Firewall commands - crypto dynamic-map
Create, view, or delete a dynamic crypto map entry. (Configuration mode.)
[no] crypto dynamic-map dynamic-map-name dynamic-seq-num crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name crypto dynamic-map dynamic-map-name dynamic-seq-num set peer hostname | ip-address crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2] crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime seconds seconds | kilobytes kilobytes crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [ transform-set-name] clear [crypto] dynamic-map [dynamic-map-name] [dynamic-seq-num] show crypto dynamic-map [tag dynamic-map-name]
Syntax Description
dynamic-map-name Specify the name of the dynamic crypto map set. dynamic-seq-num Specify the sequence number that corresponds to the dynamic crypto map entry. subcommand Various subcommands (match address, set transform-set, and so on). tag map-name (Optional) Show the crypto dynamic map set with the specified map-name. The crypto dynamic-map subcommands, such as match address, set peer, and set pfs are described in the crypto map command page. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS, it will accept any offer of PFS from the peer. command page. See this command page for the descriptions of these commands, including syntax descriptions.
Usage Guidelines
Create a dynamic crypto map entry.
Specifying the name of a given crypto dynamic map removes the associated crypto dynamic map command statement(s). You can also specify the dynamic crypto maps sequence number to remove all of the associated dynamic crypto map command statements. The show crypto dynamic-map command allows you to view a dynamic crypto map set.
Dynamic crypto maps are policy templates used when processing negotiation requests for new security associations from a remote IPSec peer, even if you do not know all of the crypto map parameters required to communicate with the peer (such as the peer's IP address). For example, if you do not know about all the remote IPSec peers in the network, a dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the IKE authentication has completed successfully.)
When a firewall receives a negotiation request via IKE from another peer, the request is examined to see if it matches a crypto map entry. If the negotiation does not match any explicit crypto map entry, it will be rejected unless the crypto map set includes a reference to a dynamic crypto map
The dynamic crypto map accepts "wildcard" parameters for any parameters not explicitly stated in the dynamic crypto map entry. This allows you to set up IPSec security associations with a previously unknown peer. (The peer still must specify matching values for the "wildcard" IPSec security association negotiation parameters.)
If the firewall accepts the peer's request, at the point that it installs the new IPSec security associations it also installs a temporary crypto map entry. This entry is filled in with the results of the negotiation. At this point, the firewall performs normal processing, using this temporary crypto map entry as a normal entry, even requesting new security associations if the current ones are expiring (based upon the policy specified in the temporary crypto map entry). Once the flow expires (that is, all of the corresponding security associations expire), the temporary crypto map entry is removed.
The dynamic crypto map command statements are used for determining whether or not traffic should be protected.
The only parameter required in a dynamic crypto map command statement is the set transform-set. All other parameters are optional. The no crypto dynamic-map command deletes a dynamic crypto map set or entry. The clear [crypto] dynamic-map removes all of the dynamic crypto map command statements.
Examples
The following example configures an IPSec crypto map set.
Crypto map entry mymap 30 references the dynamic crypto map set mydynamicmap, which can be used to process inbound security association negotiation requests that do not match mymap entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in mydynamicmap, for a flow "permitted" by the access list 103, IPSec will accept the request and set up security associations with the remote peer without previously knowing about the peer. If accepted, the resulting security associations (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with mydynamicmap 10 is also used as a filter. Inbound packets that match a permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec security association are also dropped.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 102
crypto map mymap 20 set transform-set my_t_set1 my_t_set2
crypto map mymap 20 set peer 10.0.0.3
crypto dynamic-map mydynamicmap 10 match address 103
crypto dynamic-map mydynamicmap 10 set transform-set my_t_set1 my_t_set2 my_t_set3
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmapThe following is sample output for the show crypto dynamic-map command:
show crypto dynamic-map Crypto Map Template "dyn1" 10 access-list 152 permit ip host 172.21.114.67 any Current peer: 0.0.0.0 Security association lifetime: 4608000 kilobytes/120 seconds PFS (Y/N): N Transform sets={tauth, t1,}The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set tauth ah-sha-hmac
crypto dynamic-map dyn1 10
crypto dynamic-map dyn1 set transform-set tauth t1
crypto dynamic-map dyn1 match address 152
crypto map to-firewall local-address Ethernet0
crypto map to-firewall 10 ipsec-isakmp
crypto map to-firewall 10 set peer 172.21.114.123
crypto map to-firewall 10 set transform-set tauth t1
crypto map to-firewall 10 match address 150
crypto map to-firewall 20 ipsec-isakmp dynamic dyn1
access-list 150 permit ip host 172.21.114.67 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 172.21.114.123
access-list 150 permit ip host 15.15.15.1 host 8.8.8.1
access-list 152 permit ip host 172.21.114.67 anyThe crypto map set transform-set command is required for dynamic crypto map entries.