Cisco PIX 525 Specifications, page 405

23-17
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 23 Configuring IPSec and ISAKMP
Configuring IPSec
For example:
crypto map mymap 10 set peer 192.168.1.100
The security association is set up with the peer having an IP address of 192.168.1.100. Specify
multiple peers by repeating this command.
c. Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in
order of priority (highest priority first). You can specify up to six transform sets.
crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2, … transform-set-name6]
For example:
crypto map mymap 10 set transform-set myset1 myset2
In this example, when traffic matches access list 101, the security association can use either
“myset1” (first priority) or “myset2” (second priority) depending on which transform set matches
the peer’s transform set.
d. (Optional) Specify a security association lifetime for the crypto map entry if you want the security
associations for this entry to be negotiated with IPSec security association lifetimes different from
the global lifetimes.
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
For example:
crypto map mymap 10 set security-association lifetime seconds 2700
This example shortens the timed lifetime for the crypto map “mymap 10” to 2700 seconds
(45 minutes). The traffic volume lifetime is not changed.
e. (Optional) Specify that IPSec should ask for perfect forward secrecy when requesting new security
associations for this crypto map entry, or should require PFS in requests received from the peer:
crypto map map-name seq-num set pfs [group1 | group2 | group5 | group7]
For example:
crypto map mymap 10 set pfs group2
This example specifies using PFS whenever a new security association is negotiated for the crypto
map “mymap 10.” The 1024-bit Diffie-Hellman prime modulus group is used when a new security
association is negotiated using the Diffie-Hellman exchange.
Step 4 Apply a crypto map set to an interface for evaluating IPSec traffic:
crypto map map-name interface interface-name
For example:
crypto map mymap interface outside
In this example, the security appliance evaluates the traffic going through the outside interface against
the crypto map “mymap” to determine whether it needs to be protected.
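As an added example (not from the guide), the following Python script parses the crypto map commands described in the steps above out of a saved configuration and flags entries that have no match address, no peer, or no PFS request. The sample configuration, the entry layout, and the audit rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration fragment using the crypto map commands
# described on this page; the addresses and names are illustrative only.
SAMPLE_CONFIG = """\
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 10 set transform-set myset1 myset2
crypto map mymap 10 set security-association lifetime seconds 2700
crypto map mymap 10 set pfs group2
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 192.168.1.200
crypto map mymap 20 set transform-set myset1
crypto map mymap interface outside
"""

# Matches "crypto map <name> <seq> <keyword> <rest>"; the interface-binding
# form has no sequence number, so it is deliberately not matched here.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)\s*(.*)$")


def parse_crypto_maps(config):
    """Return {(map_name, seq): {field: value}} for every crypto map entry."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, keyword, rest = m.groups()
        entry = entries[(name, int(seq))]
        if keyword == "match address":
            entry["acl"] = rest
        elif keyword == "set peer":
            entry.setdefault("peers", []).append(rest)  # repeating the command adds peers
        elif keyword == "set transform-set":
            entry["transform_sets"] = rest.split()      # listed in priority order, up to six
        elif keyword == "set security-association":
            lm = re.match(r"lifetime (seconds|kilobytes) (\d+)", rest)
            if lm:
                entry["lifetime_" + lm.group(1)] = int(lm.group(2))
        elif keyword == "set pfs":
            entry["pfs"] = rest or "default"            # group keyword is optional
    return dict(entries)


def audit_crypto_maps(entries):
    """Flag entries a reviewer would question (rules are this example's assumptions)."""
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        if "acl" not in e:
            findings.append(f"{tag}: no match address, entry never selects traffic")
        if not e.get("peers"):
            findings.append(f"{tag}: no peer set")
        if len(e.get("transform_sets", [])) > 6:
            findings.append(f"{tag}: more than six transform sets listed")
        if "pfs" not in e:
            findings.append(f"{tag}: PFS not requested")
    return findings
```

Run against the constructed sample, the audit reports only that entry "mymap 20" does not request PFS.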