Cisco Systems C7200 Network Cables User Manual

4-13
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
Command / Purpose

Step 3

Command:
Router(config-crypto-m)# match address <access-list-id>

Purpose:
(Optional) Access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry.

Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.

If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.

If this is not configured, the router will accept any data flow identity proposed by the IPSec peer.

However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified.

Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4

Command:
Router(config-crypto-m)# set peer {<hostname> | <ip-address>}

Purpose:
(Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.

This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers.

Step 5

Command:
Router(config-crypto-m)# set security-association lifetime seconds <seconds>
and
Router(config-crypto-m)# set security-association lifetime kilobytes <kilobytes>

Purpose:
(Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6

Command:
Router(config-crypto-m)# set pfs [group1 | group2 | group5]

Purpose:
(Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry or should demand perfect forward secrecy in requests received from the IPSec peer.

Step 7

Command:
Router(config-crypto-m)# exit

Purpose:
Exits crypto-map configuration mode and returns to global configuration mode.

Step 8

Repeat these steps to create additional crypto map entries as required.
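As an added check that is not part of the guide: a small Python audit that reads a constructed IOS-style running-config fragment and reports, per dynamic crypto map entry, which of the cautions in the steps above apply to it: no access list at all (any peer-proposed flow identity accepted), an access list that does not exist or is empty (all packets dropped), the any keyword in the access list, and a per-entry lifetime that is not shorter than the global lifetime. It assumes the `crypto dynamic-map`, `match address`, `set security-association lifetime` and `crypto ipsec security-association lifetime` syntax; the sample config is constructed.

```python
import re
# Constructed config fragment (not from the guide); each entry exercises one caveat.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
crypto dynamic-map DYN 10
 match address 101
 set security-association lifetime seconds 1800
crypto dynamic-map DYN 20
 match address 102
 set security-association lifetime seconds 7200
crypto dynamic-map DYN 30
 match address 103
crypto dynamic-map DYN 40
"""

def parse_config(text):
    # Returns (global SA lifetime, {acl-id: [ACEs]}, [crypto map entries]).
    global_life, acls, maps, cur = None, {}, [], None
    for line in text.splitlines():
        if m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            global_life = int(m.group(1))
        elif m := re.match(r"access-list (\S+) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)", line):
            cur = {"name": f"{m.group(1)} {m.group(2)}", "acl": None, "life": None}
            maps.append(cur)
        elif cur and (m := re.match(r" match address (\S+)", line)):
            cur["acl"] = m.group(1)
        elif cur and (m := re.match(r" set security-association lifetime seconds (\d+)", line)):
            cur["life"] = int(m.group(1))
    return global_life, acls, maps

def audit(text):
    # Maps each crypto map entry name to the guide's caveats that apply to it.
    global_life, acls, maps = parse_config(text)
    findings = {}
    for e in maps:
        notes = []
        if e["acl"] is None:
            notes.append("no ACL: any peer-proposed flow identity is accepted")
        elif not acls.get(e["acl"]):
            notes.append("ACL missing or empty: router drops all packets")
        elif any(" any" in ace for ace in acls[e["acl"]]):
            notes.append("ACL uses 'any': it filters packets as well as negotiating")
        if e["life"] is not None and global_life and e["life"] >= global_life:
            notes.append("entry lifetime is not shorter than the global lifetime")
        findings[e["name"]] = notes
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get a dictionary keyed by entry name; an empty list means none of the cautions apply to that entry.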