Cisco ASA Configuration
The optional set phase1-mode parameter specifies what mode should be used (aggressive or main) during ISAKMP Phase 1 when building the management connection to the peer. If you don't configure this value, main mode is used if certificates are used for authentication, and aggressive mode is used if pre-shared keys are used. The optional set trustpoint parameter specifies the name of the CA trustpoint, and thus the identity certificate, to use if certificates are used during Phase 1 for authentication. Starting in version 7.0, the preferred method is to configure this within a tunnel group.

Optionally, you can change the lifetimes for the data connections associated with this peer by configuring the set security-association parameter. The defaults are based on the configuration of the global timeout commands configured with the crypto ipsec security-association lifetime command, discussed earlier. The connection type, defined by the set connection-type parameter, allows you to control who initiates the tunnel; the default is bi-directional, where either peer can bring up the tunnel. The answer-only parameter forces the remote peer to establish the tunnel, and originate-only forces the local appliance to establish the tunnel.

NOTE If you change the parameters in a crypto map entry, the changes don't affect any existing data SAs; you must tear down the existing ones (or wait till they expire) before the changes take effect.
Crypto Map Activation
Once you have created your crypto map and its entries, you need to apply the crypto map to an interface on the appliance. This is accomplished with the crypto map interface command:

    ciscoasa(config)# crypto map map_name interface logical_if_name
Typically the crypto map will be applied to the interface connected to the public network, like the outside interface. Once you apply the crypto map, the appliance will begin building tunnels and processing IPSec traffic. Also, you can only apply one crypto map to an interface. To view your crypto map commands, use the show run crypto map command.

NOTE Tunnels will not be built until traffic needs to be sent to a remote site that matches a crypto ACL associated with a crypto map entry.

SITE-TO-SITE VERIFICATION
Once you've configured your Phase 1 and Phase 2 commands, and traffic matches a crypto ACL entry destined for the remote peer, a tunnel is built, barring any misconfiguration or other issues. This section will show you how to view, tear down, and troubleshoot your IPSec connections. Please note that these commands apply to all IPSec connections: L2L and remote access.

16: IPSec Site-to-Site

TIP One common entry to include in a crypto ACL is ICMP traffic associated with the two peers. This way, performing a ping from one of the peers will attempt to bring the tunnel up.

Viewing and Clearing Connections
This section discusses how to view and tear down the Phase 1 management and Phase 2 data connections.
ISAKMP Phase 1: Management Connections
To view the Phase 1 management connections that you have established to remote peers, use the show crypto isakmp sa command:

    ciscoasa# show [crypto] isakmp sa [detail]

Here is an example of viewing the management connections:

    ciscoasa# show crypto isakmp sa
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 1921140
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

The State should be MM_ACTIVE (main mode) or AG_ACTIVE (aggressive mode) if the management connection is successfully built. To tear down management connections, use the clear crypto isakmp sa command:

    ciscoasa# clear [crypto] isakmp sa
ISAKMP Phase 2: Data Connections
To view all the IPSec data SAs that you have established to peers, use the show crypto ipsec sa command:

    ciscoasa# show crypto ipsec sa [entry | identity | map map_name | peer peer_IP_addr] [detail]

Here's an example of the use of this command:

    ciscoasa# show crypto ipsec sa
    interface: outside
        Crypto map tag: mymap, local addr: 19211100

          local ident (addr/mask/prot/port): (19216820/2552552550/0/0)
          remote ident (addr/mask/prot/port): (19216800/2552552550/0/0)
          current_peer: 1921140

          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt: 19211100, remote crypto endpt: 1921140

          path mtu 1500, ipsec overhead 76, media mtu 1500
          current outbound spi: 2ED644AD

        inbound esp sas:
          spi: 0x76DFE868 (1994385512)
             transform: esp-aes esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: mymap
             sa timing: remaining key lifetime (kB/sec): (4274999/3586)
             IV size: 16 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x2ED644AD (785794221)
             transform: esp-aes esp-sha-hmac
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1, crypto-map: mymap
             sa timing: remaining key lifetime (kB/sec): (4274999/3584)
             IV size: 16 bytes
             replay detection support: Y

Every time you execute this command, if you see pkts information incrementing, then you have traffic traversing the tunnel. At the bottom, you see two sections: inbound and outbound esp sas. These are the two data connections built during Phase 2. To tear down the data SA(s), use the clear crypto ipsec sa command:

    ciscoasa# clear [crypto] ipsec sa [counters | entry {hostname | ip_address} {esp spi | map map_name | peer {hostname | ip_address}]
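The counter check described above (run show crypto ipsec sa twice and see whether the pkts values move) can be scripted. This is an added example, not part of the original text: the function names, the status labels and the two trimmed captures with documentation-range peer addresses are constructed for illustration.

```python
import re

# Constructed sample input: two trimmed "show crypto ipsec sa" captures taken
# some seconds apart. Peer addresses are documentation-range placeholders.
SAMPLE = """\
interface: outside
    Crypto map tag: mymap, local addr: 198.51.100.1
      current_peer: 203.0.113.40
      #pkts encaps: {a_enc}, #pkts encrypt: {a_enc}, #pkts digest: {a_enc}
      #pkts decaps: {a_dec}, #pkts decrypt: {a_dec}, #pkts verify: {a_dec}
      #send errors: 0, #recv errors: 0
    Crypto map tag: mymap, local addr: 198.51.100.1
      current_peer: 203.0.113.77
      #pkts encaps: {b_enc}, #pkts encrypt: {b_enc}, #pkts digest: {b_enc}
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
FIRST = SAMPLE.format(a_enc=4, a_dec=4, b_enc=10)
SECOND = SAMPLE.format(a_enc=19, a_dec=12, b_enc=25)

COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")

def parse_ipsec_sa(text):
    """Return {peer: {counter: total}}, summing all SA entries per peer."""
    peers, current = {}, None
    for line in text.splitlines():
        peer = re.search(r"current_peer: ([^\s,]+)", line)
        if peer:
            current = peers.setdefault(peer.group(1), {})
        elif current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = current.get(name, 0) + int(value)
    return peers

def tunnel_activity(before, after):
    """Classify each peer by which counters moved between two captures."""
    old, report = parse_ipsec_sa(before), {}
    for peer, now in parse_ipsec_sa(after).items():
        delta = {k: v - old.get(peer, {}).get(k, 0) for k, v in now.items()}
        out, inn = delta.get("pkts encaps", 0), delta.get("pkts decaps", 0)
        if min(delta.values(), default=0) < 0:
            status = "counters-reset"   # SA cleared or rebuilt between captures
        elif out and inn:
            status = "both-directions"
        elif out or inn:
            status = "outbound-only" if out else "inbound-only"
        else:
            status = "idle"
        report[peer] = (status, delta)
    return report

if __name__ == "__main__":
    for peer, (status, delta) in tunnel_activity(FIRST, SECOND).items():
        print(peer, status, delta)
```

A peer whose encaps counter climbs while decaps stays flat is sending protected traffic but receiving none back, which is worth checking against the remote side's crypto ACL and routing.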