Adrian Collier - Cisco LAN-to-LAN VPN Issues: Asymmetric Functionality & Dynamic Crypto Maps

Cisco LAN-to-LAN VPN Issues: Asymmetric Functionality & Dynamic Crypto Maps

When configuring Crypto Maps its essential that you correctly place the Dynamic Crypto Map entry. Otherwise you'll spend hours troubleshooting something that's easily fixed. Here's the documentation on how to correctly configure a Crypto Map with a Dynamic Crypto Map entry.



A crypto map set may include a dynamic crypto map. Dynamic crypto map sets should be the lowest priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so that the adaptive security appliance evaluates other crypto maps first. It examines the dynamic crypto map set only when the other (static) map entries do not match.



Below is how NOT to configure a Crypto Map



crypto map abcmap 10 ipsec-isakmp dynamic dynamic_map
crypto map abcmap 20 match address l2l_list
crypto map abcmap 20 set peer 10.10.10.10
crypto map abcmap 20 set transform-set myset3
crypto map abcmap interface outside



Make sure you set that Crypto Dynamic Map entry with the highest sequence number!



crypto map abcmap 10 match address l2l_list
crypto map abcmap 10 set peer 10.10.10.10
crypto map abcmap 10 set transform-set myset3
crypto map abcmap 65535 ipsec-isakmp dynamic dynamic_map
crypto map abcmap interface outside



Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4



<
>