Cisco ASA Series CLI Configuration Guide
 
Chapter 1 Configuring LAN-to-LAN IPsec VPNs
  Creating a Crypto Map and Applying It To an Interface
For IPsec to succeed, both peers must have crypto map entries with compatible configurations. For two crypto map entries to be compatible, they must, at a minimum, meet the following criteria:
• The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). If the responding peer uses dynamic crypto maps, the entries in the ASA crypto access list must be “permitted” by the peer’s crypto access list.
• The crypto map entries each must identify the other peer (unless the responding peer is using a dynamic crypto map).
• The crypto map entries must have at least one transform set in common.
If you create more than one crypto map entry for a given interface, use the sequence number (seq-num) of each entry to rank it: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, the ASA evaluates traffic against the entries of higher priority maps first.
Create multiple crypto map entries for a given interface if either of the following conditions exists:
• Different peers handle different data flows.
• You want to apply different IPsec security to different types of traffic (to the same or separate peers), for example, if you want traffic between one set of subnets to be authenticated, and traffic between another set of subnets to be both authenticated and encrypted. In this case, define the different types of traffic in two separate access lists, and create a separate crypto map entry for each crypto access list.
To create a crypto map and apply it to the outside interface in global configuration mode, perform the following steps in either single or multiple context mode:
Step 1 To assign an access list to a crypto map entry, enter the crypto map match address command. The syntax is crypto map map-name seq-num match address aclname. In the following example the map name is abcmap, the sequence number is 1, and the access list name is l2l_list.
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)#
Step 2 To identify the peer(s) for the IPsec connection, enter the crypto map set peer command. The syntax is crypto map map-name seq-num set peer {ip_address1 | hostname1} [... ip_address10 | hostname10]. In the following example the peer address is 10.10.4.108.
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)#
Step 3 To specify an IKEv1 transform set for a crypto map entry, enter the crypto map ikev1 set transform-set command. The syntax is crypto map map-name seq-num set ikev1 transform-set transform-set-name. In the following example the transform set name is FirstSet.
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)#
Step 4 To specify an IKEv2 proposal for a crypto map entry, enter the crypto map ikev2 set ipsec-proposal command. The syntax is crypto map map-name seq-num set ikev2 ipsec-proposal proposal-name. In the following example the proposal name is secure.
With the crypto map command, you can specify multiple IPsec proposals for a single map index. In that case, all of the proposals are transmitted to the IKEv2 peer as part of the negotiation, and they are offered in the order in which the administrator configured them on the crypto map entry.
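The three compatibility criteria listed at the start of this section can be checked before bringing a tunnel up. The following Python script is an added illustration, not part of the Cisco guide: it parses constructed sample configurations for two peers written with the crypto map commands from Steps 1 to 4 (the map name abcmap, the access list l2l_list, the transform set and proposal names, and the peer addresses 10.10.4.107 and 10.10.4.108 are assumed) and reports which criterion a pair of entries violates.

```python
import re
from collections import defaultdict
# Constructed sample configurations for two peers (not taken from the guide); the crypto
# map lines use the commands from this section, the access lists the ASA extended form.
# The peers' outside addresses, 10.10.4.107 (A) and 10.10.4.108 (B), are assumed.
ASA_A = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.4.108
crypto map abcmap 1 set ikev1 transform-set FirstSet
crypto map abcmap 1 set ikev2 ipsec-proposal secure
"""
ASA_B = """
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map abcmap 10 match address l2l_list
crypto map abcmap 10 set peer 10.10.4.107
crypto map abcmap 10 set ikev1 transform-set SecondSet FirstSet
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|"
                    r"set ikev1 transform-set|set ikev2 ipsec-proposal) (.+)$")

def parse(config):
    """Return ({acl: {(src, smask, dst, dmask)}}, {(map, seq): entry}) from config text."""
    acls = defaultdict(set)
    entries = defaultdict(lambda: {"acl": None, "peers": set(), "ikev1": set(), "ikev2": set()})
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            acls[m[1]].add(m.group(2, 3, 4, 5))
        elif m := MAP_RE.match(line.strip()):
            e, args = entries[(m[1], int(m[2]))], m[4].split()
            if m[3] == "match address": e["acl"] = args[0]
            elif m[3] == "set peer": e["peers"].update(args)
            elif m[3] == "set ikev1 transform-set": e["ikev1"].update(args)
            else: e["ikev2"].update(args)
    return acls, entries

def check_pair(conf_a, addr_a, key_a, conf_b, addr_b, key_b):
    """Apply the three criteria to entry key_a on A and key_b on B; [] means compatible."""
    (acls_a, ents_a), (acls_b, ents_b) = parse(conf_a), parse(conf_b)
    a, b = ents_a[key_a], ents_b[key_b]
    problems = []
    # 1. Mirror-image access lists: swap src/dst of every ACE on A and compare with B.
    if {(d, dm, s, sm) for s, sm, d, dm in acls_a[a["acl"]]} != acls_b[b["acl"]]:
        problems.append("crypto access lists are not mirror images")
    # 2. Each entry must name the other peer (static crypto maps on both sides).
    if addr_b not in a["peers"] or addr_a not in b["peers"]:
        problems.append("entries do not identify each other as peer")
    # 3. At least one IKEv1 transform set or one IKEv2 proposal in common.
    if not (a["ikev1"] & b["ikev1"] or a["ikev2"] & b["ikev2"]):
        problems.append("no IKEv1 transform set or IKEv2 proposal in common")
    return problems
```

With the sample configurations as given, the check returns an empty list; dropping FirstSet from peer B, or changing either subnet or peer address on one side, makes it report the corresponding criterion.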