Cisco FirePOWER ASA 5500 series Configuration Manual page 527

Chapter 27
Configuring IPSec and ISAKMP
Tip: Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered
by such a permit entry could include multicast or broadcast traffic, insert deny entries for the
appropriate address range into the access list. Remember to insert deny entries for network and subnet
broadcast traffic, and for any other traffic that IPSec should not protect.
Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The
security appliance cannot use dynamic crypto maps to initiate connections to a remote peer. With a
dynamic crypto map, if outbound traffic matches a permit entry in an access list and the corresponding
SA does not yet exist, the security appliance drops the traffic.
A crypto map set may include a dynamic crypto map. Dynamic crypto map sets should be the lowest
priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so
that the security appliance evaluates other crypto maps first. It examines the dynamic crypto map set only
when the other (static) map entries do not match.
Similar to static crypto map sets, a dynamic crypto map set consists of all of the dynamic crypto maps
with the same dynamic-map-name. The dynamic-seq-num differentiates the dynamic crypto maps in a
set. If you configure a dynamic crypto map, insert a permit ACL to identify the data flow of the IPSec
peer for the crypto access list. Otherwise the security appliance accepts any data flow identity the peer
proposes.
Caution: Do not assign static (default) routes for traffic to be tunneled to a security appliance interface configured
with a dynamic crypto map set. To identify the traffic that should be tunneled, add the ACLs to the
dynamic crypto map. Use care to identify the proper address pools when configuring the ACLs
associated with remote access tunnels. Use Reverse Route Injection to install routes only after the tunnel
is up.
The procedure for using a dynamic crypto map entry is the same as the basic configuration described in
"Creating a Basic IPSec Configuration," except that instead of creating a static crypto map, you create
a dynamic crypto map entry. You can also combine static and dynamic map entries within a single crypto
map set.
Create a crypto dynamic map entry as follows:
Step 1
(Optional) Assign an access list to a dynamic crypto map:
crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name
This determines which traffic should be protected and not protected.
For example:
crypto dynamic-map dyn1 10 match address 101
In this example, access list 101 is assigned to dynamic crypto map "dyn1." The map sequence number
is 10.
Step 2
Specify which transform sets are allowed for this dynamic crypto map. List multiple transform sets in
order of priority (highest priority first).
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name9]
For example:
crypto dynamic-map dyn1 10 set transform-set myset1 myset2
In this example, entry 10 of dynamic crypto map "dyn1" allows transform sets myset1 and myset2, with
myset1 preferred.
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Configuring IPSec, 27-25
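The following is a complete configuration that applies the Tip (deny entries ahead of the permit any), the Caution (no static routes toward dynamic peers, Reverse Route Injection instead), the ordering rule (dynamic map at the highest sequence number), and Steps 1 and 2 together. It is an added example, not text from this guide. It assumes ASA 7.2/8.0-era CLI syntax (the release family of this guide, before the ikev1 keywords), a local LAN of 192.168.10.0/24 behind the inside interface, one known static peer at 203.0.113.5 protecting 10.20.0.0/24, and remote peers with unknown addresses that authenticate with a pre-shared key through the DefaultL2LGroup tunnel group; every address, name and the key are constructed for the example.

```cisco
! Added example, not from the guide. Addresses, names and the key are constructed.
! Assumes ASA 7.2/8.0 CLI syntax (pre-8.4, so no "ikev1" keywords).

! --- Crypto ACL for the dynamic map (Tip above) ---
! The deny entries come first so that subnet broadcast, limited broadcast and
! multicast traffic never matches the "permit ... any" entry below and is never
! queued for an SA that no dynamic peer will ever negotiate.
access-list dyn-acl extended deny ip any host 192.168.10.255
access-list dyn-acl extended deny ip any host 255.255.255.255
access-list dyn-acl extended deny ip any 224.0.0.0 240.0.0.0
! Only the local LAN as source; the remote networks are unknown in advance, hence "any".
! Without this permit entry the appliance would accept any data flow identity a peer proposes.
access-list dyn-acl extended permit ip 192.168.10.0 255.255.255.0 any

! --- Crypto ACL for the known static peer ---
access-list static-acl extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.255.0

! --- Transform sets, referenced in priority order below ---
crypto ipsec transform-set myset1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac

! --- Dynamic crypto map (Steps 1 and 2 above) ---
crypto dynamic-map dyn1 10 match address dyn-acl
crypto dynamic-map dyn1 10 set transform-set myset1 myset2
! Caution above: no static routes toward dynamic peers. RRI installs a route
! for each peer's protected network only while that peer's tunnel is up.
crypto dynamic-map dyn1 10 set reverse-route

! --- Crypto map set: static entry first, dynamic entry last ---
crypto map outside_map 10 match address static-acl
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set transform-set myset1
! Highest possible sequence number, so every static entry is evaluated first and
! the dynamic map is consulted only when none of them match the peer.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside

! --- ISAKMP (IKEv1) on the outside interface ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Peers whose addresses are not known in advance land in DefaultL2LGroup
! when they authenticate with a pre-shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe
```

Two checks confirm the behaviour this section describes: after a dynamic peer brings its tunnel up, show crypto ipsec sa lists the SA that the peer (not the appliance) initiated, and show route shows the RRI-injected route to that peer's network; tear the tunnel down and the route disappears again, which is the point of the Caution about not configuring static routes for dynamic peers. Traffic from the LAN toward a dynamic peer before the peer connects is dropped, as the text states, because the appliance cannot initiate from a dynamic map entry.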
