Comment
Author: Admin | 2025-04-28
The ASA accepts any data flow identity the peer proposes. Caution Do not assign module default routes for traffic to be tunneled to a ASA interface configured with a dynamic crypto map set. To identify the traffic that should be tunneled, add the ACLs to the dynamic crypto map. Use care to identify the proper address pools when configuring the ACLs associated with remote access tunnels. Use Reverse Route Injection to install routes only after the tunnel is up. Create a crypto dynamic map entry using either single or multiple context mode. You can combine static and dynamic map entries within a single crypto map set. Procedure Step 1 (Optional) Assign an ACL to a dynamic crypto map: crypto dynamic-map dynamic-map-name dynamic-seq-num match address access-list-name This determines which traffic should be protected and not protected. Dynamic-map-name specifies the name of the crypto map entry that refers to a pre-existing dynamic crypto map. Dynamic-seq-num specifies the sequence number that corresponds to the dynamic crypto map entry. Example: In this example, ACL 101 is assigned to dynamic crypto map dyn1. The map sequence number is 10. crypto dynamic-map dyn1 10 match address 101 Step 2 Specify which IKEv1 transform sets or IKEv2 proposals are allowed for this dynamic crypto map. List multiple transform sets or proposals in order of priority (highest priority first) using the command for IKEv1 transform sets or IKEv2 proposals: crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1, [transform-set-name2, …transform-set-name9] crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev2 ipsec-proposal proposal-name1 [proposal-name2,
Add Comment