CHAPTER 13: crypto am-disable through crypto ipsec security-association replay Commands
Cisco ASA Series Command Reference, A through H Commands

crypto am-disable

To disable IPsec IKEv1 inbound aggressive mode connections, use the crypto ikev1 am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.

crypto ikev1 am-disable
no crypto ikev1 am-disable

Syntax Description
This command has no arguments or keywords.

Defaults
The default value is enabled.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     —              Yes     —                 —

Command History
Release   Modification
7.0(1)    The isakmp am-disable command was added.
7.2(1)    The crypto isakmp am-disable command replaces the isakmp am-disable command.
8.4(1)    The command name was changed from crypto isakmp am-disable to crypto ikev1 am-disable.

Examples
The following example, entered in global configuration mode, disables inbound aggressive mode connections:

ciscoasa(config)# crypto ikev1 am-disable

Related Commands
Command                                Description
clear configure crypto isakmp          Clears the ISAKMP configuration.
clear configure crypto isakmp policy   Clears the ISAKMP policy configuration.
clear crypto isakmp sa                 Clears the IKE runtime SA database.
show running-config crypto isakmp      Displays the active configuration.

crypto ca alerts expiration

Expiration checking for all installed certificates is enabled by default with the crypto ca alerts expiration command. To disable expiration checking, use the no form of this command:

crypto ca alerts expiration [begin <1-90>] [repeat <1-14>]
[no] crypto ca alerts expiration [begin <1-90>] [repeat <1-14>]

Syntax Description
begin    Set the interval at which the reminders are sent by configuring the number of days before expiration at which the first alert will go out. The range is from 1 to 90 days.
repeat   Configure the alert frequency if the certificate is not renewed. The range is 1 to 14 days.

Defaults
Expiration checking for all installed certificates is enabled by default.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
9.4(1)    This command was added.

Usage Guidelines
Since the reminders are syslog messages, we do not anticipate a need for disabling. This command has little impact on performance because it is only checked once a day. By default we will send the first alert 60 days prior to expiration and once every week after that until the certificate is renewed and removed. In addition, an alert is sent on the day of the expiration and once every day after that. Irrespective of the alerts configuration, a reminder is sent every day during the last week of expiration.

Examples
100(config)# crypto ca ?
configure mode commands/options:
  alerts  Configure alerts
100(config)# crypto ca alerts ?
configure mode commands/options:
  expiration  Configure an alert for certificates nearing expiration
100(config)# crypto ca alerts expiration ?
configure mode commands/options:
  begin   Begin alert
  repeat  Repeat alert
100(config)# crypto ca alerts expiration begin ?
configure mode commands/options:
  <1-90>  Days prior to expiration at which the first alert should be sent
100(config)# crypto ca alerts expiration begin 10 ?
configure mode commands/options:
  repeat  Repeat alert
100(config)# crypto ca alerts expiration begin 10 repeat ?
configure mode commands/options:
  <1-14>  Number of days at which the alert should be repeated after the prior alert
100(config)# crypto ca alerts expiration begin 10 repeat 1
100(config)# show run crypto ca ?
exec mode commands/options:
  alerts       Show alerts
  certificate  Show certificate map entries
  server       Show local certificate server configuration
  trustpoint   Show trustpoints
  trustpool    Show trustpool
  |            Output modifiers
100(config)# show run crypto ca alerts
crypto ca alerts expiration begin 10 repeat 1
100(config)# clear conf crypto ca ?
configure mode commands/options:
  alerts       Clear alerts
  certificate  Clear certificate map entries
  server       Clear Local CA server
  trustpoint   Clear trustpoints
  trustpool    Clear trustpool
100(config)# clear conf crypto ca alerts

Related Commands
Command                       Description
clear conf crypto ca alerts   Clears the configured crypto ca alerts.
show run crypto ca alerts     Shows the configured crypto ca alerts.
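The schedule described in the usage guidelines, modelled as an added example (not Cisco code) so an operator can predict on which days the expiration syslog will appear; it assumes the defaults the text gives (first alert 60 days out, then weekly) and the ranges shown in the CLI help:

```python
"""Model of the alert schedule described for 'crypto ca alerts expiration'.

Added example, not Cisco code: it encodes the documented behaviour so an
operator can predict on which days the expiration syslog is sent.
Defaults follow the text (first alert 60 days out, then weekly).
"""


def validate(begin: int, repeat: int) -> None:
    # Same ranges as the CLI help: begin <1-90>, repeat <1-14>.
    if not 1 <= begin <= 90:
        raise ValueError("begin must be 1..90 days")
    if not 1 <= repeat <= 14:
        raise ValueError("repeat must be 1..14 days")


def alert_due(days_until_expiry: int, begin: int = 60, repeat: int = 7) -> bool:
    """True if an alert is sent on the day that is days_until_expiry days
    before the certificate expires (0 = expiration day, negative = expired)."""
    validate(begin, repeat)
    # Day of expiration and every day after it, until renewed and removed.
    if days_until_expiry <= 0:
        return True
    # Last week before expiration: daily, irrespective of begin/repeat.
    if days_until_expiry <= 7:
        return True
    # Configured schedule: first alert at 'begin' days, then every 'repeat' days.
    if days_until_expiry <= begin:
        return (begin - days_until_expiry) % repeat == 0
    return False


def alert_days(begin: int = 60, repeat: int = 7, after_expiry: int = 0) -> list[int]:
    """All days (as days-until-expiry, descending) on which an alert fires,
    from 'begin' days out through 'after_expiry' days past expiration."""
    validate(begin, repeat)
    return [d for d in range(begin, -after_expiry - 1, -1)
            if alert_due(d, begin, repeat)]


if __name__ == "__main__":
    # Constructed scenario: an operator configured 'begin 10 repeat 3'.
    print(alert_days(10, 3, after_expiry=2))
```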

crypto ca authenticate

To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate command in global configuration mode.

crypto ca authenticate trustpoint [fingerprint hexvalue] [nointeractive]

Syntax Description
fingerprint     Specifies a hash value consisting of alphanumeric characters that the ASA uses to authenticate the CA certificate. If a fingerprint is provided, the ASA compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the ASA displays the computed fingerprint and asks whether to accept the certificate.
hexvalue        Identifies the hexadecimal value of the fingerprint.
nointeractive   Obtains the CA certificate for this trustpoint using no interactive mode; intended for use by the device manager only. In this case, if there is no fingerprint, the ASA accepts the certificate without question.
trustpoint      Specifies the trustpoint from which to obtain the CA certificate. The maximum trustpoint name length is 128 characters.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
If the trustpoint is configured for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, the ASA prompts you to paste the base-64 formatted CA certificate into the terminal. The invocations of this command do not become part of the running configuration.

Examples
The following example shows the ASA requesting the certificate of the CA. The CA sends its certificate and the ASA prompts the administrator to verify the certificate of the CA by checking the CA certificate fingerprint. The ASA administrator should verify the fingerprint value displayed against a known, correct value. If the fingerprint displayed by the ASA matches the correct value, you should accept the certificate as valid.

ciscoasa(config)# crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y
ciscoasa(config)#

The following example shows the trustpoint tp9 configured for terminal-based (manual) enrollment. The ASA prompts the administrator to paste the CA certificate into the terminal. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained.

ciscoasa(config)# crypto ca authenticate tp9
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
[ certificate data omitted ]
Certificate has the following attributes:
Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ciscoasa(config)#

Related Commands
Command                        Description
crypto ca enroll               Starts enrollment with a CA.
crypto ca import certificate   Installs a certificate received from a CA in response to a manual enrollment request.
crypto ca trustpoint           Enters crypto ca trustpoint configuration mode for the indicated trustpoint.

crypto ca certificate chain

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode.

crypto ca certificate chain trustpoint

Syntax Description
trustpoint   Specifies the trustpoint for configuring the certificate chain.

Defaults
No default values or behaviors.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example enters certificate chain configuration mode for the trustpoint central:

ciscoasa(config)# crypto ca certificate chain central
ciscoasa(config-cert-chain)#

Related Commands
Command                              Description
clear configure crypto ca trustpoint   Removes all trustpoints.

crypto ca certificate map

To maintain a prioritized list of certificate mapping rules, use the crypto ca certificate map command in global configuration mode. To remove a crypto CA configuration map rule, use the no form of the command.

crypto ca certificate map {sequence-number | map-name sequence-number}
no crypto ca certificate map {sequence-number | map-name [sequence-number]}

Syntax Description
map-name          Specifies a name for a certificate-to-group map.
sequence-number   Specifies a number for the certificate map rule that you are creating. The range is 1 through 65535. You can use this number when creating a tunnel group map, which maps a tunnel group to a certificate map rule.

Defaults
The default value for map-name is DefaultCertificateMap.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.
7.2(1)    The map-name option was added.

Usage Guidelines
Entering this command places the ASA in ca certificate map configuration mode, where you can configure rules based on the issuer and subject distinguished names (DNs) of the certificate. The general form of these rules is as follows:

DN match-criteria match-value

• The sequence number orders the mapping rules.
• DN is either issuer-name or subject-name. DNs are defined in the ITU-T X.509 standard.
• match-criteria comprise the following expressions or operators:

attr tag   Limits the comparison to a specific DN attribute, such as common name (CN).
eq         Equal
ne         Not equal
co         Contains
nc         Does not contain

The DN matching expressions are case insensitive.

Examples
The following example enters ca certificate map mode with a map named example-map and a sequence number of 1 (rule # 1), and specifies that the common name (CN) attribute of the subject-name must match Example1:

ciscoasa(config)# crypto ca certificate map example-map 1
ciscoasa(ca-certificate-map)# subject-name attr cn eq Example1
ciscoasa(ca-certificate-map)#

The following example enters ca certificate map mode with a map named example-map and a sequence number of 1, and specifies that the subject-name contain the value cisco anywhere within it:

ciscoasa(config)# crypto ca certificate map example-map 1
ciscoasa(ca-certificate-map)# subject-name co cisco
ciscoasa(ca-certificate-map)#

Related Commands
Command                                     Description
issuer-name                                 Indicates that rule entry is applied to the issuer DN of the IPsec peer certificate.
subject-name (crypto ca certificate map)    Indicates that rule entry is applied to the subject DN of the IPsec peer certificate.
tunnel-group-map enable                     Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.
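The matching semantics described above (attr tag, eq/ne/co/nc, case-insensitive comparison, evaluation in sequence-number order), emulated as an added example that is not Cisco code. It assumes DNs arrive as comma-separated "tag=value" strings and that every rule under one sequence number must match for that entry to match; the rule names and the EXAMPLE_MAP contents are constructed for illustration.

```python
"""Emulation of the DN matching rules described for 'crypto ca certificate map'.

Added example, not Cisco code. Assumptions: DNs are comma-separated
"tag=value" strings; all rules under one sequence number must match (AND);
the map is evaluated in ascending sequence-number order and the first
matching entry wins.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """'CN=Example1,O=Example Corp' -> [('cn', 'Example1'), ('o', 'Example Corp')]."""
    pairs = []
    for rdn in dn.split(","):
        if "=" in rdn:
            tag, value = rdn.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


@dataclass(frozen=True)
class Rule:
    dn: str                     # "issuer-name" or "subject-name"
    operator: str               # eq | ne | co | nc
    value: str                  # match-value
    attr: Optional[str] = None  # optional 'attr tag', e.g. "cn"


def rule_matches(rule: Rule, subject_dn: str, issuer_dn: str) -> bool:
    if rule.dn not in ("subject-name", "issuer-name"):
        raise ValueError(f"unknown DN selector {rule.dn!r}")
    dn = subject_dn if rule.dn == "subject-name" else issuer_dn
    # With 'attr tag' only that attribute's values are compared,
    # otherwise the whole DN string is.
    if rule.attr is None:
        candidates = [dn]
    else:
        candidates = [v for t, v in parse_dn(dn) if t == rule.attr.lower()]
    # DN matching expressions are case insensitive.
    want = rule.value.lower()
    candidates = [c.lower() for c in candidates]
    if rule.operator == "eq":
        return any(c == want for c in candidates)
    if rule.operator == "co":
        return any(want in c for c in candidates)
    if rule.operator == "ne":
        # Negation of eq; an absent attribute therefore satisfies 'ne' (assumption).
        return not any(c == want for c in candidates)
    if rule.operator == "nc":
        return not any(want in c for c in candidates)
    raise ValueError(f"unknown operator {rule.operator!r}")


def first_matching_entry(cert_map: dict[int, list[Rule]],
                         subject_dn: str, issuer_dn: str) -> Optional[int]:
    """Return the lowest sequence number whose rules all match, or None."""
    for seq in sorted(cert_map):
        if all(rule_matches(r, subject_dn, issuer_dn) for r in cert_map[seq]):
            return seq
    return None


# Constructed map: the two documented examples plus a stricter third entry.
EXAMPLE_MAP = {
    1: [Rule("subject-name", "eq", "Example1", attr="cn")],
    2: [Rule("subject-name", "co", "cisco")],
    3: [Rule("issuer-name", "ne", "Untrusted CA", attr="cn"),
        Rule("subject-name", "nc", "contractor")],
}

if __name__ == "__main__":
    print(first_matching_entry(EXAMPLE_MAP, "CN=Bob,O=Cisco Systems", "CN=Root CA"))
```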

crypto ca crl request

To request a CRL based on the configuration parameters of the specified trustpoint, use the crypto ca crl request command in crypto ca trustpoint configuration mode.

crypto ca crl request trustpoint

Syntax Description
trustpoint   Specifies the trustpoint. The maximum number of characters allowed is 128.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode                        Firewall Mode          Security Context
                                    Routed  Transparent    Single  Multiple Context  Multiple System
Crypto ca trustpoint configuration  Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.

Usage Guidelines
Invocations of this command do not become part of the running configuration.

Examples
The following example requests a CRL based on the trustpoint named central:

ciscoasa(config)# crypto ca crl request central
ciscoasa(config)#

Related Commands
Command         Description
crl configure   Enters crl configuration mode.

crypto ca enroll

To start the enrollment process with the CA, use the crypto ca enroll command in global configuration mode.

crypto ca enroll trustpoint [regenerate] [shared-secret | signing-certificate] [noconfirm]

Syntax Description
noconfirm             (Optional) Suppresses all prompts. Enrollment options that might have been prompted for must be preconfigured in the trustpoint. This option is for use in scripts, ASDM, or other noninteractive needs.
regenerate            Indicates whether or not a new key pair should be generated prior to building the enrollment request.
shared-secret         A value provided out-of-band by the CA that is used to confirm the authenticity and integrity of the messages exchanged with the ASA.
signing-certificate   The name of the trustpoint with a previously-issued device certificate used for signing the CMP enrollment request.
trustpoint            Specifies the name of the trustpoint to enroll with. The maximum number of characters allowed is 128.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.
9.7(1)    The option to regenerate was added, and the shared-secret and signing-certificate keywords were added.

Usage Guidelines
When the trustpoint is configured for SCEP enrollment, the ASA displays a CLI prompt immediately and status messages appear on the console asynchronously. When the trustpoint is configured for manual enrollment, the ASA writes a base-64-encoded PKCS10 certificate request to the console and then the CLI prompt appears.

This command generates interactive prompts that vary, depending on the configured state of the referenced trustpoint. For this command to run successfully, the trustpoint must have been configured correctly.

When a trustpoint is configured for CMP, either a shared secret value (ir) or the name of the trustpoint that contains the cert that will sign the request (cr) can be specified, but not both. The shared-secret or signing-certificate keywords are only available when the trustpoint enrollment protocol is set to CMP.

Examples
The following example requests enrollment for an identity certificate with trustpoint tp1 using SCEP enrollment. The ASA prompts for information not stored in the trustpoint configuration.

ciscoasa(config)# crypto ca enroll tp1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
% password to the CA Administrator in order to revoke your certificate.
% For security reasons your password will not be saved in the configuration.
% Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: xyz.example.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA [yes/no]: yes
% Certificate request sent to Certificate authority.
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
ciscoasa(config)#

The following example shows manual enrollment of a CA certificate:

ciscoasa(config)# crypto ca enroll tp1
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: wb-2600-3.example.com
if serial number not set in trustpoint, prompt:
% Include the router serial number in the subject name? [yes/no]: no
If ip-address not configured in trustpoint:
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 1.2.3.4
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
[ certificate request data omitted ]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
ciscoasa(config)#

Related Commands
Command                   Description
crypto ca authenticate    Obtains the CA certificate for this trustpoint.
crypto ca import pkcs12   Installs a certificate received from a CA in response to a manual enrollment request.
crypto ca trustpoint      Enters crypto ca trustpoint configuration mode for the indicated trustpoint.

crypto ca export

To export the ASA trustpoint configuration with all associated keys and certificates in PKCS12 format, or to export the device identity certificate in PEM format, use the crypto ca export command in global configuration mode.

crypto ca export trustpoint identity-certificate

Syntax Description
identity-certificate   Specifies that the enrolled certificate associated with the named trustpoint is to be displayed on the console.
trustpoint             Specifies the name of the trustpoint whose certificate is to be displayed. The maximum number of characters allowed for a trustpoint name is 128.

Defaults
No default values or behaviors.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.
8.0(2)    This command was changed to accommodate certificate exporting in PEM format.

Usage Guidelines
Invocations of this command do not become part of the active configuration. The PEM or PKCS12 data is written to the console.

Web browsers use the PKCS12 format to store private keys with accompanying public key certificates protected with a password-based symmetric key. The ASA exports the certificates and keys associated with a trustpoint in base64-encoded PKCS12 format. This feature can be used to move certificates and keys between ASAs.

PEM encoding of a certificate is a base64 encoding of an X.509 certificate enclosed by PEM headers. This encoding provides a standard method for text-based transfer of certificates between ASAs. PEM encoding can be used to export the proxy-ldc-issuer certificate using an SSL/TLS protocol proxy when the ASA is acting as a client.

Examples
The following example exports the PEM-formatted certificate for trustpoint 222 as a console display:

ciscoasa(config)# crypto ca export 222 identity-certificate
Exported 222 follows:
-----BEGIN CERTIFICATE-----
[ certificate data omitted ]
-----END CERTIFICATE-----
ciscoasa(config)#

Related Commands
Command                  Description
crypto ca authenticate   Obtains the CA certificate for this trustpoint.
crypto ca enroll         Starts enrollment with a CA.
crypto ca import         Installs a certificate received from a CA in response to a manual enrollment request.
crypto ca trustpoint     Enters crypto ca trustpoint configuration mode for the indicated trustpoint.

crypto ca import

To install a certificate received from a CA in response to a manual enrollment request, or to import the certificate and key pair for a trustpoint using PKCS12 data, use the crypto ca import command in global configuration mode.

crypto ca import trustpoint certificate [nointeractive]
crypto ca import trustpoint pkcs12 passphrase [nointeractive]

Syntax Description
certificate     Tells the ASA to import a certificate from the CA represented by the trustpoint.
nointeractive   (Optional) Imports a certificate using nointeractive mode, which suppresses all prompts. This option is for use in scripts, ASDM, or other noninteractive needs.
passphrase      Specifies the passphrase used to decrypt the PKCS12 data.
pkcs12          Tells the ASA to import a certificate and key pair for a trustpoint, using PKCS12 format.
trustpoint      Specifies the trustpoint with which to associate the import action. The maximum number of characters allowed is 128. If you import PKCS12 data and the trustpoint uses RSA keys, the imported key pair is assigned the same name as the trustpoint.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode          Security Context
                       Routed  Transparent    Single  Multiple Context  Multiple System
Global configuration   Yes     Yes            Yes     Yes               —

Command History
Release   Modification
7.0(1)    This command was added.

Examples
The following example manually imports a certificate for the trustpoint Main:

ciscoasa(config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
[ certificate data omitted ]
quit
INFO: Certificate successfully imported
ciscoasa(config)#

The following example manually imports PKCS12 data to a trustpoint central:

ciscoasa(config)# crypto ca import central pkcs12
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully
ciscoasa(config)#

The following example, entered in global configuration mode, generates a warning message because there is not enough space in NVRAM to save the RSA keypair:

ciscoasa(config)# crypto ca import central pkcs12 mod 2048
INFO: The name for the keys will be: central
Keypair generation process begin. Please wait...
NV RAM will not have enough space to save keypair central. Remove any unnecessary keypairs and save the running config before using this keypair.
ciscoasa(config)#

Related Commands
Command                  Description
crypto ca export         Exports a trustpoint certificate and key pair in PKCS12 format.
crypto ca authenticate   Obtains the CA certificate for a trustpoint.
crypto ca enroll         Starts enrollment with a CA.
crypto ca trustpoint     Enters the crypto ca trustpoint configuration mode for the indicated trustpoint.

17 Chapter crypto ca reference-identity To configure a reference- crypto ca reference-identity command in identity object, use the ference-identity object, use the no form of this command. configuration mode. To delete a re reference_identity_name crypto ca reference-identity no crypto ca reference-identity reference_identity_name Enter the crypto ca reference-identity command in global configuration mode to place the ASA in ca-reference-identity mode. Enter the following reference-ids while in ca-reference-identity mode. Multiple reference-ids of any type may be added. Use the form of each command to remove no reference-ids. [ no ] cn-id value [ no ] dns-id value ] value [ no srv-id ] uri-id value no [ Syntax Description reference-identity-name Name of the reference-identity object. value Value of each reference-id. Common Name (CN), where the value matches the overall form of a domain cn-id name. The CN value cannot be free text. A CN-ID reference identifier does not identify an application service. dns-id A subjectAltName entry of type dNSName. This is a DNS domain name. A DNS-ID reference identifier does not identify an application service. srv-id A subjectAltName entry of type othe rName whose name form is SRVName as defined in RFC 4985. A SRV-ID identifier may contain both a domain name and an application service type. For example, a SRV-ID of “_imaps.example.net” would be split into a DNS domain name portion of “example.net” and an application service type portion of “imaps.” uri-id A subjectAltName entry of type unif ormResourceIdentifier whose value “host” component (or its equivalent) includes both (i) a “scheme” and (ii) a that matches the “reg-name” rule specified in RFC 3986. A URI-ID identifier must contain the DNS domain name, not the IP address, and not just the hostname. 
For example, a URI-ID of “s ip:voice.example.edu” would be split oice.example.edu” and an application into a DNS domain name portion of “v service type of “sip.” No default behavior or values. Command Default Cisco ASA Series Command Reference, A through H Commands 13-17

18 Chapter Command Modes The following table shows the modes in which you can enter the command: Firewall Mode Security Context Multiple Transpare Command Mode nt Single Routed Context System Global configuration Ye s Ye s — Ye s • • • Ye s • Modification Release Command History We introduced this command. 9.6(2) command in global configuration mode to place the ASA in crypto ca reference-identity Enter the Usage Guidelines mode: ca-reference-identity mode. Enter the following reference-ids while in ca-reference-identity no form of each rence-ids of any type may be added. Use the cn-id, dns-id, srv-id, or uri-id. Multiple refe command to remove reference-ids. A reference identity is created when configuring on name. Once a reference e with a previously unused identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity. ate contains at least one is expected if the certific When multiple entries are used, the following behavior instance of srv-id, uri-id, or dns-id: • If any instance of uri-id in the certificate matches any instance of uri-id on the named reference id, then the certificate matches the reference identity. If any instance of srv-id in the certificate matches any instance of srv-id on the named reference id, • then the certificate matches the reference identity. hes any instance of dns-id on the named reference id, If any instance of dns-id in the certificate matc • then the certificate matches the reference identity. • icate does not match the reference identity. If none of these scenarios exist, the certif the following behavior is expected if the certificate does not contain at When multiple entries are used, least one instance of srv-id, uri-id, or dns-id but does contain at least one cn-id: • If any instance of cn-id in the certificate matc hes any instance of cn-id on the named reference id, ty. 
Otherwise, the certificate does not match the then the certificate matches the reference identi reference identity. If the certificate does not contain at least one instance of srv-id, uri-id, dns-id, or cn-id, then the • certificate does not match the reference identity. When the ASA is acting as a TLS client, it supports rules for verification of an application server's identity as defined in RFC 6125. Re ference identities are configured on the ASA, to be compared to the identity presented in a server certificate during conn ection establishment. These identifiers are specific pes also specified in RFC 6125. instances of the four identifier ty and The reference identifiers cn-id MAY NOT contain information identifying the application dns-id service and MUST contain information identifying the DNS domain name. Cisco ASA Series Command Reference, A through H Commands 13-18

Examples

The following example creates a reference-identity for a syslog server:

ciscoasa(config)# crypto ca reference-identity syslogServer
ciscoasa(config-ca-ref-identity)# dns-id syslog1-bxb.cisco.com
ciscoasa(config-ca-ref-identity)# cn-id syslog1-bxb.cisco.com

Related Commands

Command                                        Description
cn-id                                          Configures a Common Name Identifier in the reference-identity object.
dns-id                                         Configures a DNS domain name Identifier in a reference identity object.
srv-id                                         Configures a SRV-ID identifier in a reference identity object.
uri-id                                         Configures a URI identifier in a reference identity object.
logging host                                   Configures a logging server that can use a reference-identity object for a secure connection.
call-home profile destination address http     Configures a Smart Call Home server that can use a reference-identity object for a secure connection.

crypto ca server (Deprecated)

To set up and manage a local CA server on the ASA, use the crypto ca server command in global configuration mode. To delete the configured local CA server from the ASA, use the no form of this command.

crypto ca server
no crypto ca server

Syntax Description

This command has no arguments or keywords.

Defaults

A certificate authority server is not enabled on the ASA.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Global configuration      Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.
9.12(1)    Provision to configure the user's FQDN for the enrollment URL, under the smtp command. If not configured, the ASA's FQDN will be used by default.
           This command is being deprecated and will be removed in a future release.

Usage Guidelines

There can only be one local CA on an ASA. The crypto ca server command configures the CA server, but does not enable it. Use the no form of the shutdown command in ca server configuration mode to enable the local CA.

When you activate the CA server with the no shutdown command, you establish the RSA keypair of the CA and a trustpoint named LOCAL-CA-SERVER to hold the self-signed certificate. This newly generated self-signed certificate always has digital signature, CRL signing, and certificate signing key usage settings set.

Beginning with version 9.12(1), ASA allows users to configure their FQDN for the enrollment URL. Typically, users have an internal DNS configured as the ASA's FQDN and an external DNS configured with the FQDN that is included in the enrollment email. Using the fqdn command, users can configure their FQDN for the enrollment URL instead of the ASA's FQDN. If not configured, ASA uses its FQDN by default.

Caution: The no crypto ca server command deletes the configured local CA server, its RSA keypair, and the associated trustpoint, regardless of the current state of the local CA server.

Examples

The following example enters ca server configuration mode, then lists the local CA server commands available in that mode:

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# ?

CA Server configuration commands:
  cdp-url                CRL Distribution Point to be included in the issued certificates
  database               Embedded Certificate Server database location configuration
  enrollment-retrieval   Enrollment-retrieval timeout configuration
  exit                   Exit from Certificate Server entry mode
  help                   Help for crypto ca server configuration commands
  issuer-name            Issuer name
  keysize                Size of keypair in bits to generate for certificate enrollments
  lifetime               Lifetime parameters
  no                     Negate a command or set its defaults
  otp                    One-Time Password configuration options
  renewal-reminder       Enrollment renewal-reminder time configuration
  shutdown               Shutdown the Embedded Certificate Server
  smtp                   SMTP settings for enrollment E-mail notifications
  subject-name-default   Subject name default configuration for issued certificates

The following example shows configuration of the user's fqdn under the smtp command and the verification output:

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# smtp fqdn asa1-localCA.server.amazon.com
ciscoasa(config-ca-server)# show run crypto ca server
crypto ca server
 smtp fqdn asa1-localCA.server.amazon.com

The following example uses the no form of the crypto ca server command in ca server configuration mode to delete the configured and enabled CA server from the ASA:

ciscoasa(config-ca-server)# no crypto ca server
Certificate server 'remove server' event has been queued for processing.
ciscoasa(config)#

Related Commands

Command                          Description
debug crypto ca server           Shows debugging messages when you configure the local CA server.
show crypto ca server            Displays the status and parameters of the configured CA server.
show crypto ca server cert-db    Displays local CA server certificates.

crypto ca server crl issue

To force the issuance of a Certificate Revocation List (CRL), use the crypto ca server crl issue command in privileged EXEC mode.

crypto ca server crl issue

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

Use this command to recover a lost CRL. Normally, the CRL is reissued automatically at expiration by resigning the existing CRL. The crypto ca server crl issue command regenerates the CRL based on the certificate database and should only be used as required to regenerate a CRL based on the certificate database contents.

Examples

The following example forces the issuance of a CRL by the local CA server:

ciscoasa(config-ca-server)# crypto ca server crl issue
A new CRL has been issued.
ciscoasa(config-ca-server)#

Related Commands

Command                 Description
cdp-url                 Specifies the certificate revocation list distribution point to be included in the certificates issued by the CA.
crypto ca server        Provides access to the ca server configuration mode command set, which allows you to configure and manage the local CA.

Command                       Description
crypto ca server revoke       Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.
show crypto ca server crl     Displays the current CRL of the local CA.

crypto ca server revoke

To mark a certificate issued by the local Certificate Authority (CA) server as revoked in the certificate database and the CRL, use the crypto ca server revoke command in privileged EXEC mode.

crypto ca server revoke cert-serial-no

Syntax Description

cert-serial-no    Specifies the serial number of the certificate to be revoked, which must be in hexadecimal format.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

You revoke a specific certificate that has been issued by the local CA on an ASA by entering the crypto ca server revoke command on that ASA. Revocation is accomplished when this command marks the certificate as revoked in the certificate database on the CA server and in the CRL. You specify the certificate to be revoked by entering the certificate serial number in hexadecimal format. The CRL is regenerated automatically after the specified certificate is revoked.

Examples

The following example revokes the certificate with the serial number 782ea09f issued by the local CA server:

ciscoasa(config-ca-server)# crypto ca server revoke 782ea09f
Certificate with the serial number 0x782ea09f has been revoked. A new CRL has been issued.
ciscoasa(config-ca-server)#

Related Commands

Command                            Description
crypto ca server crl issue         Forces the issuance of a CRL.
crypto ca server unrevoke          Unrevokes a revoked certificate issued by the local CA server.
crypto ca server user-db remove    Removes a user from the CA server user database.
show crypto ca server crl          Displays the current CRL of the local CA.
show crypto ca server user-db      Displays users included in the CA server user database.

crypto ca server unrevoke

To unrevoke a revoked certificate issued by the local CA server, use the crypto ca server unrevoke command in privileged EXEC mode.

crypto ca server unrevoke cert-serial-no

Syntax Description

cert-serial-no    Specifies the serial number of the certificate to be unrevoked, which must be in hexadecimal format.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

You unrevoke a revoked certificate issued by the local CA on an ASA by entering the crypto ca server unrevoke command. The validity of the certificate is restored when this command marks the certificate as valid in the certificate database and removes it from the CRL. You specify the certificate to be unrevoked by entering the certificate serial number in hexadecimal format. The CRL is regenerated after the specified certificate is unrevoked.

Examples

The following example unrevokes the certificate with the serial number 782ea09f issued by the local CA server:

ciscoasa(config-ca-server)# crypto ca server unrevoke 782ea09f
Certificate with the serial number 0x782ea09f has been unrevoked. A new CRL has been issued.
ciscoasa(config-ca-server)#

Related Commands

Command                          Description
crypto ca server                 Provides access to the ca server configuration mode command set, which allows you to configure and manage the local CA.
crypto ca server crl issue       Forces the issuance of a CRL.
crypto ca server revoke          Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.
crypto ca server user-db add     Adds a user to the CA server user database.
show crypto ca server cert-db    Displays local CA server certificates.
show crypto ca server user-db    Displays users included in the CA server user database.

crypto ca server user-db add

To insert a new user into the CA server user database, use the crypto ca server user-db add command in privileged EXEC mode.

crypto ca server user-db add user [dn dn] [email e-mail-address]

Syntax Description

dn dn                   Specifies a subject-name distinguished name for certificates issued to the added user. If a DN string contains spaces, enclose the value with double quotes. You can only use commas to separate DN attributes (for example, "OU=Service, O=Company, Inc.").
email e-mail-address    Specifies the e-mail address for the new user.
user                    Specifies a single user to whom to grant enrollment privileges. The username can be a simple username or an e-mail address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

The user argument can be a simple username such as user1 or an e-mail address such as [email protected]. The username must match the username specified by the end user in the enrollment page.

The username is added to the database as a user without privileges. You must use the crypto ca server user-db allow command to grant enrollment privileges. The username argument, along with the one-time password, is used to enroll the user on the enrollment interface page.

Note: For e-mail notification of the one-time password (OTP), an e-mail address should be specified either in the username or in the email-address argument. A missing e-mail address at mailing time generates an error.

The email e-mail-address keyword-argument pair is used only as an e-mail address to notify the user for enrollment and renewal reminders and does not appear in the issued certificate. Inclusion of the e-mail address ensures that the user can be contacted with any questions and is notified of the required one-time password for enrollment.

If an optional DN is not specified for a user, the subject name DN is formed using the username and the subject-name-default DN setting as cn=username, subject-name-default.

Examples

The following example adds a user to the user database with a username of [email protected] with a complete subject-name DN:

ciscoasa(config-ca-server)# crypto ca server user-db add dn "cn=Jane Doe, ou=engineering, o=Example, l=RTP, st=NC, c=US"
ciscoasa(config-ca-server)#

The following example grants enrollment privileges to the user named user2:

ciscoasa(config-ca-server)# crypto ca server user-db allow user2
ciscoasa(config-ca-server)#

Related Commands

Command                            Description
crypto ca server                   Provides access to the ca server configuration mode command set, which allows you to configure and manage a local CA.
crypto ca server user-db allow     Permits a specific user or a subset of users in the CA server database to enroll with the CA.
crypto ca server user-db remove    Deletes a user from the CA server database.
crypto ca server user-db write     Copies the user information in the CA server database to the file specified by the database path command.
database path                      Specifies a path or location for the local CA database. The default location is flash memory.
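The subject-DN rules stated here (commas as the only attribute separator, quoting for values with spaces or commas, and cn=username prepended to subject-name-default when no dn is given) are small enough to model exactly. The following Python is an added example, not Cisco code: the parser, the canonical output form (attributes joined by a bare comma, values quoted only when they contain a comma or a space) and the function names are this example's assumptions. It shows that a username containing a comma still yields a single cn attribute on round trip, which is the property an operator wants before usernames from an external directory are fed into user-db add.

```python
"""Form the subject DN of a local CA user as the Usage Guidelines describe.

Added example, not Cisco code. Models: (1) commas separate DN attributes,
(2) a value containing a comma or spaces is double-quoted, (3) without an
explicit dn the subject is cn=<username> followed by subject-name-default.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs.

    Commas outside double quotes separate attributes; a double-quoted value
    may contain commas. Quotes around the whole argument (the CLI form used in
    the page's "cn=Jane Doe, ..." example) are removed first.
    """
    s = dn.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"' and s.count('"') == 2:
        s = s[1:-1]
    tokens, cur, in_quotes = [], [], False
    for ch in s:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            tokens.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in DN")
    tokens.append("".join(cur))

    pairs = []
    for tok in tokens:
        attr, eq, value = tok.partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN: {tok!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip per-value quotes, keep the inner commas
        pairs.append((attr.strip(), value))
    return pairs


def format_value(value: str) -> str:
    """Quote a value that contains a comma or a space so parse_dn keeps it as
    one attribute. The page documents no escape for an embedded double quote,
    so such a value is rejected rather than emitted ambiguously."""
    if '"' in value:
        raise ValueError("double quote not allowed inside a DN value")
    if "," in value or " " in value:
        return f'"{value}"'
    return value


def format_dn(pairs: list[tuple[str, str]]) -> str:
    """Canonical form used by this example: attr=value pairs joined by a comma."""
    return ",".join(f"{attr}={format_value(value)}" for attr, value in pairs)


def subject_dn_for_user(username: str, subject_name_default: str,
                        dn: str | None = None) -> str:
    """Subject DN the local CA would place in a user's certificate: the explicit
    dn if one was given with user-db add, otherwise cn=<username> followed by
    the subject-name-default DN."""
    if dn is not None:
        return format_dn(parse_dn(dn))
    return format_dn([("cn", username)] + parse_dn(subject_name_default))


if __name__ == "__main__":
    print(subject_dn_for_user("user2", 'ou=engineering, o="Example, Inc.", c=US'))
    print(subject_dn_for_user("doe,cn=admin", "o=Example"))
```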

crypto ca server user-db allow

To permit a user or a group of users to enroll in the local CA server database, use the crypto ca server user-db allow command in privileged EXEC mode. This command also includes options to generate and display one-time passwords or to e-mail them to users.

crypto ca server user-db allow {username | all-unenrolled | all-certholders} [display-otp] [email-otp] [replace-otp]

Syntax Description

all-certholders    Specifies that enrollment privileges be granted to all users in the database who have been issued a certificate, whether the certificate is valid or not. This is equivalent to granting renewal privileges.
all-unenrolled     Specifies that enrollment privileges be granted to all users in the database who have not been issued a certificate.
display-otp        (Optional) Displays the one-time passwords for all specified users on the console.
email-otp          (Optional) Sends the specified users one-time passwords by e-mail to their configured e-mail addresses.
replace-otp        (Optional) Specifies that one-time passwords be regenerated for all specified users who originally had valid one-time passwords.
username           Specifies a single user to whom to grant enrollment privileges. The username can be a simple username or e-mail address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

The replace-otp keyword generates OTPs for all specified users. These new OTPs replace any valid ones generated for the specified users.

The OTP is not stored on the ASA, but is generated and regenerated as required to notify a user or to authenticate a user during enrollment.

Examples

The following example grants enrollment privileges to all users in the database who have not enrolled yet:

ciscoasa(config-ca-server)# crypto ca server user-db allow all-unenrolled
ciscoasa(config-ca-server)#

The following example grants enrollment privileges to the user named user1:

ciscoasa(config-ca-server)# crypto ca server user-db allow user1
ciscoasa(config-ca-server)#

Related Commands

Command                          Description
crypto ca server                 Provides access to the ca server configuration mode command set, which allows you to configure and manage a local CA.
crypto ca server user-db add     Adds a user to the CA server user database.
crypto ca server user-db write   Copies the user information in the CA server database to the file specified by the database path command.
enrollment-retrieval             Specifies the time in hours that an enrolled user can retrieve a PKCS12 enrollment file.
show crypto ca server cert-db    Displays all certificates issued by the local CA.

crypto ca server user-db email-otp

To e-mail the OTP to a specific user or a subset of users in the local CA server database, use the crypto ca server user-db email-otp command in privileged EXEC mode.

crypto ca server user-db email-otp {username | all-unenrolled | all-certholders}

Syntax Description

all-certholders    Specifies that OTPs are e-mailed to all users in the database who have been issued a certificate, whether that certificate is valid or not.
all-unenrolled     Specifies that the OTPs are e-mailed to all users in the database who have never been issued a certificate, or who only hold expired or revoked certificate(s).
username           Specifies that the OTP for a single user is e-mailed to that user. The username can be a username or an e-mail address.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Examples

The following example e-mails the OTP to all unenrolled users in the database:

ciscoasa(config-ca-server)# crypto ca server user-db email-otp all-unenrolled
ciscoasa(config-ca-server)#

The following example e-mails the OTP to the user named user1:

ciscoasa(config-ca-server)# crypto ca server user-db email-otp user1
ciscoasa(config-ca-server)#

Related Commands

Command                              Description
crypto ca server user-db show-otp    Displays the one-time password for a specific user or a subset of users in the CA server database.
show crypto ca server cert-db        Displays all certificates issued by the local CA.
show crypto ca server user-db        Displays users included in the CA server user database.

crypto ca server user-db remove

To remove a user from the local CA server user database, use the crypto ca server user-db remove command in privileged EXEC mode.

crypto ca server user-db remove username

Syntax Description

username    Specifies the name of the user to remove in the form of a username or an e-mail address.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
CA server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

This command removes a username from the CA user database so that the user cannot enroll. The command also provides the option to revoke previously issued, valid certificates.

Examples

The following example removes a user with a username, user1, from the CA server user database:

ciscoasa(config-ca-server)# crypto ca server user-db remove user1
WARNING: No certificates have been automatically revoked. Certificates issued to user user1 should be revoked if necessary.
ciscoasa(config-ca-server)#

Related Commands

Command                       Description
crypto ca server crl issue    Forces the issuance of a CRL.
crypto ca server revoke       Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.

Command                          Description
show crypto ca server user-db    Displays users included in the CA server user database.
crypto ca server user-db write   Writes the user information configured in the local CA database to the file specified by the database path command.

crypto ca server user-db show-otp

To display the OTP for a specific user or a subset of users in the local CA server database, use the crypto ca server user-db show-otp command in privileged EXEC mode.

crypto ca server user-db show-otp {username | all-certholders | all-unenrolled}

Syntax Description

all-certholders    Displays the OTPs for all users in the database who have been issued a certificate, whether the certificate is currently valid or not.
all-unenrolled     Displays the OTPs for all users in the database who have never been issued a certificate, or who only hold expired or revoked certificate(s).
username           Specifies that the OTP for a single user be displayed. The username can be a username or an e-mail address.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Examples

The following example displays the OTP for all users who have valid or invalid certificates in the database:

ciscoasa(config-ca-server)# crypto ca server user-db show-otp all-certholders
ciscoasa(config-ca-server)#

The following example displays the OTP for the user named user1:

ciscoasa(config-ca-server)# crypto ca server user-db show-otp user1
ciscoasa(config-ca-server)#

Related Commands

Command                              Description
crypto ca server user-db add         Adds a user to the CA server user database.
crypto ca server user-db allow       Allows a specific user or a subset of users in the CA server database to enroll with the local CA.
crypto ca server user-db email-otp   E-mails the one-time password to a specific user or to a subset of users in the CA server database.
show crypto ca server cert-db        Displays all certificates issued by the local CA.

crypto ca server user-db write

To configure a directory location to store all the local CA database files, use the crypto ca server user-db write command in privileged EXEC mode.

crypto ca server user-db write

Syntax Description

This command has no keywords or arguments.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Ca server configuration   Yes       —                Yes       —          —
Global configuration      Yes       —                Yes       —          —
Privileged EXEC           Yes       —                Yes       —          —

Command History

Release    Modification
8.0(2)     This command was added.

Usage Guidelines

The crypto ca server user-db write command is used to save new user-based configuration data to the storage specified by the database path configuration. The information is generated when new users are added or allowed with the crypto ca server user-db add and crypto ca server user-db allow commands.

Examples

The following example writes the user information configured in the local CA database to storage:

ciscoasa(config-ca-server)# crypto ca server user-db write
ciscoasa(config-ca-server)#

Related Commands

Command                        Description
crypto ca server user-db add   Adds a user to the CA server user database.
database path                  Specifies a path or location for the local CA database. The default location is flash memory.

Command                           Description
crypto ca server user-db remove   Removes a user from the CA server user database.
show crypto ca server cert-db     Displays all certificates issued by the local CA.
show crypto ca server user-db     Displays users included in the CA server user database.

crypto ca trustpoint

To enter the crypto ca trustpoint configuration mode for the specified trustpoint, use the crypto ca trustpoint command in global configuration mode. To remove the specified trustpoint, use the no form of this command.

crypto ca trustpoint trustpoint-name
no crypto ca trustpoint trustpoint-name [noconfirm]

Syntax Description

noconfirm          Suppresses all interactive prompting.
trustpoint-name    Identifies the name of the trustpoint to manage. The maximum name length allowed is 128 characters.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

                          Firewall Mode              Security Context
                                                               Multiple
Command Mode              Routed    Transparent      Single    Context    System
Global configuration      Yes       Yes              Yes       Yes        —

Command History

Release    Modification
7.0(1)     This command was added.
7.2(1)     Added options to support OCSP. These include match certificate map, ocsp disable-nonce, ocsp url, and revocation-check.
8.0(2)     Added options to support certificate validation. These include id-usage and validation-policy. The following are being deprecated: accept-subordinates, id-cert-issuer, and support-user-cert-validation.
8.0(4)     The enrollment self option was added to support enrollment of self-signed certificates between trusted enterprise TLS proxies, such as between phone proxy and TLS proxy.

Usage Guidelines

Use the crypto ca trustpoint command to declare a CA. Issuing this command puts you in crypto ca trustpoint configuration mode.

This command manages trustpoint information. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint mode control CA-specific configuration parameters, which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.

You can specify characteristics for the trustpoint using the following commands:

• accept-subordinates —Deprecated. Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during phase one IKE exchange when not previously installed on the ASA.
• auto-enroll —Configures the parameters that control if CMPv2 auto update is used, when it is triggered, and if a new keypair is generated. Enter a percentage of the absolute lifetime of the certificate after which auto-enroll will be necessary. Then specify if you want to generate a new key while renewing the certificate: [no] auto-enroll [] [regenerate]
• crl required | optional | nocheck —Specifies CRL configuration options.
• crl configure —Enters crl configuration mode (see the crl command).
• default enrollment —Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.
• email address —During enrollment, asks the CA to include the specified email address in the subject alternative name extension of the certificate.
• enrollment protocol cmp|scep url —Specifies either CMP or SCEP enrollment to enroll with this trustpoint and configures the enrollment URL (url).
• enrollment retry period —Specifies a retry period in minutes for SCEP enrollment.
• enrollment retry count —Specifies a maximum number of permitted retries for SCEP enrollment.
• enrollment terminal —Specifies cut and paste enrollment with this trustpoint.
• enrollment self —Specifies enrollment that generates a self-signed certificate.
• enrollment url —Specifies the SCEP enrollment to enroll with this trustpoint and configures the enrollment URL (url).
• exit —Leaves the configuration mode.
• fqdn fqdn —During enrollment, asks the CA to include the specified FQDN in the subject alternative name extension of the certificate.
• id-cert-issuer —Deprecated. Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.
• id-usage —Specifies how the enrolled identity of a trustpoint can be used.
• ip-addr ip-address —During enrollment, asks the CA to include the IP address of the ASA in the certificate.
• keypair name —Specifies the key pair whose public key is to be certified.
• keypair [] —Specifies the keypair, as either RSA or ECDSA, whose public key is to be certified, and its modulus bits or elliptic curve bits.
• match certificate map-name override ocsp —Matches a certificate map to an OCSP override rule.
• ocsp disable-nonce —Disables the nonce extension, which cryptographically binds revocation requests with responses to avoid replay attacks.
• ocsp url —Specifies that the OCSP server at this URL check all certificates associated with this trustpoint for revocation status.
• password string —Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.
• revocation check —Specifies the revocation checking method, which includes CRL, OCSP, and none.

• serial-number —During enrollment, asks the CA to include the ASA serial number in the certificate.
• subject-name X.500 name —During enrollment, asks the CA to include the specified subject DN in the certificate. If a DN string includes a comma, enclose the value string with double quotes (for example, O="Company, Inc.").
• support-user-cert-validation —Deprecated. If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that it is authenticated to the CA that issued the remote certificate. This option applies to the configuration data associated with the subcommands crl required | optional | nocheck and all settings in the CRL mode.
• validation-policy —Specifies trustpoint conditions for validating certificates associated with user connections.

Note: When you try to connect, a warning occurs to indicate that the trustpoint does not contain an ID certificate when an attempt is made to retrieve the ID certificate from the trustpoint.

Examples

The following example enters ca trustpoint configuration mode for managing a trustpoint named central:

ciscoasa(config)# crypto ca trustpoint central
ciscoasa(ca-trustpoint)#

Related Commands

Command                                Description
clear configure crypto ca trustpoint   Removes all trustpoints.
crypto ca authenticate                 Obtains the CA certificate for this trustpoint.
crypto ca certificate map              Enters crypto ca certificate map configuration mode. Defines certificate-based ACLs.
crypto ca crl request                  Requests a CRL based on configuration parameters of a specified trustpoint.
crypto ca import                       Installs a certificate received from a CA in response to a manual enrollment request.

crypto ca trustpool export
To export the certificates that constitute the PKI trustpool, use the crypto ca trustpool export command in privileged EXEC mode.

crypto ca trustpool export filename

Syntax Description
filename — The file in which to store the exported trustpool certificates.

Defaults
No default behavior or values.

Command Modes
Privileged EXEC.

Command History
9.0(1): This command was added.

Usage Guidelines
This command copies the entire contents of the active trustpool to the indicated file path in PEM-encoded format.

Examples
ciscoasa# crypto ca trustpool export disk0:/exportfile.pem
Trustpool certificates exported to disk0:/exportfile.pem
ciscoasa#
ciscoasa# more exportfile.pem
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE

Related Commands
crypto ca trustpool import: Imports the certificates that constitute the PKI trustpool.

crypto ca trustpool import
To import the certificates that constitute the PKI trustpool, use the crypto ca trustpool import command in global configuration mode.

crypto ca trustpool import [clean] url url [noconfirm [signature-required]]

Syntax Description
clean — Removes all downloaded trustpool certificates prior to import.
noconfirm — Suppresses all interactive prompts.
signature-required — Indicates that only signed files are accepted.
url url — The location of the trustpool file to be imported.

Defaults
No default behavior or values.

Command Modes
Global configuration.

Command History
9.0(1): This command was added.
9.12(1): The option to use the ASA's default trusted CA list was removed.

Usage Guidelines
This command provides the ability to validate the signature on the file when a trustpool bundle is downloaded from cisco.com. A valid signature is not mandatory when downloading bundles from other sources or in a format that does not support signatures. Users are informed of the signature status and are given the option to accept the bundle or not.

The possible interactive warnings are:
• Cisco bundle format with invalid signature
• Non-Cisco bundle format
• Cisco bundle format with valid signature

The signature-required keyword is allowed only if the noconfirm option is selected. If the signature-required keyword is included but the signature is not present or cannot be verified, the import fails.

Note: Unless you have verified the legitimacy of the file through some other means, do not install the certificates if a file signature cannot be verified.

For scripted imports, noconfirm on its own suppresses the very prompt that would have flagged a missing or invalid signature, so pair it with signature-required. When the bundle is fetched over a plain http:// URL, that signature is the only thing authenticating what was downloaded.

Examples
The following example shows the behavior of the crypto ca trustpool import command when suppressing interactive prompting and requiring signatures:

ciscoasa(config)# crypto ca trustpool import url ?
configure mode commands/options:
  disk0:   Import from disk0: file system
  disk1:   Import from disk1: file system
  flash:   Import from flash: file system
  ftp:     Import from ftp: file system
  http:    Import from http: file system
  https:   Import from https: file system
  smb:     Import from smb: file system
  system:  Import from system: file system
  tftp:    Import from tftp: file system
ciscoasa(config)# crypto ca trustpool import url http://mycompany.com ?
exec mode commands/options:
  noconfirm  Specify this keyword to suppress all interactive prompting.
ciscoasa(config)# crypto ca trustpool import url http://mycompany.com noconfirm ?
exec mode commands/options:
  signature-required  Indicate that only signed files will be accepted

Related Commands
crypto ca trustpool export: Exports the certificates that constitute the PKI trustpool.

crypto ca trustpool policy
To enter a submode that provides the commands that define the trustpool policy, use the crypto ca trustpool policy command in global configuration mode. To set up the automatic import of a trustpool certificate bundle, specify the URL from which the ASA downloads and imports the bundle.

crypto ca trustpool policy

Syntax Description
This command has no arguments or keywords. In the submode it enters:

auto-import [time H:M:S] [url url] — Configures automatic import of trustpool certificates. Set a custom time and custom URL for downloading certificates into the trustpool if you need to schedule the download during off-peak hours or at any other convenient time.
auto-import time — Specifies the download time in hours, minutes, and seconds. An attempt is made every 24 hours at this specified time. If not provided, the default time of 22:00 hours is used.
auto-import url — Specifies the URL for automatic import of trustpool certificates. If not provided, the default Cisco URL is used.

Defaults
The automatic import option is turned off by default.

Command Modes
Global configuration (crypto ca trustpool policy); auto-import is entered in CA trustpool configuration mode.

Command History
9.0(1): This command was added.
9.5(2): The auto-import command option was added.

Examples
ciscoasa(config)# crypto ca trustpool ?
configure mode commands/options:
  policy  Define trustpool policy

ciscoasa(config)# crypto ca trustpool policy ?
ciscoasa(config-ca-trustpool)#
CA Trustpool configuration commands:
  crl               CRL options
  exit              Exit from certificate authority trustpool entry mode
  match             Match a certificate map
  no                Negate a command or set its defaults
  revocation-check  Revocation checking options
  auto-import       Configure automatic import of trustpool certificates
ciscoasa(config-ca-trustpool)#
ciscoasa(config-ca-trustpool)# auto-import ?
crypto-ca-trustpool mode commands/options:
  time  Specify the auto import time in hours, minutes, and seconds. Default is 22:00:00. An attempt is made every 24 hours at the specified time.
  url   Specify the HTTP based URL address for automatic import of trustpool certificates
ciscoasa(config-ca-trustpool)#
ciscoasa(config-ca-trustpool)# auto-import url ?
crypto-ca-trustpool mode commands/options:
  LINE  URL for automatic import
ciscoasa(config-ca-trustpool)#
ciscoasa(config-ca-trustpool)# auto-import time ?
crypto-ca-trustpool mode commands/options:
  H:M:S  Specify the auto import time in hours, minutes & seconds. E.g. 18:00:00 (an import attempt is made every 24 hours at 6PM)
ciscoasa(config-ca-trustpool)#

Related Commands
show crypto ca trustpool policy: Displays the configured trustpool policy.

crypto ca trustpool remove
To remove a single specified certificate from the PKI trustpool, use the crypto ca trustpool remove command in privileged EXEC mode.

crypto ca trustpool remove cert-fingerprint [noconfirm]

Syntax Description
cert-fingerprint — The fingerprint of the certificate to remove, as hex data.
noconfirm — Specify this keyword to suppress all interactive prompting.

Defaults
No default behavior or values.

Command Modes
Privileged EXEC.

Command History
9.0(1): This command was added.

Usage Guidelines
Because this command commits a change to the trusted root certificate content, interactive users are prompted to confirm their action.

Examples
ciscoasa# crypto ca trustpool remove ?
  Hex-data  Certificate fingerprint
ciscoasa# crypto ca trustpool remove 497904b0eb8719ac47b0bc11519b74d0 ?
  noconfirm  Specify this keyword to suppress all interactive prompting.

Related Commands
clear crypto ca trustpool: Removes all certificates from the trustpool.
crypto ca trustpool export: Exports the certificates that constitute the PKI trustpool.
crypto ca trustpool import: Imports the certificates that constitute the PKI trustpool.
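The trustpool commands on this and the preceding pages form one lifecycle: import a signed bundle, schedule refreshes, export the live pool for audit, and prune a CA you do not want the ASA to trust. The following session is an added illustration and not an example from the reference; the bundle URL, the export file name and the certificate fingerprint are assumptions, and the show crypto ca trustpool output from which the fingerprint would be read is not reproduced.

```cisco
! Scripted import. noconfirm suppresses the signature prompt, so signature-required
! is added: an unsigned or tampered bundle then fails the import instead of being
! installed silently. clean drops whatever was downloaded before. (assumed URL)
ciscoasa(config)# crypto ca trustpool import clean url http://bundles.example.com/ios_core.p7b noconfirm signature-required

! Refresh daily at 02:30 from the same assumed URL instead of the default Cisco URL
! and the default 22:00:00 time.
ciscoasa(config)# crypto ca trustpool policy
ciscoasa(config-ca-trustpool)# auto-import time 02:30:00 url http://bundles.example.com/ios_core.p7b
ciscoasa(config-ca-trustpool)# exit
ciscoasa(config)# exit

! Audit: write the active trustpool as PEM so it can be reviewed off-box.
ciscoasa# crypto ca trustpool export disk0:/trustpool-audit.pem

! Prune one CA by the fingerprint shown for it by show crypto ca trustpool
! (value assumed). noconfirm is omitted on purpose so the ASA asks before committing.
ciscoasa# crypto ca trustpool remove 497904b0eb8719ac47b0bc11519b74d0
```

Exporting before and after a scheduled auto-import and diffing the two PEM files is a cheap way to notice a CA that was added to the bundle without anyone on your side deciding to trust it.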

crypto dynamic-map match address
To match the address of an access list for the dynamic crypto map entry, use the crypto dynamic-map match address command in global configuration mode. To disable the address match, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

Syntax Description
acl_name — Identifies the access list to be matched for the dynamic crypto map entry.
dynamic-map-name — Specifies the name of the dynamic crypto map set.
dynamic-seq-num — Specifies the sequence number that corresponds to the dynamic crypto map entry.

Defaults
No default behavior or values.

Command Modes
Global configuration.

Command History
7.0(1): This command was added.
9.0(1): Support for multiple context mode was added.

Usage Guidelines
See the crypto map match address command for additional information about this command.

Examples
The following example shows the use of the crypto dynamic-map command to match the addresses of an access list named aclist1:
ciscoasa(config)# crypto dynamic-map mymap 10 match address aclist1
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all the dynamic crypto maps.
show running-config crypto dynamic-map: Displays all configuration for all the dynamic crypto maps.

crypto dynamic-map set df-bit
To set the per-security-association (SA) do-not-fragment (DF) policy, use the crypto dynamic-map set df-bit command in global configuration mode. To disable the DF policy, use the no form of this command.

crypto dynamic-map name priority set df-bit [clear-df | set-df | copy-df]
no crypto dynamic-map name priority set df-bit [clear-df | set-df | copy-df]

Syntax Description
name — Specifies the name of the crypto dynamic map set.
priority — Specifies the priority that you assign to the crypto dynamic map entry.
clear-df — Clears the DF bit in the outer (encapsulating) IP header, so the ASA may fragment the packet to add the IPsec encapsulation.
set-df — Sets the DF bit in the outer IP header.
copy-df — Copies the DF bit setting of the original (inner) packet into the outer IP header.

Defaults
The default setting is off.

Command Modes
Global configuration.

Command History
9.0(1): This command was added.

Usage Guidelines
The original DF policy command (crypto ipsec df-bit) is retained and acts as a global policy setting on an interface, but for an SA it is superseded by the set df-bit setting of the crypto map or crypto dynamic-map entry that created the SA.

crypto dynamic-map set ikev1 transform-set
To specify the IKEv1 transform sets to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev1 transform-set command in global configuration mode.

crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [... transform-set-name11]

To remove the transform sets from the dynamic crypto map entry, specify the transform set names in the no form of this command:
no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [... transform-set-name11]

To remove the dynamic crypto map entry, use the no form of the command and specify all or none of the transform sets:
no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set

Syntax Description
dynamic-map-name — Specifies the name of the dynamic crypto map set.
dynamic-seq-num — Specifies the sequence number that corresponds to the dynamic crypto map entry.
transform-set-name1 [... transform-set-name11] — Specifies one or more names of transform sets. Any transform set named in this command must be defined with the crypto ipsec ikev1 transform-set command. Each crypto map entry supports up to 11 transform sets.

Defaults
No default behavior or values.

Command Modes
Global configuration.

Command History
7.0: This command was added.
7.2(1): Changed the maximum number of transform sets in a crypto map entry.
8.4(1): Added the ikev1 keyword.
9.0(1): Support for multiple context mode was added.

Usage Guidelines
A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically learned, as the result of an IPsec negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer negotiate a tunnel if its IP address is not already identified in a previous static or dynamic crypto map. This occurs with the following types of peers:
• Peers with dynamically assigned public IP addresses. Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA uses this address only to initiate the tunnel.
• Peers with dynamically assigned private IP addresses. Peers requesting remote access tunnels typically have private IP addresses assigned by the headend. Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to configure static maps and therefore used to establish IPsec SAs.

As an administrator configuring static crypto maps, you might not know the IP addresses that are dynamically assigned (via DHCP or some other method), and you might not know the private IP addresses of other clients, regardless of how they were assigned. VPN clients typically do not have static IP addresses; they require a dynamic crypto map to allow IPsec negotiation to occur. For example, the headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses to negotiate IPsec SAs.

Dynamic crypto maps can ease IPsec configuration, and we recommend them for use in networks where the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.

Tip: Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered by such a permit entry could include multicast or broadcast traffic, insert deny entries for the appropriate address range into the access list. Remember to insert deny entries for network and subnet broadcast traffic, and for any other traffic that IPsec should not protect.

Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The ASA cannot use dynamic crypto maps to initiate connections to a remote peer. With a dynamic crypto map configured, if outbound traffic matches a permit entry in an access list and the corresponding SA does not yet exist, the ASA drops the traffic.

A crypto map set may include a dynamic crypto map. Dynamic crypto map sets should be the lowest priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates the other crypto maps first. It examines the dynamic crypto map set only when the other (static) map entries do not match.

Similar to static crypto map sets, a dynamic crypto map set consists of all of the dynamic crypto maps with the same dynamic map name. The dynamic sequence number differentiates the dynamic crypto maps in a set. If you configure a dynamic crypto map, insert a permit ACL to identify the data flow of the IPsec peer for the crypto access list. Otherwise the ASA accepts any data flow identity the peer proposes, which lets a peer claim traffic selectors for networks it should not be able to reach through the tunnel.

Caution: Do not assign static (default) routes for traffic to be tunneled to an ASA interface configured with a dynamic crypto map set. To identify the traffic that should be tunneled, add the ACLs to the dynamic crypto map. Use care to identify the proper address pools when configuring the ACLs associated with remote access tunnels. Use Reverse Route Injection to install routes only after the tunnel is up.

You can combine static and dynamic map entries within a single crypto map set.

Examples
The following example creates a dynamic crypto map entry named "dynamic0" consisting of ten transform sets:
ciscoasa(config)# crypto dynamic-map dynamic0 1 set ikev1 transform-set 3des-md5 3des-sha 56des-md5 56des-sha 128aes-md5 128aes-sha 192aes-md5 192aes-sha 256aes-md5 256aes-sha
ciscoasa(config)#

The transform sets are offered in the order listed, so place the strongest sets first; the DES, 3DES and MD5 sets in this example are legacy algorithms and belong in the list only while a peer that cannot do better still depends on them.

Related Commands
crypto ipsec ikev1 transform-set: Configures an IKEv1 transform set.
crypto map set transform-set: Specifies the transform sets to use in a crypto map entry.
clear configure crypto dynamic-map: Clears all dynamic crypto maps from the configuration.
show running-config crypto dynamic-map: Displays the dynamic crypto map configuration.
show running-config crypto map: Displays the crypto map configuration.

crypto dynamic-map set ikev2 ipsec-proposal
To specify the IPsec proposals for IKEv2 to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev2 ipsec-proposal command in global configuration mode. To remove the names of the proposals from a dynamic crypto map entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev2 ipsec-proposal proposal-name1 [... proposal-name11]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev2 ipsec-proposal proposal-name1 [... proposal-name11]

Syntax Description
dynamic-map-name — Specifies the name of the dynamic crypto map set.
dynamic-seq-num — Specifies the sequence number that corresponds to the dynamic crypto map entry.
proposal-name1 [... proposal-name11] — Specifies one or more names of IKEv2 IPsec proposals. Any proposal named in this command must be defined with the crypto ipsec ikev2 ipsec-proposal command. Each crypto map entry supports up to 11 proposals.

Defaults
No default behavior or values.

Command Modes
Global configuration.

Command History
8.4(1): This command was added.
9.0(1): Support for multiple context mode was added.
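The usage guidelines for the transform-set command above describe how a dynamic crypto map is restricted by a permit ACL, placed last in a crypto map set and paired with Reverse Route Injection instead of static routes. The following configuration is an added illustration, not an example from the reference, that ties those points together with the IKEv1 transform-set and IKEv2 proposal commands and the per-entry set commands documented on the following pages (set pfs, set reverse-route, set security-association lifetime, set df-bit, set tfc-packets, set validate-icmp-errors). All names (outside_map, DYN, the ACLs, the transform set and proposal), all addresses and the pre-shared key are assumptions; the crypto map binding, interface, ikev1/ikev2 enable and tunnel-group commands are standard ASA commands from other pages of the reference.

```cisco
! --- Phase 2 policies (assumed names) ---
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto ACLs. The dynamic entry's ACL names only the address pool handed to remote
! peers, never "any", so a peer cannot propose a selector for networks it should not reach.
access-list L2L-ACL extended permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list DYN-ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0

! --- Dynamic crypto map set "DYN", one entry at sequence 10 ---
crypto dynamic-map DYN 10 match address DYN-ACL
crypto dynamic-map DYN 10 set ikev1 transform-set AES256-SHA
crypto dynamic-map DYN 10 set ikev2 ipsec-proposal AES256-SHA256
! Name the PFS group explicitly: a bare "set pfs" falls back to group2 (1024-bit).
crypto dynamic-map DYN 10 set pfs group14
crypto dynamic-map DYN 10 set security-association lifetime seconds 3600 kilobytes 4608000
! RRI installs the route to the peer's networks only while its tunnel is up,
! which is what the Caution above asks for instead of a static route.
crypto dynamic-map DYN 10 set reverse-route
crypto dynamic-map DYN 10 set df-bit copy-df
crypto dynamic-map DYN 10 set tfc-packets burst auto payload-size auto timeout auto
crypto dynamic-map DYN 10 set validate-icmp-errors

! --- Crypto map set bound to the outside interface ---
! The static peer comes first (lower sequence number). The dynamic set is referenced
! last, at the highest sequence number, so it is consulted only when no static entry
! matches; the ASA never initiates a tunnel from the dynamic entry.
crypto map outside_map 10 match address L2L-ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN
crypto map outside_map interface outside

crypto ikev1 enable outside
crypto ikev2 enable outside

! Dynamically addressed IKEv1 peers cannot be matched to a tunnel-group by address,
! so PSK peers authenticate against DefaultL2LGroup. The key is a placeholder.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key ChangeMe-NotARealKey
```

Because every dynamically addressed PSK peer shares the DefaultL2LGroup key, treat that key as a single credential for the whole population of roaming peers; certificate authentication through a trustpoint avoids that sharing.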

crypto dynamic-map set nat-t-disable
To disable NAT-T for connections based on this crypto map entry, use the crypto dynamic-map set nat-t-disable command in global configuration mode. To enable NAT-T for this crypto map entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable
no crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable

Syntax Description
dynamic-map-name — Specifies the name of the crypto dynamic map set.
dynamic-seq-num — Specifies the number that you assign to the crypto dynamic map entry.

Defaults
The default setting is off (NAT-T is not disabled for the entry).

Command Modes
Global configuration.

Command History
7.0(1): This command was added.
9.0(1): Support for multiple context mode was added.

Usage Guidelines
Use the crypto isakmp nat-traversal command to globally enable NAT-T. Then you can use the crypto dynamic-map set nat-t-disable command to disable NAT-T for specific crypto map entries. Dynamic crypto maps usually serve exactly the peers that sit behind NAT, so disable NAT-T on a dynamic entry only when you know none of its peers need UDP encapsulation.

Examples
The following command disables NAT-T for the crypto dynamic map named mymap:
ciscoasa(config)# crypto dynamic-map mymap 10 set nat-t-disable
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all the dynamic crypto maps.
show running-config crypto dynamic-map: Displays all configuration for all the dynamic crypto maps.

crypto dynamic-map set peer
See the crypto map set peer command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set peer {ip_address | hostname}
no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer {ip_address | hostname}

Syntax Description
dynamic-map-name — Specifies the name of the dynamic crypto map set.
dynamic-seq-num — Specifies the sequence number that corresponds to the dynamic crypto map entry.
hostname — Identifies the peer in the dynamic crypto map entry by hostname, as defined by the name command.
ip_address — Identifies the peer in the dynamic crypto map entry by IP address.

Defaults
No default behavior or values.

Command Modes
Global configuration.

Command History
7.0(1): This command was added.
9.0(1): Support for multiple context mode was added.

Examples
The following example sets the peer for the dynamic-map named mymap to the IP address 10.0.0.1:
ciscoasa(config)# crypto dynamic-map mymap 10 set peer 10.0.0.1
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all the dynamic crypto maps.
show running-config crypto dynamic-map: Displays all configuration for all the dynamic crypto maps.

crypto dynamic-map set pfs
To set IPsec to ask for PFS when requesting new security associations for this dynamic crypto map entry, or to require PFS when receiving requests for new security associations, use the crypto dynamic-map set pfs command in global configuration mode. To specify that IPsec should not request PFS, use the no form of this command.

crypto dynamic-map map-name map-index set pfs [group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24]
no crypto dynamic-map map-name map-index set pfs [group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24]

Syntax Description
group1 — Specifies that IPsec should use the 768-bit Diffie-Hellman prime modulus (MODP) group when performing the new Diffie-Hellman exchange.
group2 — Specifies the 1024-bit MODP group.
group5 — Specifies the 1536-bit MODP group.
group14 — Specifies the 2048-bit MODP group.
group19 — Specifies the 256-bit elliptic curve (ECP) group.
group20 — Specifies the 384-bit ECP group.
group21 — Specifies the 521-bit ECP group.
group24 — Specifies the 2048-bit MODP group with a 256-bit prime-order subgroup.
map-name — Specifies the name of the dynamic crypto map set.
map-index — Specifies the number you assign to the dynamic crypto map entry.

group1 and group2 (and, by current guidance, group5) are below the 2048-bit strength now expected of a new Diffie-Hellman exchange; prefer group14 or one of the ECP groups unless a peer cannot negotiate them.

Defaults
By default, PFS is not set.

Command Modes
Global configuration.

Command History
7.0(1): This command was modified to add Diffie-Hellman group 7.
8.0(4): The group 7 command option was deprecated. Attempts to configure group 7 generate an error message and use group 5 instead.
9.0(1): Support for multiple context mode was added.

Usage Guidelines
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised.

The crypto dynamic-map commands, such as match address, set peer, and set pfs, are described with the crypto map commands.

If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails. If the local configuration does not specify a group, the ASA assumes a default of group2, so state the group explicitly if group2 is not the strength you intend. If the local configuration does not specify PFS, the ASA accepts any offer of PFS from the peer.

When interacting with the Cisco VPN Client, the ASA does not use the PFS value, but instead uses the value negotiated during Phase 1.

Examples
The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto dynamic-map mymap 10. The group specified is group 2:
ciscoasa(config)# crypto dynamic-map mymap 10 set pfs group2
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all the dynamic crypto maps.
show running-config crypto dynamic-map: Displays all configuration for all the dynamic crypto maps.

crypto dynamic-map set reverse-route
See the crypto map set reverse-route command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse-route
no crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse-route

Syntax Description
dynamic-map-name — Specifies the name of the dynamic crypto map set.
dynamic-seq-num — Specifies the number you assign to the dynamic crypto map entry.

Defaults
The default value for this command is off.

Command Modes
Global configuration.

Command History
7.0(1): This command was added.
9.0(1): Support for multiple context mode was added.

Examples
The following command enables Reverse Route Injection for the crypto dynamic map named mymap:
ciscoasa(config)# crypto dynamic-map mymap 10 set reverse-route
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all the dynamic crypto maps.
show running-config crypto dynamic-map: Displays all configuration for all the dynamic crypto maps.

crypto dynamic-map set security-association lifetime
To override (for a particular dynamic crypto map entry) the global lifetime value, which is used when negotiating IPsec security associations, use the crypto dynamic-map set security-association lifetime command in global configuration mode. To reset a dynamic crypto map entry's lifetime value to the global value, use the no form of this command.

crypto dynamic-map map-name seq-num set security-association lifetime {seconds number | kilobytes {number | unlimited}}
no crypto dynamic-map map-name seq-num set security-association lifetime {seconds number | kilobytes {number | unlimited}}

Syntax Description
kilobytes {number | unlimited} — Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The range is 10 to 2147483647 kilobytes. The global default is 4,608,000 kilobytes. This setting does not apply to remote access VPN connections; it applies to site-to-site VPN only. With unlimited, only the timed lifetime bounds how much traffic a single key protects.
map-name — Specifies the name of the dynamic crypto map set.
seconds number — Specifies the number of seconds a security association will live before it expires. The range is 120 to 2147483647 seconds. The global default is 28,800 seconds (eight hours). This setting applies to both remote access and site-to-site VPN.
seq-num — Specifies the number that you assign to the dynamic crypto map entry.

Defaults
The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.

Command Modes
Global configuration.

Command History
7.0(1): This command was added.
9.0(1): Support for multiple context mode was added.
9.1(2): Added the unlimited argument.

Usage Guidelines
The dynamic crypto map's security associations are negotiated according to the global lifetimes unless this command overrides them for the entry.

IPsec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has lifetime values configured, when the ASA requests new security associations during security association negotiation, it specifies its crypto map lifetime values in the request to the peer; it uses these values as the lifetime of the new security associations. When the ASA receives a negotiation request from the peer, it uses the smaller of the lifetime values proposed by the peer and the locally configured lifetime values as the lifetime of the new security associations.

For site-to-site VPN connections, there are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached. For remote access VPN sessions, only the timed lifetime applies.

Note: The ASA lets you change crypto map, dynamic map, and IPsec settings on the fly. If you do so, the ASA brings down only the connections affected by the change. If you change an existing access list associated with a crypto map, specifically by deleting an entry within the access list, only the associated connection is brought down. Connections based on other entries in the access list are not affected.

To change the timed lifetime, use the crypto dynamic-map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.

Examples
The following command, entered in global configuration mode, specifies a security association lifetime in seconds and kilobytes for the crypto dynamic map mymap:
ciscoasa(config)# crypto dynamic-map mymap 10 set security-association lifetime seconds 1400 kilobytes 3000000
ciscoasa(config)#

Related Commands
clear configure crypto dynamic-map: Clears all configuration for all crypto dynamic maps.
show running-config crypto dynamic-map: Displays the crypto dynamic map configuration.

crypto dynamic-map set tfc-packets
To enable dummy Traffic Flow Confidentiality (TFC) packets on an IPsec SA, use the crypto dynamic-map set tfc-packets command in global configuration mode. To disable TFC packets on an IPsec SA, use the no form of this command.

crypto dynamic-map name priority set tfc-packets [burst length | auto] [payload-size bytes | auto] [timeout second | auto]
no crypto dynamic-map name priority set tfc-packets [burst length | auto] [payload-size bytes | auto] [timeout second | auto]

Syntax Description
name — Specifies the name of the crypto dynamic map set.
priority — Specifies the priority that you assign to the crypto dynamic map entry.
burst {length | auto} — Length of a burst of dummy packets; auto lets the ASA choose.
payload-size {bytes | auto} — Payload size of each dummy packet, in bytes; auto lets the ASA choose.
timeout {second | auto} — Timeout, in seconds, that governs when dummy packets are sent; auto lets the ASA choose.

Defaults
No default behaviors or values.

Command Modes
Global configuration.

Command History
9.0(1): This command was added.

Usage Guidelines
This command configures dummy TFC packets at the SA level for the dynamic crypto map entry. The dummy packets pad the tunnel with traffic so that an observer of the encrypted flow learns less about the volume and timing of the real traffic; they consume bandwidth on every SA the entry creates.

crypto dynamic-map set validate-icmp-errors
To specify whether to validate incoming ICMP error messages, received through an IPsec tunnel, that are destined for an interior host on the private network, use the crypto dynamic-map set validate-icmp-errors command in global configuration mode. To remove validation of incoming ICMP error messages from a crypto dynamic map entry, use the no form of this command.

crypto dynamic-map name priority set validate-icmp-errors
no crypto dynamic-map name priority set validate-icmp-errors

Syntax Description
name | Specifies the name of the crypto dynamic map set.
priority | Specifies the priority that you assign to the crypto dynamic map entry.

Defaults
No default behaviors or values.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | Yes | Yes | Yes | —

Command History
Release | Modification
9.0(1) | This command was added.

Usage Guidelines
This crypto map command is valid only for validating incoming ICMP error messages.

crypto engine accelerator-bias
To change the allocation of the cryptographic cores on Symmetric Multi-Processing (SMP) platforms, use the crypto engine accelerator-bias command in global configuration mode. To remove the command from the configuration, use the no form of this command.

crypto engine accelerator-bias [balanced | ipsec | ssl]
no crypto engine accelerator-bias [balanced | ipsec | ssl]

Syntax Description
balanced | Equally distributes cryptographic hardware resources (Admin/SSL and IPsec cores).
ipsec (shown as ipsec-client in CLI help) | Allocates cryptographic hardware resources to favor IPsec cores (includes SRTP encrypted voice traffic).
ssl (shown as ssl-client in CLI help) | Allocates cryptographic hardware resources to favor Admin/SSL cores.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | Yes | Yes | Yes | —

Command History
Release | Modification
9.0(1) | This command was added.

Usage Guidelines
Cryptographic core rebalancing is available on the following platforms: ASA 5585, 5580, 5545/5555, and ASASM.
This command causes traffic disruption to services that require crypto operations. You must apply it in a maintenance window and without IPsec failover being configured.

Examples
The following examples show the options available for configuring the crypto engine accelerator-bias command:

ciscoasa(config)# crypto engine ?
configure mode commands/options:
  accelerator-bias  Specify how to allocate crypto accelerator processors
ciscoasa(config)# crypto engine accelerator-bias ?
configure mode commands/options:
  balanced      - Equally distribute crypto hardware resources
  ipsec-client  - Allocate crypto hardware resources to favor IPsec/Encrypted Voice (SRTP)
  ssl-client    - Allocate crypto hardware resources to favor SSL
ciscoasa(config)# crypto engine accelerator-bias ssl

crypto engine large-mod-accel
To switch large modulus operations on an ASA 5510, 5520, 5540, or 5550 from software to hardware, use the crypto engine large-mod-accel command in global configuration mode. To remove the command from the configuration, use the no form of this command.

crypto engine large-mod-accel
no crypto engine large-mod-accel

Syntax Description
This command has no arguments or keywords.

Defaults
By default, the ASA performs large modulus operations in software.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | Yes | Yes | Yes | —

Command History
Release | Modification
8.3(2) | This command was added.
9.0(1) | Support for multiple context mode was added.

Usage Guidelines
This command is available only with the ASA models 5510, 5520, 5540, and 5550. It switches large modulus operations from software to hardware. The switch to hardware accelerates the following:
• 2048-bit RSA public key certificate processing.
• Diffie-Hellman Group 5 (DH5) key generation.
We recommend that you use this command when necessary to improve the connections per second. Depending on the load, it might have a limited performance impact on SSL throughput.
We also recommend that you use either form of this command during a low-use or maintenance period to minimize the temporary packet loss that can occur during the transition of processing from software to hardware or hardware to software.

Note: The ASA 5580/5500-X platforms already integrate this capability to switch large modulus operations; therefore, crypto engine commands are not applicable on these platforms.

Examples
The following example switches large modulus operations from software to hardware:

ciscoasa(config)# crypto engine large-mod-accel

The following example removes the previous command from the configuration and switches large modulus operations back to software:

ciscoasa(config)# no crypto engine large-mod-accel

Related Commands
Command | Description
show running-config crypto engine | Shows if large modulus operations are switched to hardware.
clear configure crypto engine | Returns large modulus operations to software. This command is equivalent to the no crypto engine large-mod-accel command.

crypto ikev1 enable
To enable ISAKMP IKEv1 negotiation on the interface on which the IPsec peer communicates with the ASA, use the crypto ikev1 enable command in global configuration mode. To disable ISAKMP IKEv1 on the interface, use the no form of this command.

crypto ikev1 enable interface-name
no crypto ikev1 enable interface-name

Syntax Description
interface-name | Specifies the name of the interface on which to enable or disable ISAKMP IKEv1 negotiation.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
7.0(1) | The isakmp enable command was added.
7.2(1) | The crypto isakmp enable command replaced the isakmp enable command.
8.4(1) | With the addition of IKEv2 capability, the crypto isakmp enable command was changed to the crypto ikev1 enable command.
9.0(1) | Support for multiple context mode was added.

Examples
The following example, entered in global configuration mode, shows how to disable ISAKMP IKEv1 on the inside interface:

ciscoasa(config)# no crypto ikev1 enable inside

Related Commands
Command | Description
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev1 ipsec-over-tcp
To enable IPsec over TCP, use the crypto ikev1 ipsec-over-tcp command in global configuration mode. To disable IPsec over TCP, use the no form of this command.

crypto ikev1 ipsec-over-tcp [port port1...port10]
no crypto ikev1 ipsec-over-tcp [port port1...port10]

Syntax Description
port port1...port10 | (Optional) Specifies the ports on which the device accepts IPsec over TCP connections. You can list up to 10 ports. Port numbers can be in the range of 1-65535. The default port number is 10000.

Defaults
The default value is disabled.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | — | —

Command History
Release | Modification
7.0(1) | The isakmp ipsec-over-tcp command was added.
7.2(1) | The crypto isakmp ipsec-over-tcp command replaced the isakmp ipsec-over-tcp command.
8.4(1) | The command name was changed from crypto isakmp ipsec-over-tcp to crypto ikev1 ipsec-over-tcp.

Examples
This example, entered in global configuration mode, enables IPsec over TCP on port 45:

ciscoasa(config)# crypto ikev1 ipsec-over-tcp port 45
ciscoasa(config)#

Related Commands
Command | Description
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev1 limit max-in-negotiation-sa
To limit the number of IKEv1 in-negotiation (open) SAs on the ASA, use the crypto ikev1 limit max-in-negotiation-sa command in global configuration mode. To disable limits on the number of open SAs, use the no form of this command:

crypto ikev1 limit max-in-negotiation-sa threshold percentage
no crypto ikev1 limit max-in-negotiation-sa threshold percentage

Syntax Description
threshold percentage | The percentage of the total allowed SAs for the ASA that are allowed to be in negotiation (open). After reaching the threshold, additional connections are denied. The range is 1 to 100%. The default is 20% for all ASA platforms except the ASA 5506/ASA 5508 (which is 100%).

Defaults
The default is 20%: the ASA limits the number of open SAs to 20% of the allowed SAs, except on the ASA 5506/ASA 5508.

Usage Guidelines
The crypto ikev1 limit max-in-negotiation-sa command limits the maximum number of SAs that can be in negotiation at any time. It stops further connections from negotiating, to protect current connections and prevent memory and/or CPU attacks that the cookie-challenge feature may be unable to thwart.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
9.1(2) | This command was added.

Examples
The following example limits the number of IKEv1 connections that are in negotiation to 70 percent of the maximum allowable IKEv1 connections:

ciscoasa(config)# crypto ikev1 limit max-in-negotiation-sa 70

Related Commands
Command | Description
crypto ikev1 limit max-sa | Limits the number of IKEv1 connections on the ASA.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev1 policy
To create an IKEv1 security association (SA) for IPsec connections, use the crypto ikev1 policy command in global configuration mode. To remove the policy, use the no form of this command:

crypto ikev1 policy priority
no crypto ikev1 policy priority

Syntax Description
priority | The policy suite priority. The range is 1-65535, with 1 being the highest and 65535 the lowest.

Defaults
There is no default behavior or values.

Usage Guidelines
The command enters IKEv1 policy configuration mode, in which you specify additional IKEv1 SA settings. An IKEv1 SA is a key used in phase 1 to enable IKEv1 peers to communicate securely in phase 2. After entering the crypto ikev1 policy command, you can use additional commands to set the SA encryption algorithm, DH group, integrity algorithm, lifetime, and hash algorithm.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added.

Examples
The following example creates the priority 1 IKEv1 SA and enters IKEv1 policy configuration mode:

ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)#

Related Commands
Command | Description
crypto ikev2 cookie-challenge | Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 cookie-challenge
To enable the ASA to send cookie challenges to peer devices in response to SA initiate packets, use the crypto ikev2 cookie-challenge command in global configuration mode. To disable cookie challenges, use the no form of this command:

crypto ikev2 cookie-challenge {threshold percentage | always | never}
no crypto ikev2 cookie-challenge {threshold percentage | always | never}

Syntax Description
threshold percentage | The percentage of the total allowed SAs for the ASA that are in negotiation, which triggers cookie challenges for any future SA negotiations. The range is zero to 99%. The default is 50%.
always | Always cookie-challenges incoming SAs.
never | Never cookie-challenges incoming SAs.

Defaults
The threshold percentage defaults to 50%.

Usage Guidelines
Cookie challenging a peer prevents possible denial-of-service (DoS) attacks. An attacker initiates a DoS attack when the peer device sends an SA initiate packet and the ASA sends its response, but the peer device does not respond further. If the peer device does this continually, all the allowed SA requests on the ASA can be used up until it stops responding.
Enabling a threshold percentage using the crypto ikev2 cookie-challenge command limits the number of open SA negotiations. For example, with the default setting of 50%, when 50% of the allowed SAs are in negotiation (open), the ASA cookie-challenges any additional SA initiate packets that arrive. For the Cisco ASA 5580 with 10000 allowed IKEv2 SAs, after 5000 SAs have become open, any more incoming SAs are cookie-challenged.
If used in conjunction with the crypto ikev2 limit max-in-negotiation-sa command, configure the cookie-challenge threshold lower than the maximum in-negotiation threshold for an effective cross-check.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added.

Examples
In the following example, the cookie-challenge threshold is set to 30%:

ciscoasa(config)# crypto ikev2 cookie-challenge threshold 30

Related Commands
Command | Description
crypto ikev2 limit max-sa | Limits the number of IKEv2 connections on the ASA.
crypto ikev2 limit max-in-negotiation-sa | Limits the number of IKEv2 in-negotiation (open) SAs on the ASA.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 enable
To enable ISAKMP IKEv2 negotiation on the interface on which the IPsec peer communicates with the ASA, use the crypto ikev2 enable command in global configuration mode. To disable ISAKMP IKEv2 on the interface, use the no form of this command.

crypto ikev2 enable interface-name [client-services [port port]]
no crypto ikev2 enable interface-name [client-services [port port]]

Syntax Description
interface-name | Specifies the name of the interface on which to enable or disable ISAKMP IKEv2 negotiation.
client-services | Enables client services for IKEv2 connections on the interface. Client Secure Mobility services include enhanced AnyConnect client features including software updates, client profiles, GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy. If you disable client services, the AnyConnect client still establishes basic IPsec connections with IKEv2.
port port | Specifies a port to enable client services for IKEv2 connections. The range is 1-65535. The default is port 443.

Defaults
No default behavior or values.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added.

Usage Guidelines
Using this command alone will not enable client services.

Examples
The following example, entered in global configuration mode, shows how to enable IKEv2 on the outside interface:

ciscoasa(config)# crypto ikev2 enable outside client-services port 443

Related Commands
Command | Description
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 fragmentation
To configure fragmentation settings for IKEv2, use the crypto ikev2 fragmentation command in global configuration mode.

[no] crypto ikev2 fragmentation [mtu mtu-size] | [preferred-method [ietf | cisco]]

Syntax Description
mtu mtu-size | The MTU size, 68-1500. The MTU value used should include the IPv4/IPv6 header + UDP header size. If you specify a value, the same value is used for both IPv4 and IPv6.
preferred-method | The preferred fragmentation method: the standard RFC 7383-based method (ietf) or the Cisco proprietary method (cisco).

Defaults
By default both IKEv2 fragmentation methods are enabled, the MTU is 576 for IPv4 or 1280 for IPv6, and the IETF method is preferred.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
9.6(1) | This command was added.

Usage Guidelines
Use this command to:
• Set the MTU used to determine whether the IKE packets need fragmentation; packets exceeding this value will be fragmented.
• Change the preferred fragmentation method.
• Disable IKE fragmentation altogether.
The IETF RFC 7383 standard-based IKEv2 fragmentation method will be used when both peers specify support and preference during negotiation. Using this method, encryption is done after fragmentation, providing individual protection for each IKEv2 Fragment message.
Cisco proprietary fragmentation will be used if it is the only method provided by a peer, such as the AnyConnect client, or if both peers specify support and preference during negotiation. Using this method, fragmentation is done after encryption. The receiving peer cannot decrypt or authenticate the message until all fragments are received.

Examples
The following examples, entered in global configuration mode, change the IKEv2 fragmentation settings.

Change the MTU value to 600:

ciscoasa(config)# crypto ikev2 fragmentation mtu 600

Change the preferred method of fragmentation to Cisco:

ciscoasa(config)# crypto ikev2 fragmentation preferred-method cisco

Related Commands
Command | Description
show crypto ikev2 sa detail | Shows the MTU.
show running-config all crypto ikev2 | Displays the configuration.
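The difference between the two fragmentation methods in the Usage Guidelines above is best seen by running both: with the IETF method each fragment is protected on its own, so a corrupt or forged fragment is rejected as soon as it arrives and the good fragments are kept; with the Cisco method the whole message is protected first, so nothing can be checked until every fragment is in, and a single bad fragment discards the lot without saying which one. The following model is an added example, not ASA or AnyConnect code. Its stream cipher and 16-byte HMAC tag stand in for the real IKEv2 encrypted-payload protection, and its per-packet header sizes are assumptions used only for the MTU arithmetic; the message and the corruption are constructed.

```python
"""Model of the RFC 7383 (ietf) and Cisco IKEv2 fragmentation methods.

Added example, not ASA or AnyConnect code. Shows the property stated in the
Usage Guidelines: fragment-then-protect lets the receiver verify each
fragment by itself; protect-then-fragment defers every check until all
fragments are present. The cipher/MAC and the header sizes are stand-ins
and assumptions, not ASA values.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

IP_UDP_HEADERS = 28      # IPv4 + UDP, included in the configured mtu (assumption)
IKE_HEADER = 28          # fixed IKEv2 header
FRAG_HEADER = 8          # encrypted-fragment payload header (assumption)
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC one unit; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def needs_fragmentation(message_len: int, mtu: int) -> bool:
    """The configured mtu covers IP + UDP headers, so compare the whole datagram."""
    return IP_UDP_HEADERS + IKE_HEADER + message_len > mtu


def _chunks(data: bytes, size: int) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def ietf_fragment(key: bytes, message: bytes, mtu: int) -> List[bytes]:
    """RFC 7383: split the plaintext, then protect each fragment separately."""
    room = mtu - IP_UDP_HEADERS - IKE_HEADER - FRAG_HEADER - NONCE_LEN - TAG_LEN
    return [protect(key, piece) for piece in _chunks(message, room)]


def ietf_reassemble(key: bytes, fragments: List[bytes]) -> Tuple[Optional[bytes], List[int]]:
    """Returns (message or None, indexes of fragments that failed verification).
    Every fragment is checked on arrival; only the bad ones need retransmission."""
    bad, pieces = [], []
    for i, frag in enumerate(fragments):
        pt = unprotect(key, frag)
        if pt is None:
            bad.append(i)
        else:
            pieces.append(pt)
    return (b"".join(pieces) if not bad else None), bad


def cisco_fragment(key: bytes, message: bytes, mtu: int) -> List[bytes]:
    """Cisco method: protect the whole message, then split the ciphertext."""
    room = mtu - IP_UDP_HEADERS - IKE_HEADER - FRAG_HEADER
    return _chunks(protect(key, message), room)


def cisco_reassemble(key: bytes, fragments: List[bytes]) -> Tuple[Optional[bytes], Optional[str]]:
    """Nothing can be checked until every fragment is present, and on failure
    the receiver cannot tell which fragment was bad."""
    pt = unprotect(key, b"".join(fragments))
    return pt, (None if pt is not None else "unknown")


def tamper(fragments: List[bytes], index: int) -> List[bytes]:
    """Flip one byte in the middle of fragment `index` (constructed corruption)."""
    out = list(fragments)
    f = bytearray(out[index])
    f[len(f) // 2] ^= 0x01
    out[index] = bytes(f)
    return out


if __name__ == "__main__":
    key = os.urandom(32)
    msg = bytes(range(256)) * 12                 # constructed 3072-byte IKE_AUTH-sized message
    frags = ietf_fragment(key, msg, 576)         # 576 is the IPv4 default MTU on this page
    print("ietf: %d fragments, tampered #2 ->" % len(frags), ietf_reassemble(key, tamper(frags, 2))[1])
    cfrags = cisco_fragment(key, msg, 576)
    print("cisco: %d fragments, tampered #2 ->" % len(cfrags), cisco_reassemble(key, tamper(cfrags, 2))[1])
```

With the default 576-byte MTU a 3072-byte message needs seven fragments under either method; the practical difference is the retransmission and DoS exposure, since under the Cisco method an attacker who injects one fragment into a reassembly forces the whole exchange to be repeated.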

crypto ikev2 limit max-in-negotiation-sa
To limit the number of IKEv2 in-negotiation (open) SAs on the ASA, use the crypto ikev2 limit max-in-negotiation-sa command in global configuration mode. To disable limits on the number of open SAs, use the no form of this command:

crypto ikev2 limit max-in-negotiation-sa threshold percentage
no crypto ikev2 limit max-in-negotiation-sa threshold percentage

Syntax Description
threshold percentage | The percentage of the total allowed SAs for the ASA that are allowed to be in negotiation (open). After reaching the threshold, additional connections are denied. The range is 1 to 100%. The default is 100%.

Defaults
The default is 100%, which is equivalent to disabled: the ASA does not limit the number of open SAs.

Usage Guidelines
The crypto ikev2 limit max-in-negotiation-sa command limits the maximum number of SAs that can be in negotiation at any time. If used in conjunction with the crypto ikev2 cookie-challenge command, configure the cookie-challenge threshold lower than this limit for an effective cross-check.
Unlike the crypto ikev2 cookie-challenge command, which challenges incoming connections with a cookie, the crypto ikev2 limit max-in-negotiation-sa command stops further connections from negotiating, to protect current connections and prevent memory and/or CPU attacks that the cookie-challenge feature may be unable to thwart.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added.

Examples
The following example limits the number of IKEv2 connections that are in negotiation to 70 percent of the maximum allowable IKEv2 connections:

ciscoasa(config)# crypto ikev2 limit max-in-negotiation-sa 70

Related Commands
Command | Description
crypto ikev2 limit max-sa | Limits the number of IKEv2 connections on the ASA.
crypto ikev2 cookie-challenge | Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 limit max-sa
To limit the number of IKEv2 connections on the ASA, use the crypto ikev2 limit max-sa command in global configuration mode. To disable the limit on the number of connections, use the no form of this command:

crypto ikev2 limit max-sa number
no crypto ikev2 limit max-sa number

Syntax Description
number | The number of IKEv2 connections allowed on the ASA. After reaching the limit, additional connections are denied. The range is 1 to 10000.

Defaults
The default is disabled. The ASA does not limit the number of IKEv2 connections. The maximum number of allowed IKEv2 connections equals the maximum number of connections specified by the license.

Usage Guidelines
The crypto ikev2 limit max-sa command limits the maximum number of SAs on the ASA. If used in conjunction with the crypto ikev2 cookie-challenge command, configure the cookie-challenge threshold lower than this limit for an effective cross-check.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added.

Examples
The following example limits the number of IKEv2 connections to 5000:

ciscoasa(config)# crypto ikev2 limit max-sa 5000

Related Commands
Command | Description
crypto ikev2 cookie-challenge | Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.
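The three admission controls documented in the crypto ikev2 cookie-challenge, crypto ikev2 limit max-in-negotiation-sa, and crypto ikev2 limit max-sa entries above interact, and the "configure the cookie-challenge threshold lower than this limit" advice is easiest to understand by simulating an IKE_SA_INIT flood from spoofed addresses against both orderings. The model below is an added example, not ASA code: it applies the checks in the order the descriptions give (hard SA cap, then in-negotiation limit, then cookie challenge), and its cookie construction (an HMAC over the peer address and initiator SPI under a responder secret) is an assumption, as are the limits and addresses used in the simulation.

```python
"""Model of the IKEv2 half-open SA protections described on this page.

Added example, not ASA code. Implements, in order, the behaviour the command
descriptions give: `crypto ikev2 limit max-sa` caps all SAs;
`crypto ikev2 limit max-in-negotiation-sa` denies new negotiations once the
half-open share reaches its threshold; `crypto ikev2 cookie-challenge`
answers IKE_SA_INIT with a stateless cookie once the half-open share reaches
its (lower) threshold. The cookie construction is an assumption of the model.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Ikev2Responder:
    max_sa: int                    # crypto ikev2 limit max-sa <number>
    cookie_threshold_pct: int      # crypto ikev2 cookie-challenge threshold <pct>
    in_negotiation_limit_pct: int  # crypto ikev2 limit max-in-negotiation-sa <pct>
    established: int = 0
    half_open: Dict[int, str] = field(default_factory=dict)   # initiator SPI -> peer
    secret: bytes = field(default_factory=lambda: os.urandom(32))

    def cookie_for(self, peer: str, spi: int) -> bytes:
        # Stateless: an echoed cookie can be verified without having kept
        # any state for the first IKE_SA_INIT (assumed construction).
        msg = f"{peer}|{spi}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, peer: str, spi: int, cookie: Optional[bytes] = None) -> str:
        """Return the responder's decision for one IKE_SA_INIT."""
        if self.established + len(self.half_open) >= self.max_sa:
            return "deny-max-sa"
        half_open_pct = 100 * len(self.half_open) / self.max_sa
        if half_open_pct >= self.in_negotiation_limit_pct:
            return "deny-in-negotiation-limit"
        if half_open_pct >= self.cookie_threshold_pct:
            # Above the cookie threshold no state is created until the
            # initiator proves it can receive traffic at its claimed address.
            if cookie is None or not hmac.compare_digest(cookie, self.cookie_for(peer, spi)):
                return "cookie-challenge"
        self.half_open[spi] = peer
        return "in-negotiation"


def spoofed_flood(responder: Ikev2Responder, count: int) -> Counter:
    """Attacker sends IKE_SA_INIT from `count` forged addresses (constructed,
    TEST-NET-2) and never answers, so cookie challenges are never echoed."""
    outcomes: Counter = Counter()
    for i in range(count):
        peer = f"198.51.100.{i % 254 + 1}"
        outcomes[responder.handle_sa_init(peer, spi=1_000_000 + i)] += 1
    return outcomes


def legitimate_peer(responder: Ikev2Responder, peer: str = "203.0.113.10", spi: int = 42) -> str:
    """A real peer retries with the cookie it was given, as IKEv2 requires."""
    first = responder.handle_sa_init(peer, spi)
    if first != "cookie-challenge":
        return first
    return responder.handle_sa_init(peer, spi, cookie=responder.cookie_for(peer, spi))


if __name__ == "__main__":
    # Recommended ordering: cookie threshold below the in-negotiation limit.
    good = Ikev2Responder(max_sa=100, cookie_threshold_pct=30, in_negotiation_limit_pct=50)
    print("good:", dict(spoofed_flood(good, 100)), "legit ->", legitimate_peer(good))
    # Inverted ordering: the hard limit is hit before any cookie is ever sent.
    bad = Ikev2Responder(max_sa=100, cookie_threshold_pct=60, in_negotiation_limit_pct=50)
    print("bad: ", dict(spoofed_flood(bad, 100)), "legit ->", legitimate_peer(bad))
```

With the recommended ordering the flood stops consuming half-open slots at the cookie threshold and a genuine peer that echoes its cookie still gets in; with the thresholds inverted the in-negotiation limit is reached first, cookies are never sent, and the genuine peer is denied along with the attacker. The in-negotiation limit still matters in the recommended ordering: it is the backstop for an attacker who can actually receive the cookie (a non-spoofing flood), which the cookie alone does not stop.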

crypto ikev2 notify
To enable sending an IKE notification to the peer when an inbound packet is received on an SA that does not match the traffic selectors for that SA, use the crypto ikev2 notify command. To disable sending this notification, use the no form of the command:

[no] crypto ikev2 notify invalid-selectors

Syntax Description
notify | Enables or disables an IKEv2 notification to be sent to the peer.
invalid-selectors | Notify the peer if a packet is received on an SA but does not match the traffic selectors.

Defaults
Sending the notification is disabled by default.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | Yes | Yes | Yes | —

Command History
Release | Modification
9.4(1) | This command was added.

Examples
100/act(config)# crypto ikev2 ?
configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access
  notify            Enable/Disable IKEv2 notifications to be sent to the peer
100/act(config)# crypto ikev2 notify ?
configure mode commands/options:
  invalid-selectors  Notify the peer if a packet is received on an SA but does not match the traffic selectors

crypto ikev2 policy
To create an IKEv2 security association (SA) for AnyConnect IPsec connections, use the crypto ikev2 policy command in global configuration mode. To remove the policy, use the no form of this command:

crypto ikev2 policy priority policy_index
no crypto ikev2 policy priority policy_index

Syntax Description
policy_index | Accesses the IKEv2 policy configuration mode.
priority | The policy suite priority. The range is 1-65535, with 1 being the highest and 65535 the lowest.

Note: Group [1] [2] [5] becomes group [1] [2] [5] [14] [24] to support Diffie-Hellman groups 14 and 24 as part of IKEv2 key derivation.

Defaults
No default behavior or values.

Usage Guidelines
An IKEv2 SA is a key used in phase 1 to enable IKEv2 peers to communicate securely in phase 2. After entering the crypto ikev2 policy command, you enter IKEv2 policy configuration mode, in which you specify additional IKEv2 SA settings. You can use additional commands to set the SA encryption algorithm, DH group, integrity algorithm, lifetime, and hash algorithm.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | Yes | —

Command History
Release | Modification
8.4(1) | This command was added.
9.0(1) | Support for multiple context mode was added. The policy index option was added.

Examples
The following example creates the priority 1 IKEv2 SA and enters IKEv2 policy configuration mode:

ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)#

Related Commands
Command | Description
crypto ikev2 cookie-challenge | Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 redirect
To specify the IKEv2 phase at which load-balancing redirection from master to cluster member occurs, use the crypto ikev2 redirect command in global configuration mode. To remove the command, use the no form of this command:

crypto ikev2 redirect {during-init | during-auth}
no crypto ikev2 redirect {during-init | during-auth}

Syntax Description
during-auth | Enables load-balancing redirection to a cluster member during the IKEv2 authentication exchange.
during-init | Enables load-balancing redirection to a cluster member during the IKEv2 SA initiate exchange.

Defaults
The default is load-balancing redirection to a cluster member during the IKEv2 authentication exchange.

Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Routed | Transparent | Single | Multiple Context | Multiple System
Global configuration | Yes | — | Yes | — | —

Command History
Release | Modification
8.4(1) | This command was added.

Examples
The following example sets the load-balancing redirection to a cluster member to occur during the IKEv2 SA initiate exchange:

ciscoasa(config)# crypto ikev2 redirect during-init

Related Commands
Command | Description
crypto ikev2 cookie-challenge | Enables the ASA to send cookie challenges to peer devices in response to SA initiate packets.
clear configure crypto isakmp | Clears all the ISAKMP configuration.
clear configure crypto isakmp policy | Clears all ISAKMP policy configuration.
clear crypto isakmp sa | Clears the IKE runtime SA database.
show running-config crypto isakmp | Displays all the active configuration.

crypto ikev2 remote-access trust-point

To specify a global trustpoint to be referenced and used as the identity certificate trustpoint of the ASA for AnyConnect IKEv2 connections, use the crypto ikev2 remote-access trust-point command in tunnel group configuration mode. To remove the command from the configuration, use the no form of the command:

  crypto ikev2 remote-access trust-point name [line number]
  no crypto ikev2 remote-access trust-point name [line number]

Syntax Description

  name           The name of the trustpoint, up to 65 characters.
  line number    Specifies the line number at which you want the trustpoint inserted in the list. Typically, this option is used to insert a trustpoint at the top without removing and re-adding the other line. If a line is not specified, the ASA adds the trustpoint at the end of the list.

Defaults

No default behavior or values.

Usage Guidelines

Use the crypto ikev2 remote-access trust-point command to configure a trustpoint for the ASA to authenticate itself to the AnyConnect client for all IKEv2 connections. Using this command allows the AnyConnect client to support group selection for the user.

You can configure two trustpoints at the same time: two RSA, two ECDSA, or one of each. The ASA scans the configured trustpoint list and chooses the first one that the client supports. If ECDSA is preferred, you should configure that trustpoint before the RSA trustpoint.

If you try to add a trustpoint that already exists, you receive an error.

If you use the no crypto ikev2 remote-access trust-point command without specifying which trustpoint name to remove, all trustpoint configuration is removed.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode                 Firewall Mode          Security Context
                               Routed   Transparent   Single   Multiple Context   Multiple System
  Tunnel-group configuration   Yes      —             Yes      Yes                —

Command History

  Release   Modification
  8.4(1)    This command was added.
  9.0(1)    Support for multiple context mode and the configuration of two trustpoints were added.

Examples

The following example specifies the trustpoint cisco_asa_trustpoint:

  ciscoasa(config)# crypto ikev2 remote-access trust-point cisco_asa_trustpoint

crypto ipsec df-bit

To configure the DF-bit policy for IPsec packets, use the crypto ipsec df-bit command in global configuration mode.

  crypto ipsec df-bit [clear-df | copy-df | set-df] interface

Syntax Description

  clear-df     (Optional) Specifies that the outer IP header will have the DF bit cleared and that the ASA may fragment the packet to add the IPsec encapsulation.
  copy-df      (Optional) Specifies that the ASA will look in the original packet for the outer DF bit setting.
  set-df       (Optional) Specifies that the outer IP header will have the DF bit set; however, the ASA may fragment the packet if the original packet had the DF bit cleared.
  interface    Specifies an interface name.

Defaults

This command is disabled by default. If this command is enabled without a specified setting, the ASA uses the copy-df setting as the default.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  7.0(1)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines

The DF bit with IPsec tunnels feature lets you specify whether the ASA can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether or not a device is allowed to fragment a packet.

Use the crypto ipsec df-bit command in global configuration mode to configure the ASA to specify the DF bit in an encapsulated header. This command takes the DF-bit setting of the clear-text packet and either clears, sets, or copies it to the outer IPsec header when encryption is applied.

When encapsulating tunnel mode IPsec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also, this setting is appropriate if you do not know the available MTU size.

Caution: Packets will get dropped if you set the following conflicting configuration:

  crypto ipsec fragmentation after-encryption   (fragment packets)
  crypto ipsec df-bit set-df outside            (set the DF bit)

Examples

The following example, entered in global configuration mode, sets the IPsec DF policy to clear-df:

  ciscoasa(config)# crypto ipsec df-bit clear-df outside
  ciscoasa(config)#

Related Commands

  crypto ipsec fragmentation        Configures the fragmentation policy for IPsec packets.
  show crypto ipsec df-bit          Displays the DF-bit policy for a specified interface.
  show crypto ipsec fragmentation   Displays the fragmentation policy for a specified interface.

crypto ipsec fragmentation

To configure the fragmentation policy for IPsec packets, use the crypto ipsec fragmentation command in global configuration mode.

  crypto ipsec fragmentation {after-encryption | before-encryption} interface

Syntax Description

  after-encryption    Specifies that the ASA fragments IPsec packets that are close to the maximum MTU size after encryption (disables prefragmentation).
  before-encryption   Specifies that the ASA fragments IPsec packets that are close to the maximum MTU size before encryption (enables prefragmentation).
  interface           Specifies an interface name.

Defaults

Before-encryption is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  7.0(1)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines

When a packet is near the size of the MTU of the outbound link of the encrypting ASA, and it is encapsulated with IPsec headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption, which makes the decrypting device reassemble in the process path. Prefragmentation for IPsec VPNs increases the performance of the device when decrypting by letting it operate in the high performance CEF path instead of the process path.

Prefragmentation for IPsec VPNs lets an encrypting device predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPsec SA. If the device predetermines that the packet will exceed the MTU of the output interface, the device fragments the packet before encrypting it. This avoids process level reassembly before decryption and helps improve decryption performance and overall IPsec traffic throughput.

The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface MTU below 1380 bytes may result in dropped packets.

Caution: Packets will get dropped if you set the following conflicting configuration:

  crypto ipsec fragmentation after-encryption   (fragment packets)
  crypto ipsec df-bit set-df outside            (set the DF bit)

Examples

The following example, entered in global configuration mode, enables prefragmentation for IPsec packets on the inside interface only:

  ciscoasa(config)# crypto ipsec fragmentation before-encryption inside
  ciscoasa(config)#

The following example, entered in global configuration mode, disables prefragmentation for IPsec packets on the interface:

  ciscoasa(config)# crypto ipsec fragmentation after-encryption inside
  ciscoasa(config)#

Related Commands

  crypto ipsec df-bit               Configures the DF-bit policy for IPsec packets.
  show crypto ipsec fragmentation   Displays the fragmentation policy for IPsec packets.
  show crypto ipsec df-bit          Displays the DF-bit policy for a specified interface.
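A configuration check for the conflicting pair called out in the Caution above, as an added example that is not part of the Cisco reference: it parses crypto ipsec df-bit and crypto ipsec fragmentation lines from a running-config excerpt (constructed here) and reports every interface that combines fragmentation after-encryption with df-bit set-df.

```python
"""Lint an ASA running-config excerpt for the df-bit / fragmentation conflict.

Added example, not Cisco code. The defaults applied here are the ones the
reference states: a df-bit line with no keyword means copy-df, and an
interface with no fragmentation line uses before-encryption.
"""
import re
from typing import Dict, List

# crypto ipsec df-bit [clear-df | copy-df | set-df] interface
DF_BIT_RE = re.compile(
    r"^\s*crypto ipsec df-bit(?:\s+(clear-df|copy-df|set-df))?\s+(\S+)\s*$")
# crypto ipsec fragmentation {after-encryption | before-encryption} interface
FRAGMENTATION_RE = re.compile(
    r"^\s*crypto ipsec fragmentation\s+(after-encryption|before-encryption)\s+(\S+)\s*$")

DF_KEYWORDS = ("clear-df", "copy-df", "set-df")
DEFAULT_DF_BIT_WHEN_ENABLED = "copy-df"
DEFAULT_FRAGMENTATION = "before-encryption"


def parse_ipsec_policy(config: str) -> Dict[str, Dict[str, str]]:
    """Map each interface named in the config to its df-bit and fragmentation settings.

    An interface with no `crypto ipsec df-bit` line gets no df_bit key at all,
    since the reference says the command is disabled by default.
    """
    policy: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = DF_BIT_RE.match(line)
        if m:
            setting, iface = m.group(1) or DEFAULT_DF_BIT_WHEN_ENABLED, m.group(2)
            if iface in DF_KEYWORDS:      # keyword given but interface missing: skip
                continue
            policy.setdefault(iface, {})["df_bit"] = setting
            continue
        m = FRAGMENTATION_RE.match(line)
        if m:
            policy.setdefault(m.group(2), {})["fragmentation"] = m.group(1)
    return policy


def find_df_fragmentation_conflicts(config: str) -> List[str]:
    """Interfaces where the outer DF bit is forced on (set-df) while the ASA is told
    to fragment only after encryption: an oversized encrypted packet then cannot
    be fragmented, which is the packet-drop case the Caution describes."""
    conflicts = []
    for iface, settings in parse_ipsec_policy(config).items():
        frag = settings.get("fragmentation", DEFAULT_FRAGMENTATION)
        if settings.get("df_bit") == "set-df" and frag == "after-encryption":
            conflicts.append(iface)
    return sorted(conflicts)


# Constructed running-config excerpt: "outside" carries the conflicting pair,
# "inside" keeps the prefragmentation default, "dmz" clears DF so fragmenting
# after encryption is still possible, "mgmt" enables df-bit with no keyword.
SAMPLE_CONFIG = """\
crypto ipsec fragmentation after-encryption outside
crypto ipsec df-bit set-df outside
crypto ipsec df-bit set-df inside
crypto ipsec fragmentation after-encryption dmz
crypto ipsec df-bit clear-df dmz
crypto ipsec df-bit mgmt
"""

if __name__ == "__main__":
    for iface in find_df_fragmentation_conflicts(SAMPLE_CONFIG):
        print(f"{iface}: set-df combined with after-encryption fragmentation, packets may be dropped")
```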

crypto ipsec ikev1 transform-set

To create or remove an IKEv1 transform set, use the crypto ipsec ikev1 transform-set command in global configuration mode. To remove a transform set, use the no form of this command.

  crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]
  no crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]

Syntax Description

  authentication       (Optional) Specify one of the following authentication methods to ensure the integrity of IPsec data flows:
                         esp-md5-hmac to use MD5/HMAC-128 as the hash algorithm.
                         esp-sha-hmac to use SHA/HMAC-160 as the hash algorithm.
                         esp-none to not use HMAC authentication.
  encryption           Specify one of the following encryption methods to protect IPsec data flows:
                         esp-aes to use AES with a 128-bit key.
                         esp-aes-192 to use AES with a 192-bit key.
                         esp-aes-256 to use AES with a 256-bit key.
                         esp-des to use 56-bit DES-CBC.
                         esp-3des to use the triple DES algorithm.
                         esp-null to not use encryption.
  transform-set-name   Name of the transform set being created or modified. To view the transform sets already present in the configuration, enter the show running-config ipsec command.

Defaults

The default authentication setting is esp-none (no authentication).

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  7.0       This command was added.
  7.2(1)    This section was rewritten.
  8.4(1)    The ikev1 keyword was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines

This command identifies the IPsec encryption and hash algorithms to be used by the transform set. Following the configuration of a transform set, you assign it to a crypto map. You can assign up to six transform sets to a crypto map.

When the peer attempts to establish an IPsec session, the ASA evaluates the peer using the access list of each crypto map until it finds a match. The ASA then evaluates all of the protocols, algorithms, and other settings negotiated by the peer using those in the transform sets assigned to the crypto map until it finds a match. If the ASA matches the peer's IPsec negotiations to the settings in a transform set, it applies them to the protected traffic as part of its IPsec security association. The ASA terminates the IPsec session if it fails to match the peer to an access list and find an exact match of the security settings of the peer to those in a transform set assigned to the crypto map.

You can specify either the encryption or the authentication first. You can specify the encryption without specifying the authentication. If you specify the authentication in a transform set that you are creating, you must specify the encryption with it. If you specify only the authentication in a transform set that you are modifying, the transform set retains its current encryption setting.

If you are using AES encryption, we recommend that you use the isakmp policy priority group 5 command, also in global configuration mode, to assign Diffie-Hellman group 5 to accommodate the large key sizes provided by AES.

Tip: When you apply transform sets to a crypto map or a dynamic crypto map and view the transform sets assigned to it, you will find it helpful if the names of the transform sets reflect their configuration. For example, the name "3des-md5" in the first example below shows the encryption and authentication used in the transform set. The values that follow the name are the actual encryption and authentication settings assigned to the transform set.

Examples

The following commands show all possible encryption and authentication options, excluding those that specify no encryption and no authentication:

  ciscoasa(config)# crypto ipsec ikev1 transform-set 3des-md5 esp-3des esp-md5-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 3des-sha esp-3des esp-sha-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 56des-md5 esp-des esp-md5-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 56des-sha esp-des esp-sha-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 128aes-md5 esp-aes esp-md5-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 128aes-sha esp-aes esp-sha-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 192aes-md5 esp-aes-192 esp-md5-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 192aes-sha esp-aes-192 esp-sha-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 256aes-md5 esp-aes-256 esp-md5-hmac
  ciscoasa(config)# crypto ipsec ikev1 transform-set 256aes-sha esp-aes-256 esp-sha-hmac
  ciscoasa(config)#

Related Commands

  show running-config ipsec                 Displays the configuration of all transform sets.
  crypto map set transform-set              Specifies the transform sets to use in a crypto map entry.
  crypto dynamic-map set transform-set      Specifies the transform sets to use in a dynamic crypto map entry.
  show running-config crypto map            Displays the crypto map configuration.
  show running-config crypto dynamic-map    Displays the dynamic crypto map configuration.

crypto ipsec ikev1 transform-set mode transport

To specify the transport mode for IPsec IKEv1 connections, use the crypto ipsec ikev1 transform-set mode transport command in global configuration mode. To remove the command, use the no form of this command:

  crypto ipsec ikev1 transform-set transform-set-name mode {transport}
  no crypto ipsec ikev1 transform-set transform-set-name mode {transport}

Syntax Description

  transform-set-name   Name of the transform set being modified. To view the transform sets already present in the configuration, enter the show running-config ipsec command.

Defaults

The default setting for the transport mode is disabled. IPsec uses the networked tunnel mode.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  7.0(1)    This command was added.
  7.2(1)    This command was rewritten.
  8.4(1)    The ikev1 keyword was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines

Use the crypto ipsec ikev1 transform-set mode transport command to specify the host-to-host transport mode for IPsec, instead of the default networked tunnel mode.

Examples

The following commands show all possible encryption and authentication options, excluding those that specify no encryption and no authentication:

  ciscoasa(config)# crypto ipsec ikev1 transform-set
  ciscoasa(config)#

Related Commands

  show running-config ipsec      Displays the configuration of all transform sets.
  crypto map set transform-set   Specifies the transform sets to use in a crypto map entry.

Related Commands (continued)

  crypto dynamic-map set transform-set      Specifies the transform sets to use in a dynamic crypto map entry.
  show running-config crypto map            Displays the crypto map configuration.
  show running-config crypto dynamic-map    Displays the dynamic crypto map configuration.

crypto ipsec ikev2 ipsec-proposal

To create an IKEv2 proposal, use the crypto ipsec ikev2 ipsec-proposal command in global configuration mode. To remove the proposal, use the no form of this command.

  crypto ipsec ikev2 ipsec-proposal proposal_tag
  no crypto ipsec ikev2 ipsec-proposal proposal_tag

Syntax Description

  ipsec-proposal   Accesses the IPsec ESP proposal sub-mode.
  proposal_tag     The name of the IKEv2 IPsec proposal, a string from 1 to 64 characters.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  8.4(1)    This command was added.
  9.0(1)    Support for multiple context mode was added.

Usage Guidelines

This command creates a proposal and enters ipsec proposal configuration mode, in which you can specify multiple encryption and integrity types for the proposal.

Examples

The following example creates the IPsec proposal named secure, and enters IPsec proposal configuration mode:

  ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal secure
  ciscoasa(config-ipsec-proposal)#

Related Commands

  show running-config ipsec                 Displays the configuration of all transform sets.
  crypto map set transform-set              Specifies the transform sets to use in a crypto map entry.
  crypto dynamic-map set transform-set      Specifies the transform sets to use in a dynamic crypto map entry.

Related Commands (continued)

  show running-config crypto map            Displays the crypto map configuration.
  show running-config crypto dynamic-map    Displays the dynamic crypto map configuration.

crypto ipsec ikev2 sa-strength-enforcement

Ensures that the strength of the IKEv2 encryption cipher is higher than the strength of its child IPsec SA's encryption ciphers. To disable this feature, use the no form of this command.

  crypto ipsec ikev2 sa-strength-enforcement
  no crypto ipsec ikev2 sa-strength-enforcement

Defaults

Enforcement is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  9.1(2)    This command was added.

Usage Guidelines

Security is not increased when a child SA has a stronger encryption cipher than its parent IKEv2 connection. It is good security practice to configure IPsec so this does not happen. The strength enforcement setting only affects the encryption cipher; it does not alter the integrity or key exchange algorithms.

The IKEv2 system compares the relative strength of each child SA's selected encryption cipher as follows: when enabled, it verifies that the configured encryption cipher for the child SA is not stronger than the parent IKEv2 encryption cipher. If it is stronger, the child SA is updated to use the parent cipher. If no compatible cipher is found, the child SA negotiation is aborted. The syslog and debug messages log these actions.

The supported encryption ciphers are listed below in order of strength, from highest to lowest. Ciphers on the same line have equivalent strength for purposes of this check.

  AES-GCM-256, AES-CBC-256
  AES-GCM-192, AES-CBC-192
  AES-GCM-128, AES-CBC-128
  3DES
  DES
  AES-GMAC (any size), NULL

Related Commands

  show running-config ipsec   Displays crypto ipsec ikev2 sa-strength-enforcement when enabled.
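The comparison described in the Usage Guidelines above, as an added example that is not Cisco code: it ranks ciphers by the listed strength tiers and applies the rule to a child SA proposal. The fallback order when the child's selected cipher is too strong (the parent's own cipher if the child offers it, otherwise the strongest child cipher that is not stronger than the parent) is this example's reading of "compatible cipher".

```python
"""Model of the IKEv2 SA strength enforcement check.

Added example, not Cisco code. Cipher names are the reference's, lower-cased;
the tiers are copied from the Usage Guidelines, strongest first.
"""
from typing import List, Tuple

# Ciphers on one tier have equivalent strength for this check.
STRENGTH_TIERS = [
    ("aes-gcm-256", "aes-cbc-256"),
    ("aes-gcm-192", "aes-cbc-192"),
    ("aes-gcm-128", "aes-cbc-128"),
    ("3des",),
    ("des",),
    ("aes-gmac", "null"),   # AES-GMAC of any key size and NULL: no confidentiality
]


def strength_rank(cipher: str) -> int:
    """Lower rank means stronger. Any AES-GMAC size maps to the weakest tier."""
    name = cipher.lower()
    if name.startswith("aes-gmac"):
        name = "aes-gmac"
    for rank, tier in enumerate(STRENGTH_TIERS):
        if name in tier:
            return rank
    raise ValueError(f"unknown cipher: {cipher}")


def enforce_child_sa(parent_cipher: str, child_proposal: List[str]) -> Tuple[str, str]:
    """Apply the enforcement rule to one child SA.

    child_proposal is the ordered list of encryption ciphers configured for the
    child SA; its first entry is the cipher that would otherwise be selected.
    Returns (cipher, action) with action 'kept', 'downgraded' or 'aborted'.
    """
    parent_rank = strength_rank(parent_cipher)
    selected = child_proposal[0]
    if strength_rank(selected) >= parent_rank:
        return selected, "kept"              # not stronger than the parent: allowed
    # The child's choice is stronger than the parent IKEv2 cipher.
    if parent_cipher.lower() in (c.lower() for c in child_proposal):
        return parent_cipher, "downgraded"   # use the parent cipher, as the text says
    # Assumption of this example: fall back to the strongest child cipher that
    # is not stronger than the parent before giving up.
    candidates = [c for c in child_proposal if strength_rank(c) >= parent_rank]
    if candidates:
        return min(candidates, key=strength_rank), "downgraded"
    return "", "aborted"                     # no compatible cipher: negotiation aborted


if __name__ == "__main__":
    print(enforce_child_sa("aes-cbc-128", ["aes-gcm-256", "aes-cbc-128"]))
    print(enforce_child_sa("3des", ["aes-cbc-256", "aes-gcm-128"]))
```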

crypto ipsec inner-routing-lookup

To enable IPsec inner routing lookup, use the crypto ipsec inner-routing-lookup command in global configuration mode. To disable IPsec inner routing lookup, use the no form of this command.

  crypto ipsec inner-routing-lookup
  no crypto ipsec inner-routing-lookup

Syntax Description

This command has no arguments or keywords.

Command Default

IPsec inner-routing-lookup is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  9.6(2)    We introduced this command.

Usage Guidelines

By default, per-packet adjacency lookups are done for the outer ESP packets, but lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet's path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, enable per-packet routing lookups for the IPsec inner packets. To avoid any performance impact from these lookups, this feature is disabled by default. Enable it only when necessary.

This command, when configured, is only applicable for non-VTI based tunnels.

Examples

The following example configures inner-routing-lookup and shows that it is enabled:

  ciscoasa(config)# crypto ipsec inner-routing-lookup
  ciscoasa(config)# show run crypto ipsec
  crypto ipsec inner-routing-lookup

Related Commands

  show run crypto ipsec   Shows the running crypto ipsec configuration.

crypto ipsec profile

To create a new IPsec profile, use the crypto ipsec profile command in global configuration mode. Use the no form of the command to delete the IPsec profile.

  crypto ipsec profile name
  no crypto ipsec profile name

Syntax Description

  name   Specifies a name for a new IPsec profile. The name can contain less than 65 characters.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      No            Yes      No                 —

Command History

  Release   Modification
  9.7(1)    We introduced this command and its submodes.

Examples

In the following example, VTIipsec is the new IPsec profile:

  ciscoasa(config)# crypto ipsec profile VTIipsec

Related Commands

  responder-only                      Sets the VTI tunnel interface to responder only mode.
  set ikev1 transform-set             Specifies the IKEv1 transform set to be used in the IPsec profile configuration.
  set pfs                             Specifies the PFS group to be used in the IPsec profile configuration.
  set security-association lifetime   Specifies the duration of the security association in the IPsec profile configuration. This is specified in kilobytes or seconds, or both.
  set trustpoint                      Specifies a trustpoint that defines the certificate to be used while initiating a VTI tunnel connection.

crypto ipsec security-association lifetime

To configure global lifetime values, use the crypto ipsec security-association lifetime command in global configuration mode. To reset a global lifetime value to the default value, use the no form of this command.

  crypto ipsec security-association lifetime {seconds number | kilobytes {number | unlimited}}
  no crypto ipsec security-association lifetime {seconds number | kilobytes {number | unlimited}}

Syntax Description

  kilobytes {number | unlimited}   Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The range is 10 to 2147483647 kbytes. The default is 4,608,000 kilobytes. This setting does not apply to remote access VPN connections. It applies to site-to-site VPN only.
  seconds number                   Specifies the number of seconds a security association will live before it expires. The range is 120 to 214783647 seconds. The default is 28,800 seconds (eight hours). This setting applies to both remote access and site-to-site VPN.
  unlimited                        Does not send Kilobytes in the quick mode 1 packet when the ASA is the initiator of the tunnel.

Defaults

The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  7.0(1)    This command was added.
  9.0(1)    Support for multiple context mode was added.
  9.1(2)    The unlimited argument was added.

Usage Guidelines

The crypto ipsec security-association lifetime command changes global lifetime values used when negotiating IPsec security associations.

IPsec security associations use shared secret keys. These keys and their security associations time out together.

Assuming that the particular crypto map entry has no lifetime values configured, when the ASA requests new security associations during negotiation, it specifies its global lifetime value in the request to the peer; it uses this value as the lifetime of the new security associations. When the ASA receives a negotiation request from the peer, it uses the smaller of the lifetime values proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.

For site-to-site VPN connections, there are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached. For remote access VPN sessions, only the timed lifetime applies.

The ASA lets the user change crypto map, dynamic map, and IPsec settings on the fly. If this is changed, the ASA brings down only the connections affected by the change. If the user changes an existing access list associated with a crypto map, specifically by deleting an entry within the access list, the result is that only the associated connection is brought down. Connections based on other entries in the access list are not affected.

To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.

To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.

Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.

The security association (and corresponding keys) expires according to whichever occurs sooner, either after the number of seconds has passed or after the amount of traffic in kilobytes has passed.

Examples

The following example specifies a global timed lifetime for security associations:

  ciscoasa(config)# crypto ipsec security-association lifetime seconds 240
  ciscoasa(config)#

Related Commands

  clear configure crypto map       Clears all IPsec configuration (that is, global lifetimes and transform sets).
  show running-config crypto map   Displays all configuration for all the crypto maps.

crypto ipsec security-association pmtu-aging

To enable path maximum transfer unit (PMTU) aging, use the crypto ipsec security-association pmtu-aging command in global configuration mode. To disable PMTU aging, use the no form of the command:

  crypto ipsec security-association pmtu-aging reset-interval
  no crypto ipsec security-association pmtu-aging reset-interval

Syntax Description

  reset-interval   Sets the interval at which the PMTU value is reset.

Defaults

This feature is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      Yes           Yes      Yes                —

Command History

  Release   Modification
  9.0(1)    This command was added.

Usage Guidelines

The reset interval is specified in seconds.

crypto ipsec security-association replay

To configure the IPsec antireplay window size, use the crypto ipsec security-association replay command in global configuration mode. To reset the window size to the default value, use the no form of this command.

  crypto ipsec security-association replay {window-size n | disable}
  no crypto ipsec security-association replay {window-size n | disable}

Syntax Description

  n         Sets the window size. Values can be 64, 128, 256, 512, or 1024. The default is 64.
  disable   Disables antireplay checking.

Defaults

The default window size is 64.

Command Modes

The following table shows the modes in which you can enter the command:

  Command Mode           Firewall Mode          Security Context
                         Routed   Transparent   Single   Multiple Context   Multiple System
  Global configuration   Yes      —             Yes      Yes                —

Command History

  Release        Modification
  7.2(4)/8.0(4)  This command was added.
  9.0(1)         Support for multiple context mode was added.

Usage Guidelines

Cisco IPsec authentication provides antireplay protection from an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association antireplay is a security service in which the receiver can reject old or duplicate packets to protect itself from replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with a sequence number of X-N or lower is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.

At times, however, the 64-packet window size is not sufficient. For example, QoS gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor; this event can generate warning syslog messages that are false alarms. The crypto ipsec security-association replay command lets you expand the window size, allowing the decryptor to keep track of more than 64 packets.

Increasing the antireplay window size has no impact on throughput and security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence numbers on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future antireplay problems.

Examples

The following example specifies the antireplay window size for security associations:

  ciscoasa(config)# crypto ipsec security-association replay window-size 1024
  ciscoasa(config)#

Related Commands

  clear configure crypto map       Clears all IPsec configuration (that is, global lifetimes and transform sets).
  shape                            Enables traffic shaping.
  priority                         Enables priority queuing.
  show running-config crypto map   Displays all configuration for all the crypto maps.
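The decryptor's X / N bookkeeping from the Usage Guidelines, as an added example that is not Cisco code: a sliding-window check with a bitmap over X-N+1 through X, plus the QoS scenario in which a delayed low-priority packet is reported as a false alarm with the default 64-packet window but accepted with window-size 1024. All sequence numbers are constructed.

```python
"""Sliding-window antireplay check modelled on the decryptor described above.

Added example, not Cisco code. X is the highest sequence number seen, N the
configured window size; a bitmap records which of X-N+1 .. X have arrived.
"""
from typing import List

WINDOW_SIZES = (64, 128, 256, 512, 1024)   # the values window-size n accepts


class AntiReplayWindow:
    def __init__(self, window_size: int = 64):
        if window_size not in WINDOW_SIZES:
            raise ValueError(f"window size must be one of {WINDOW_SIZES}")
        self.n = window_size
        self.highest = 0                     # X: highest sequence number seen so far
        self.seen = 0                        # bitmap; bit i set means X - i was seen
        self.mask = (1 << window_size) - 1   # 1024 bits is the 128 bytes the text mentions

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' (duplicate inside the window) or 'too_old' (at or below X-N)."""
        if seq > self.highest:
            # Window slides forward; the new packet becomes bit 0 (X itself).
            shift = min(seq - self.highest, self.n)
            self.seen = ((self.seen << shift) | 1) & self.mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq          # distance below X
        if offset >= self.n:
            return "too_old"                 # sequence number <= X-N: outside the window
        if (self.seen >> offset) & 1:
            return "replay"                  # already checked off
        self.seen |= 1 << offset
        return "accept"


def classify(window_size: int, sequence_numbers: List[int]) -> List[str]:
    """Run a packet sequence through one SA's window and return each verdict."""
    window = AntiReplayWindow(window_size)
    return [window.check(s) for s in sequence_numbers]


def delayed_packet_verdict(window_size: int, delayed_seq: int, arrived_through: int) -> str:
    """Verdict for a packet with delayed_seq that arrives only after every other
    sequence number up to arrived_through has been received (the QoS case)."""
    earlier = [s for s in range(1, arrived_through + 1) if s != delayed_seq]
    return classify(window_size, earlier + [delayed_seq])[-1]


if __name__ == "__main__":
    # Low-priority packet 10 held back while 11..100 went ahead of it.
    for n in (64, 1024):
        print(f"window-size {n}: delayed packet -> {delayed_packet_verdict(n, 10, 100)}")
    # A genuine duplicate is caught whatever the window size.
    print(classify(1024, [1, 2, 3, 2]))
```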



More info »
UNSCEAR 2008 Report Vol.I

UNSCEAR 2008 Report Vol.I

This publication contains: VOLUME I: SOURCES SOURCES AND EFFECTS Report of the United Nations Scientific Committee on the Effects of Atomic Radiation to the General Assembly OF IONIZING RADIATION Scie...

More info »
WordSmith Tools Manual

WordSmith Tools Manual

WordSmith Tools Manual Version 6.0 © 2015 Mike Scott Lexical Analysis Software Ltd. Stroud, Gloucestershire, UK

More info »