of the AAA server that will authenticate the user during IKE authentication. The two AAA server options available are TACACS+ and RADIUS.
token	Indicate a token-based server for user authentication is used.
initiate	Indicate that the PIX Firewall will attempt to set IP addresses for each peer.
respond	Indicate that the PIX Firewall will accept requests for IP addresses from any requesting peer.
interface interface-name	Specify the identifying interface to be used by the PIX Firewall to identify itself to peers. If IKE is enabled, and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
tag map-name	(Optional) Show the crypto map set with the specified map-name.
seq-num	The number you assign to the crypto map entry.
ipsec-isakmp	Indicate that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
ipsec-manual	Indicate that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
dynamic	(Optional) Specify that this crypto map entry is to reference a pre-existing dynamic crypto map.
dynamic-map-name	(Optional) Specify the name of the dynamic crypto map set to be used as the policy template.
acl_name	Identify the named encryption access list. This name should match the name argument of the named encryption access list being matched.
match address	Specify an access list for a crypto map entry.
set peer	Specify an IPSec peer in a crypto map entry.
hostname	Specify a peer by its hostname. This is the peer's hostname concatenated with its domain name. For example, myhost.example.com.
ip-address	Specify a peer by its IP address.
set pfs	Specify that IPSec should ask for perfect forward secrecy (PFS). With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)
group1	Specify that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2	Specify that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
secondsseconds	Specify the number of seconds a security association will live before it expires. The default is 28,800 seconds (eight hours).
kilobytes kilobytes	Specify the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.
set session-key	Manually specify the IPSec session keys within a crypto map entry.
inbound	Set the inbound IPSec session key. (You must set both inbound and outbound keys.)
outbound	Set the outbound IPSec session key. (You must set both inbound and outbound keys.)
ah	Set the IPSec session key for the AH protocol. Specify ah when the crypto map entry's transform set includes an AH transform. AH protocol provides authentication via MD5-HMAC and SHA-HMAC.
spi	Specify the security parameter index (SPI), a number that is used to uniquely identify a security association. The SPI is an arbitrary number you assign in the range of 256 to 4,294,967,295 (FFFF FFFF). You can assign the same SPI to both directions and both protocols. However, not all peers have the same flexibility in SPI assignment. For a given destination address/protocol combination, unique SPI values must be used. The destination address is that of the PIX Firewall if inbound, the peer if outbound.
hex-key-string	Specify the session key; enter in hexadecimal format. This is an arbitrary hexadecimal string of 16, 32, or 40 digits. If the crypto map's transform set includes: DES algorithm, specify at least 16 hexadecimal digits per key. MD5 algorithm, specify at least 32 hexadecimal digits per key. SHA algorithm, specify 40 hexadecimal digits per key. Longer key sizes are simply hashed to the appropriate length.
esp	Set the IPSec session key for the ESP protocol. Specify esp when the crypto map entry's transform set includes an ESP transform. ESP protocol provides both authentication and/or confidentiality. Authentication is done via MD5-HMAC, SHA-HMAC and NULL. Confidentiality is done via DES, 3DES, and NULL.
cipher	Indicate that the key string to use with the ESP encryption transform.
authenticator	(Optional) Indicate that the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry's transform set includes an ESP authentication transform.
set transform-set	Specify which transform sets can be used with the crypto map entry.
transform-set-name	The name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.
transform1 transform2 transform3	Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.

Usage Guidelines

The sections that follow describe each crypto map command.

crypto map client authentication

The crypto map client authentication command enables the Extended Authentication (Xauth) feature, which allows you to prompt for a TACAC+/RADIUS username and password during IKE authentication. You must first have your basic AAA Server set up to be able to use this feature. This command tells the PIX Firewall during Phase 1 of IKE to use the Xauth (RADIUS/TACACS+) challenge to authenticate IKE. If the Xauth fails, the IPSec security association will not be established, and the IKE security association will be deleted. Use the no crypto map client authentication command to restore the default value. The Xauth feature is not enabled by default.

---

Note   Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

---

The crypto map client token authentication command enables the PIX Firewall to interoperate with a Cisco VPN 3000 Client that is set up to use a token-based server for user authentication. The keyword token tells the PIX Firewall that the AAA Server uses a token-card system and to prompt the user for username and password during IKE authentication. Use the no crypto map client token authentication command to restore the default value.

---

Note   The remote user must be running one of the following: Cisco Secure VPN Client, version 1.1 or later Cisco VPN 3000 Client, version 2.5 or later

---

Examples

The following example shows how the crypto map client authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication TACACS+ 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

The following example shows how the crypto map client token authentication command is used. This example sets up the IPSec rules for VPN encryption IPSec. The ip, nat, aaa-server command statements establish the context for the IPSec-related commands.

ip address inside 10.0.0.1 255.255.255.0
ip address outside 168.20.1.5 255.255.255.0
ip local pool dealer 10.1.2.1-10.1.2.254
nat (inside) 0 access-list 80
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.2 secret123
crypto ipsec transform-set pc esp-des esp-md5-hmac 
crypto dynamic-map cisco 4 set transform-set pc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client token authentication RADIUS
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 8 authentication pre-share 
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

crypto map client configuration address

Use the crypto map client configuration address command to configure IKE Mode Configuration on your PIX Firewall. The IKE Mode Configuration allows the PIX Firewall to download an IP address to the remote peer (client) as part of an IKE negotiation. With crypto map client configuration address command, you define the crypto map(s) that should attempt to configure the peer.

Use the no crypto map client configuration address command to restore the default value. The IKE Mode Configuration is not enabled by default.

The keyword initiate indicates that the PIX Firewall will attempt to set IP addresses for each peer. The respond keyword indicates that the PIX Firewall will accept requests for IP addresses from any requesting peer.

---

Note   If you use IKE Mode Configuration on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Configuration. Cisco IOS Release 12.06(T) and later, supports the IKE Mode Configuration.

---

See "Advanced Configurations," for more information about the IKE Mode Configuration.

Examples

The following examples configure IKE Mode Configuration on your PIX Firewall:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

crypto map interface

The crypto map interface command applies a previously defined crypto map set to an interface. Use the no crypto map interface command to remove the crypto map set from the interface. Use the show crypto map [interface | tag] to view the crypto map configuration.

Use this command to assign a crypto map set to any active PIX Firewall interface. The PIX Firewall supports IPSec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.

Note   The use of the crypto map interface command re-initializes the security association database causing any currently established security associations to be deleted.

Examples

The following example assigns the crypto map set "mymap" to the outside interface. When traffic passes through the outside interface, the traffic will be evaluated against all the crypto map entries in the "mymap" set. When outbound traffic matches an access list in one of the "mymap" crypto map entries, a security association (if IPSec) will be established per that crypto map entry's configuration (if no security association or connection already exists).

crypto map mymap interface outside
 

The following is sample output for the show crypto map command:

show crypto map
 
Crypto Map: "firewall-alice" pif: outside local address: 172.21.114.123
 
Crypto Map "firewall-alice" 10 ipsec-isakmp
        Peer = 172.21.114.67
        access-list 141 permit ip host 172.21.114.123 host 172.21.114.67
        Current peer: 172.21.114.67
        Security-association lifetime: 4608000 kilobytes/120 seconds
        PFS (Y/N): N
        Transform sets={ t1, }
 

The following configuration was in effect when the preceding show crypto map command was issued:

crypto map firewall-alice 10 ipsec-isakmp 
crypto map firewall-alice 10 set peer 172.21.114.67
crypto map firewall-alice 10 set transform-set t1 
crypto map firewall-alice 10 match address 141
 

The following is sample output for the show crypto map command when manually established security associations are used:

show crypto map
 
Crypto Map "multi-peer" 20 ipsec-manual
        Peer = 172.21.114.67
        access-list 120 permit ip host 1.1.1.1 host 1.1.1.2
        Current peer: 172.21.114.67
        Transform sets={ t2, }
        Inbound esp spi: 0, 
         cipher key: ,
         auth_key: ,
        Inbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
        Outbound esp spi: 0
         cipher key: ,
         auth key: , 
        Outbound ah spi: 256, 
            key: 010203040506070809010203040506070809010203040506070809,
 

The following configuration was in effect when the above show crypto map command was issued:

crypto map multi-peer 20 ipsec-manual 
crypto map multi-peer 20 set peer 172.21.114.67
crypto map multi-peer 20 set session-key inbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set session-key outbound ah 256
010203040506070809010203040506070809010203040506070809
crypto map multi-peer 20 set transform-set t2 
crypto map multi-peer 20 match address 120

crypto mapipsec-manual | ipsec-isakmp

To create or modify a crypto map entry, use the crypto map ipsec-manual | ipsec-isakmp command. To create or modify an ipsec-manual crypto map entry, use the ipsec-manual option of the command. To create or modify an ipsec-isakmp crypto map entry, use the ipsec-isakmp option of the command. Use the no crypto map command to delete a crypto map entry or set.

---

Note   The crypto map command without a keyword creates an ipsec-isakmp entry by default.

---

After you define crypto map entries, you can use the crypto map interface command to assign the crypto map set to interfaces.

Crypto maps provide two functions: filtering/classifying traffic to be protected, and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.

IPSec crypto maps link together definitions of the following:

• What traffic should be protected

• Which IPSec peer(s) the protected traffic can be forwarded to—these are the peers with which a security association can be established

• Which transform sets are acceptable for use with the protected traffic

• How keys and security associations should be used/managed (or what the keys are, if IKE is not used)

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations:

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap set transform-set my_t_set1
crypto map mymap set peer 10.0.0.1
 

The following example shows the minimum required crypto map configuration when the security associations are manually established:

crypto transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.5
crypto map mymap 10 set session-key inbound ah 256 98765432109876549876543210987654
crypto map mymap 10 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 256 cipher 0123456789012345
crypto map mymap 10 set session-key outbound esp 256 cipher abcdefabcdefabcd

crypto mapipsec-isakmp dynamic

To specify that a given crypto map entry is to reference a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command.

Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.

Give crypto map entries which reference dynamic map sets the lowest priority map entries so that inbound security association negotiation requests will try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.

To make a crypto map entry that references a dynamic crypto map to be set to the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.

For more information about dynamic maps, see "About IPSec."

Examples

The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.

Crypto map "mymap 10" allows security associations to be established between the PIX Firewall and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the peer for traffic matching access list 102.

Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound security association negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap" for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the peer.

The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap 10 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap

crypto mapmatch address

To assign an access list to a crypto map entry, use the crypto map match address command. Use the no crypto map match address command to remove the access list from a crypto map entry.

This command is required for all static crypto map entries. If you are defining a dynamic crypto map entry (with the crypto dynamic-map command), this command is not required but is strongly recommended.

Use the access-list command to define this access list.

The access list specified with this command will be used by IPSec to determine which traffic should be protected by IPSec crypto and which traffic does not need protection. (Traffic that is permitted by the access list will be protected. Traffic that is denied by the access list will not be protected in the context of the corresponding crypto map entry.)

---

Note   The crypto access list is not used to determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination.

---

The crypto access list specified by this command is used when evaluating both inbound and outbound traffic. Outbound traffic is evaluated against the crypto access lists specified by the interface's crypto map entries to determine if it should be protected by crypto, and if so (if traffic matches a permit entry), which crypto policy applies. (If necessary, in the case of static IPSec crypto maps, new security associations are established using the data flow identity as specified in the permit entry; in the case of dynamic crypto map entries, if no security association exists, the packet is dropped.) Inbound traffic is evaluated against the crypto access lists specified by the entries of the interface's crypto map set to determine if it should be protected by crypto and, if so, which crypto policy applies. (In the case of IPSec, unprotected traffic is discarded because it should have been protected by IPSec.)

The access list is also used to identify the flow for which the IPSec security associations are established. In the outbound case, the permit entry is used as the data flow identity (in general), while in the inbound case the data flow identity specified by the peer must be "permitted" by the crypto access list.

Examples

The following example shows the minimum required crypto map configuration when IKE will be used to establish the security associations. (This example is for a static crypto map.)

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1

crypto map set peer

Use the crypto mapset peer command to specify an IPSec peer in a crypto map entry. Use the no crypto mapset peer command to remove an IPSec peer from a crypto map entry.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

crypto map set pfs

The crypto mapset pfs command sets IPSec to ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations. To specify that IPSec should not request PFS, use the no crypto mapset pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer.

The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.

---

Note   IKE negotiations with a remote peer may hang when a PIX Firewall has numerous tunnels that originate from the PIX Firewall and terminate on a single remote peer. This problem occurs when PFS is not enabled, and the local peer requests many simultaneous rekey requests. If this problem occurs, the IKE security association will not recover until it has timed out or until you manually clear it with the clear [crypto] isakmp sa command. PIX Firewall units configured with many tunnels to many peers or many clients sharing the same tunnel are not affected by this problem. If your configuration is affected, enable PFS with the crypto map mapname seqnum set pfs command.

---

Examples

This example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2

crypto mapset security-association lifetime

To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec security associations, use the crypto map set security-association lifetime command. To reset a crypto map entry's lifetime value to the global value, use the no crypto map set security-association lifetime command.

For more information about lifetimes, see "About IPSec."

Examples

This example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2,700 seconds (45 minutes).

crypto map mymap 10 ipsec-isakmp
set security-association lifetime seconds 2700

crypto mapset session-key

To manually specify the IPSec session keys within a crypto map entry, use the crypto mapset session-key command. Use the no crypto mapset session-key command to remove IPSec session keys from a crypto map entry. This command is only available for ipsec-manual crypto map entries.

If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If the crypto map's transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.

When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment.

You may have to coordinate SPI assignment with the peer's network administrator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.

crypto ipsec transform-set t_set ah-sha-hmac
crypto map mymap 20 ipsec-manual
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set t_set
crypto map mymap 20 set peer 10.0.0.21
crypto map mymap 20 set session-key inbound ah 300 1111111111111111111111111111111111111111
crypto map mymap 20 set session-key outbound ah 300 2222222222222222222222222222222222222222
 

crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-manual
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set someset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set session-key inbound ah 300 9876543210987654321098765432109876543210
crypto map mymap 10 set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedc
crypto map mymap 10 set session-key inbound esp 300 cipher 0123456789012345
    authenticator 0000111122223333444455556666777788889999
crypto map mymap 10 set session-key outbound esp 300 cipher abcdefabcdefabcd
    authenticator 9999888877776666555544443333222211110000

crypto mapset transform-set

To specify which transform sets can be used with the crypto map entry, use the crypto mapset transform-set command. Use the no crypto mapset transform-set command to remove all transform sets from a crypto map entry.

crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1 my_t_set2
crypto map mymap set peer 10.0.0.1 10.0.0.2
 

debug

Debug packets or ICMP tracings through the PIX Firewall. (Configuration mode.)

Syntax Description

crypto ca	Display information about CA (certification authority) traffic.
level	The level of debugging feedback. The higher the level number, the more information is displayed. The default level is 1. The levels correspond to these events: Level 1: Interesting events Level 2: Normative and interesting events Level 3: Diminutive, normative, and interesting events Refer to the "Examples" section at the end of this command page for an example of how the debugging level appears with the show debug command.
crypto ipsec	Display information about IPSec traffic.
crypto isakmp	Display information about IKE traffic.
dhcpd event	Display event information associated with the DHCP server.
dhcpd packet	Display packet information associated with the DHCP server.

Usage Guidelines

The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.

The debug crypto ipsec, debug crypto isakmp, and debug crypto ca commands let you debug IPSec connections. Use the no form of the command to disable debugging.

The debug dhcpd event command displays event information about the DHCP server. The debug dhcpd packet command displays packet information about the DHCP server. Use the no form of the debug dhcpd commands to disable debugging.

Use of the debug commands can slow down busy networks.

The debug commands are shared between all Telnet and serial console sessions.

Additional debug Command Information

---

Note   When creating your digital certificates, use the debug crypto ca command to ensure that the certificate is created correctly. Important error messages only display when the debug crypto ca command is enabled. For example, if you enter an Entrust fingerprint value incorrectly, the only warning message that indicates the value is incorrect appears in the debug crypto ca command output.

---

---

Note   Output from the debug crypto ipsec and debug crypto isakmp commands does not display in a Telnet console session.

---

Examples

The following is sample output from the show debug command:

show debug
debug ppp error
debug vpdn event
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto ca 1
debug icmp trace
debug packet outside both
debug sqlnet

The trailing 1 at the end of the debug crypto commands is the debugging level, which is described in the "Syntax Description" section at the start of this command page.

domain-name

Change the IPSec domain name. (Configuration mode.)

Syntax Description

name	A domain name.

Usage Guidelines

The domain-name command lets you change the IPSec domain name.

Note   The change of the domain name causes the change of the fully qualified domain name. Once the fully qualified domain name is changed, delete the RSA key pairs using the ca zeroize rsa command and delete related certificates using the no ca identity ca_nickname command.

Examples

The following example shows use of the domain-name command:

domain-name example.com

dynamic-map

Create, view, or delete a dynamic crypto map entry. (Configuration mode.)

Usage Guidelines

The clear dynamic-map command removes dynamic-map commands from the configuration. The show dynamic-map command lists the dynamic-map commands in the configuration.

Note   The dynamic-map command is the same as the crypto dynamic-map command. Refer to the crypto dynamic-map command page for more information and for other command options.

ip local pool

Identify addresses for a local pool to be used for dynamic assignment to remove VPN Clients. (Configuration mode)

Syntax Description

pool_name	Local pool name.
pool_start_address pool_end_address	Local pool IP address range.
ip_address [-ip_address]	Local pool IP address range.

Usage Guidelines

The ip local pool command lets you create a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN Clients. The address range of this pool of local addresses must not overlap with any command statement that lets you specify an IP address. To delete an address pool, use the no ip local pool command. Use the show ip local pool command to view usage information about the pool of local addresses.

When a pool of addresses set by the ip local pool command is empty, the following syslog message appears:

%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool poolname

To reference this pool of local addresses, use the isakmp client configuration address-pool command. See the isakmp command page for more information.

Examples

The following example creates a pool of IP addresses and then displays the pool contents:

ip local pool mypool 10.0.0.10-10.0.0.20
show ip local pool mypool
 
PoolBeginEndFreeIn use
mypool10.0.0.1010.0.0.20110
 
Available Addresses:
10.0.0.10
10.0.0.11
10.0.0.12
10.0.0.13
10.0.0.14
10.0.0.15
10.0.0.16
10.0.0.17
10.0.0.18
10.0.0.19
10.0.0.20

ipsec

The ipsec command is a shortened form of the crypto ipsec command. (Configuration mode.)

Usage Guidelines

The clear ipsec command removes all ipsec commands from the configuration. The show ipsec command lists all the ipsec commands in the configuration.

Note   See the crypto ipsec command page for information on all other command options and examples.

isakmp

Negotiate IPSec security associations and enable IPSec secure communications.
(Configuration mode.)

Syntax Description

pool-name	Specify the name of a local address pool to allocate the dynamic client IP.
interface-name	The name of the interface on which to enable ISAKMP negotiation.
peer-address	Specify the IP address of the IPSec peer.
peer-hostname	Specify the host name of the IPSec peer.
key keystring	Specify the authentication pre-shared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers.
address peer-address	Specify the IPSec peer's IP address for the pre-shared key.
netmask mask	(Optional) The netmask of 0.0.0.0. can be entered as a wildcard indicating the key could be used for any peer that does not have a key associated with its specific IP address.
no-xauth	This is only to be used if you enabled the Xauth feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the Xauth feature enabled by the crypto map client authentication command.
no-config-mode	This is only to be used if you enabled the IKE Mode Configuration feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the IKE Mode Configuration feature enabled by the crypto map client configuration address command.
fqdn fqdn	The fully qualified domain name of the peer. This is used to identify a peer that is a security gateway.
policy priority	Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.
authentication pre-share	Specify pre-shared keys as the authentication method.
authentication rsa-sig	Specify RSA signatures as the authentication method. RSA signatures provide non-repudiation for the IKE negotiation. This basically means you can prove to a third party whether you had an IKE negotiation with the peer.
encryption des	Specify 56-bit DES-CBC as the encryption algorithm to be used in the IKE policy.
encryption 3des	Specify that the Triple DES encryption algorithm is to be used in the IKE policy.
group 1	Specify that the 768-bit Diffie-Hellman group is to be used in the IKE policy. This is the default value.
group 2	Specify that the 1024-bit Diffie-Hellman group is to be used in the IKE policy.
hash md5	Specify MD5 (HMAC variant) as the hash algorithm to be used in the IKE policy.
hash sha	Specify SHA-1 (HMAC variant) as the hash algorithm to be used in the IKE policy. This is the default hash algorithm.
lifetime seconds	Specify how many seconds each security association should exist before expiring. Use an integer from 60 to 86,400 seconds (one day).

Usage Guidelines

The sections that follow describe each isakmp command.

isakmp client configuration address-pool local

The isakmp client configuration address-pool local command is used to configure the IP address local pool to reference IKE. Use the no crypto isakmp client configuration address-pool local command to restore to the default value.

Before using this command, use the ip local pool command to define a pool of local addresses to be assigned to a remote IPSec peer.

Examples

The following example references IP address local pools to IKE with "mypool" as the pool-name:

isakmp client configuration address-pool local mypool outside

isakmp enable

The isakmp enable command is used to enable ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Firewall. ISAKMP is enabled by default. Use the no isakmp enable command to disable IKE.

Examples

The following example shows how to disable IKE on the inside interface:

no isakmp enable inside

isakmp identity address | hostname

To define the ISAKMP identity the PIX Firewall uses when participating in the IKE protocol, use the isakmp identity address | hostname command. Use no isakmp identity address | hostname command to reset the ISAKMP identity to the default value of IP address.

When two peers use IKE to establish IPSec security associations, each peer sends its ISAKMP identity to the remote peer. It will send either its IP address or hostname depending on how each has its ISAKMP identity set. By default, the PIX Firewall unit's ISAKMP identity is set to the IP address. As a general rule, set the PIX Firewall and its peer's identities in the same way to avoid an IKE negotiation failure. This failure could be due to either the PIX Firewall or its peer not recognizing its peer's identity.

Note   If you are using RSA signatures as your authentication method in your IKE policies, Cisco recommends you set each participating peer's identity to host name. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.

The following example uses pre-shared keys between the two PIX Firewall units (PIX Firewall 1 and PIX Firewall 2) that are peers and sets both their ISAKMP identities to host name.

At the PIX Firewall 1, the ISAKMP identity is set to host name:

isakmp identity hostname
 

At the PIX Firewall 2, the ISAKMP identity is set to hostname:

isakmp identity hostname

isakmp key address

To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to delete a pre-shared authentication key and its associated IPSec peer address.

You would configure the pre-shared key at both peers whenever you specify pre-shared key in an IKE policy. Otherwise the policy cannot be used because it will not be submitted for matching by the IKE process.

A netmask of 0.0.0.0. can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.

Note   The PIX Firewall or any IPSec peer can use the same authentication key with multiple peers, but this is not as secure as using a unique authentication key between each pair of peers.

Note   Configure a pre-shared key associated with a given security gateway to be distinct from a wildcard, pre-shared key (pre-shared key plus a netmask of 0.0.0.0) used to identify and authenticate the remote VPN Clients.

The no-xauth or no-config-mode command options are to be used only if the following criteria are met:

• You are using the pre-shared key authentication method within your IKE policy.

• The security gateway and VPN Client peers terminate on the same interface.

• The Xauth or IKE Mode Configuration feature is enabled for VPN Client peers.

The isakmp key keystring address ip-address [no-xauth] [no-config-mode] command allows you to configure a pre-shared authentication key, associate the key with a given security gateway's address, and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.

Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN Clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.

If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.

Use the no key keystring address ip-address [no-xauth] [no-config-mode] command to disable the key keystring address ip-address [no-xauth] [no-config-mode] command that you previously enabled.

See the crypto map client authentication command within the crypto map command page in this chapter for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page in this chapter for more information about the IKE Mode Config feature.

Examples

The following example shows "sharedkeystring" as the authentication key to share between the PIX Firewall and its peer specified by an IP address of 10.1.0.0:

isakmp key sharedkeystring address 10.1.0.0
 

The following example shows use of a wildcard, pre-shared key. The "sharedkeystring" is the authentication key to share between the PIX Firewall and its peer (in this case a VPN Client) specified by an IP address of 0.0.0.0. and a netmask of 0.0.0.0.

isakmp key sharedkeystring address 0.0.0.0 netmask 0.0.0.0
 

The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN Clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. The example shows each security gateway peer has a unique pre-shared key to share with the PIX Firewall. The peers' IP addresses are 10.1.1.1, 10.1.1.2, 10.1.1.3, and the netmask of 255.255.255.255 is specified.

isakmp key secretkey1234 address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey4567 address 10.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key secretkey7890 address 10.1.1.3 netmask 255.255.255.255 no-xauth no-config-mode

isakmp peer fqdn no-xauth | no-config-mode

The isakmp peer fqdn fqdn no-xauth | no-config-mode command is to be used only if the following criteria are met:

• You are using the RSA signatures authentication method within your IKE policy.

• The security gateway and VPN Client peers terminate on the same interface.

• The Xauth or IKE Mode Configuration feature is enabled for VPN Client peers.

The isakmp peer fqdn fqdn no-xauth | no-config-mode command allows you identify a peer that is a security gateway and make an exception to the enabled Xauth feature, IKE Mode Configuration feature, or both (the most common case) for this peer.

Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN Clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration feature enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.

If you have the no-xauth command option configured, the PIX Firewall will not challenge the peer for a username and password. Similarly, if you have the no-config-mode command option configured, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment.

Note   If you are using RSA signatures as your authentication method in your IKE policies, Cisco recommends you set each participating peer's identity to hostname using the isakmp identity hostname command. Otherwise, the ISAKMP security association to be established during Phase 1 of IKE may fail.

Use the no isakmp peer fqdn fqdn no-xauth | no-config-mode command to disable the isakmp peer fqdn fqdn no-xauth | no-config-mode command that you previously enabled.

See the crypto map client authentication within the crypto map command page in this chapter for more information about the Xauth feature. See the crypto map client configuration address command within the crypto map command page in this chapter for more information about the IKE Mode Config feature.

Examples

The following example shows use of the command options no-xauth and no-config-mode in relation to three PIX Firewall peers that are security gateways. These security gateways terminate IPSec on the same interface as the VPN Clients. Both the Xauth and IKE Mode Config features are enabled. This means there is a need to make an exception to these two features for each security gateway. Each security gateway peer's fully qualified domain name is specified.

isakmp peer fqdn hostname1.example.com no-xauth no-config-mode
isakmp peer fqdn hostname2.example.com no-xauth no-config-mode
isakmp peer fqdn hostname3.example.com no-xauth no-config-mode

isakmp policy authentication

The isakmp policy authentication command allows you to specify the authentication method within an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

If you specify RSA signatures, you must configure the PIX Firewall and its peer to obtain certificates from a CA. If you specify pre-shared keys, you must separately configure these pre-shared keys within the PIX Firewall and its peer.

Use the no isakmp policy authentication command to reset the authentication method to the default value of RSA signatures.

Examples

The following example shows use of the isakmp policy authentication command. This example sets the authentication method of rsa-signatures to be used within the IKE policy with the priority number of 40.

isakmp policy 40 authentication rsa-sig

isakmp policy encryption

To specify the encryption algorithm within an IKE policy, use the isakmp policy encryption command. IKE policies define a set of parameters to be used during IKE negotiation.

DES and 3DES are the two encryption algorithm options available.

Use the no isakmp policy encryption command to reset the encryption algorithm to the default value, which is des.

Examples

The following example shows use of the isakmp policy encryption command. This example sets the Triple DES algorithm to be used within the IKE policy with the priority number of 40.

isakmp policy 40 encryption 3des

isakmp policy group

Use the isakmp policy group command to specify the Diffie-Hellman group to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

There are two group options: 768-bit or 1024-bit. The 1024-bit Diffie Hellman provides stronger security, but it requires more CPU time to execute.

Use the no isakmp policy group command to reset the Diffie-Hellman group identifier to the default value of group 1, 768-bit Diffie Hellman.

Examples

The following example shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.

isakmp policy 40 group2

isakmp policy hash

Use the isakmp policy hash command to specify the hash algorithm to be used in an IKE policy. IKE policies define a set of parameters to be used during IKE negotiation.

There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.

To reset the hash algorithm to the default value of SHA-1, use the no isakmp policy hash command.

Examples

The following example shows use of the isakmp policy hash command. This example sets the MD5 hash algorithm to be used within the IKE policy with the priority number of 40.

isakmp policy 40 hash md5

isakmp policy lifetime

To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command. Use the no isakmp policy lifetime command to reset the security association lifetime to the default value of 86,400 seconds (one day).

When IKE begins negotiations, it looks to agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by a security association at each peer. The security association is retained by each peer until the security association's lifetime expires. Before a security association expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec security associations. New security associations are negotiated before current security associations expire.

To save setup time for IPSec, configure a longer IKE security association lifetime. However, the shorter the lifetime (up to a point), the more secure the IKE negotiation is likely to be.

---

Note   When PIX Firewall initiates an IKE negotiation between itself and an IPSec peer, an IKE policy can be selected only if the lifetime of the peer's policy is shorter than or equal to the lifetime of its policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected.

---

Examples

The following example shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.

isakmp policy 40 lifetime 50400

show isakmp policy

To view the parameters for each IKE policy including the default parameters, use the show isakmp policy command.

Examples

The following is sample output from the show isakmp policy command after two IKE policies were configured (with priorities 70 and 90 respectively):

show isakmp policy
 
Protection suite priority 70
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#2 (1024 bit)
lifetime:5000 seconds, no volume limit
Protection suite priority 90
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method:Pre-Shared Key
Diffie-Hellman group:#1 (768 bit)
lifetime:10000 seconds, no volume limit
Default protection suite
encryption algorithm:DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method:Rivest-Shamir-Adleman Signature
Diffie-Hellman group:#1 (768 bit)
lifetime:86400 seconds, no volume limit

---

Note   Although the output shows "no volume limit" for the lifetimes, you can currently only configure a time lifetime (such as 86,400 seconds); volume limit lifetimes are not currently configurable.

---

show isakmp sa

To view all current IKE security associations between the PIX Firewall and its peer, use the show isakmp sa command.

Examples

The following is sample output from the show isakmp sa command after IKE negotiations were successfully completed between the PIX Firewall and its peer:

show isakmp sa
        dst            src         state     pending    created 
    16.132.40.2    16.132.30.2    QM_IDLE        0           1 

clear isakmp

The clear isakmp command removes all isakmp command statements from the configuration.

clear [crypto] isakmp sa

The clear [crypto] isakmp sa command deletes active IKE security associations. The keyword crypto is optional.

sysopt

Change PIX Firewall system options. (Configuration mode.)

Syntax Description

connection permit-ipsec	Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
ipsec pl-compatible	Enable IPSec packets to bypass the PIX Firewall unit's NAT and ASA features and allows incoming IPSec packets to terminate on the inside interface.
uauth allow-http-cache	Allows the web browser to supply a username and password from its cache for aaa authentication.

Usage Guidelines

The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature.

sysopt connection permit-ipsec

Use the sysopt connection permit-ipsec command in IPSec configurations to permit IPSec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements.

An access-list or conduit command statement must be available for inbound sessions.

By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPSec protected traffic, the secondary access list check could be redundant. To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.

The no sysopt connection permit-ipsec command disables the option.

---

Note   If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command will take precedence.

---

---

Note   If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.

---

Examples

The following is a minimal IPSec configuration to enable a session to be connected from host 172.21.100.123 to host 172.21.200.67 across an IPSec tunnel that terminates from peer 209.165.201.1 to peer 201.165.200.225.

With sysopt connection permit-ipsec and access-list command statements:

On peer 209.165.201.1:

static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside
 

On peer 201.165.200.225:

static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1 
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside
 

With sysopt connection permit-ipsec and without conduit command statements:

On peer 209.165.201.1:

static 172.21.100.123 172.21.100.123
access-list 10 permit ip host 172.21.200.67 host 172.21.100.123
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1
crypto map mymap 10 set peer 172.21.200.1
crypto map mymap interface outside
sysopt connection permit-ipsec
 

On peer 201.165.200.225:

static 172.21.200.67 172.21.200.67
access-list 10 permit ip host 172.21.100.123 host 172.21.200.67
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 10
crypto map mymap 10 set transform-set t1 
crypto map mymap 10 set peer 172.21.100.1
crypto map mymap interface outside
sysopt connection permit-ipsec

sysopt ipsec pl-compatible

Note   The sysopt ipsec pl-compatible command provides a migration path for Private Link users from Private Link tunnels to IPSec tunnels.

---

The sysopt ipsec pl-compatible command enables the IPSec feature to simulate the Private Link feature supported in PIX Firewall version 4. The Private Link feature provides encrypted tunnels to be established across an unsecured network between Private-Link equipped PIX Firewall units. The sysopt ipsec pl-compatible command allows IPSec packets to bypass the NAT and ASA features and enables incoming IPSec packets to terminate on the sending interface.

The no sysopt ipsec pl-compatible command disables the option, which is off by default.

---

Note   When using the sysopt ipsec pl-compatible command, all PIX Firewall features, such as access list control, stateful inspection, and user authentication, are bypassed for IPSec packets only.

---

---

Note   If both the sysopt ipsec pl-compatible command and the sysopt connection permit-ipsec command are used within your configuration, the sysopt ipsec pl-compatible command will take precedence.

---

---

Note   If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.

---

Examples

For an example of the use of the sysopt ipsec pl-compatible command, see the "Converting Private Link to IPSec" section in "Advanced Configurations."

sysopt uauth allow-http-cache

The sysopt uauth allow http-cache command allows the web browser to supply a username and password from its cache for AAA authentication. If the sysopt uauth allow http-cache command is not enabled, then the default behavior of the PIX Firewall is to require the web browser to prompt the user each time the uauth timer expires.

sysopt uauth allow-http-cache

vpngroup

This implements support for the Cisco VPN 3000 Client. (Configuration mode.)

vpngroup group_name address-pool ip pool name

no vpngroup group_name address-pool ip pool name

vpngroup group_name default-domain domain_name

no vpngroup group_name default-domain domain_name

vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]

no vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]

vpngroup group_name idle-time idle_seconds

no vpngroup group_name idle-time idle_seconds

vpngroup group_name max-time max_seconds

no vpngroup group_name max-time max_seconds

vpngroup group_name password preshared_key

no vpngroup group_name password preshared_key

vpngroup group_name split-tunnel acl_name

no vpngroup group_name split-tunnel acl_name

vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

no vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

Syntax Description

group_name	The Policy VPN group name. A VPN group name of "default" can be configured to create a VPN group policy that matches any group name.
pool_name	The IP address pool name.
dns_ip_prim	The IP address of the primary DNS server.
dns_ip_sec	The IP address of the secondary DNS server.
wins_ip_prim	The IP address of the primary WINS server.
wins_ip_sec	The IP address of the secondary WINS server.
domain_name	The default domain name.
acl_name	The name of the access-list to which to bind split-tunneling.
idle_seconds	The inactivity timeout in seconds. The default is 1800 seconds or 30 minutes.
max_seconds	The maximum connection time in seconds the VPN group is allowed. The default maximum connection time is set to unlimited.
preshared_key	The VPN group pre-shared key.

Usage Guidelines

---

Note   Be sure to configure the IKE Mode Config prior to configuring support for the Cisco VPN 3000 Client. In configuring IKE Mode Config, specify that the PIX Firewall initiates the IKE Mode Config. See "Configuring IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" within "Advanced Configurations."

---

---

Note   For additional information about configuring interoperability with the Cisco VPN 3000 Client using the vpngroup commands, see "VPN Client Configuration Examples."

---

---

Note   The Cisco VPN 3000 Client does not support Windows 2000.

---

The vpngroup command set allows you to configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 Client(s) that are part of the given group. The same VPN group name is configured in the Cisco VPN 3000 Client to ensure the matching of VPN Client policy.

Configure a VPN group name of "default" to create a VPN group policy that matches any group name. The PIX Firewall selects the VPN group name "default," if there is no other policy match.

The vpngroup address-pool command lets you define a pool of local addresses to be assigned to a VPN group.

---

Note   Both the vpngroup address-pool command and the ip local pool command enable you to specify a pool of local addresses to be used for assigning dynamic ip addresses to remote VPN Clients. In the case of the Cisco VPN 3000 Client, the specified pool of addresses is associated with a given group, which consists of Cisco VPN 3000 Client users. Cisco recommends using the vpngroup address-pool command only if you will configure more than one pool of addresses to be used by more than one VPN user group. The vpngroup address-pool command gives the PIX Firewall added flexibility to configure different pools of local addresses for different user groups.

---

The vpngroup dns-server command enables the PIX Firewall to download an IP address of a DNS server to a Cisco VPN 3000 Client as part of an IKE negotiation.

The vpngroup wins-server command allows the PIX Firewall to download an IP address of a WINS server to a Cisco VPN 3000 Client as part of an IKE negotiation.

To enable the PIX Firewall to download a default domain name to a Cisco VPN 3000 Client as part of IKE negotiation, use the vpngroup default-domain command.

Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. Using the vpngroup split-tunnel command, specify the access-list name to which to associate the split tunnelling of traffic. With split tunnelling enabled, the PIX Firewall downloads its local network IP address and netmask specified within the associated access-list to the VPN Client as part of the policy push to the client. In turn, the VPN Client sends the traffic destined to the specified local PIX Firewall network via an IPSec tunnel and all other traffic in the clear. The PIX Firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.

---

Note   If you do not enable split tunneling, all traffic between the VPN Client and the PIX Firewall is sent through an IPSec tunnel. All traffic originating from the VPN Client is sent to the PIX Firewall's outside interface through a tunnel, and the client's access to the Internet from its remote site is denied.

---

---

Note   Regardless of whether split tunneling is enabled, the VPN Client negotiates an IPSec tunnel to the PIX Firewall unit's IP address with a netmask of 255.255.255.255.

---

---

Note   Networks defined in access-list deny command statements are not pushed to the VPN Client.

---

The vpngroup idle-time command sets the inactivity timeout for a Cisco VPN 3000 Client. When the inactivity timeout for all IPSec SAs have expired for a given VPN Client, the tunnel is terminated. The default inactivity timeout is 30 minutes.

The vpngroup max-time command sets the maximum connection time for a Cisco VPN 3000 Client. When the maximum connection time is reached for a given VPN Client, the tunnel is terminated. This means the connection between the Cisco VPN 3000 Client and the PIX Firewall will have to be reestablished. The default maximum connection time is set to an unlimited amount of time.

---

Note   The inactivity timeout specified with the vpngroup idle-time command and maximum connection time specified with the vpngroup max-time command for a given Cisco VPN 3000 Client take precedence over the commands used to set global lifetime timeouts. These commands are the isakmp policy lifetime and crypto map set security-association lifetime seconds commands.

---

Configure the VPN group's pre-shared key employing the vpngroup password command to be used during IKE authentication. This pre-shared key is equivalent to the password that you enter within the Group Password field of the Cisco VPN 3000 Client while configuring your group access information for a connection entry.

The PIX Firewall configured password displays in asterisks within the file configuration.

---

Note   Both the vpngroup password command and the isakmp key address command allow you to specify a pre-shared key to be used for IKE authentication. Cisco recommends using the vpngroup password command only if you plan to configure more than one VPN user group. The vpngroup password command gives the PIX Firewall added flexibility to configure different VPN user groups.

---

Examples

The following example show use of the vpngroup commands. The VPN Client(s) within the VPN group named as "myVpnGroup" will be dynamically assigned one of the IP addresses from the pool of addresses ranging from 10.140.40.0 to 10.140.40.7. The policy attributes for the group "myVpnGroup" will be downloaded to a given VPN Client during the policy push to the client. Split tunnelling is enabled. In the example, all traffic destined for the 10.130.38.0 255.255.255.0 PIX Firewall network from the VPN Client will be IPSec protected.

access-list 90 permit ip 10.130.38.0 255.255.255.0 10.140.40.0 255.255.255.248
 
ip local pool vpnpool 10.140.40.1-10.140.40.7
 
crypto ipsec transform-set esp-sha esp-null esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set esp-sha
crypto map mapName 10 ipsec-isakmp dynamic dynmap
crypto map mapName client configuration address initiate
crypto map mapName interface outside
 
isakmp enable outside
isakmp identity hostname
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 1
 
vpngroup myVpnGroup address-pool vpnpool
vpngroup myVpnGroup dns-server 10.131.31.11
vpngroup myVpnGroup wins-server 10.131.31.11
vpngroup myVpnGroup default-domain example.com
vpngroup myVpnGroup split-tunnel 90
vpngroup myVpnGroup idle-time 1800
vpngroup myVpnGroup max-time 86400
vpngroup myVpnGroup password ********

Posted: Thu Aug 31 19:39:59 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.