crypto map [name] interface [intf]
Applies a crypto map to an interface to enable IPsec VPN policy on that interface.
Overview
The 'crypto map [name] interface [intf]' command is a critical configuration step on Cisco ASA firewalls for enabling IPsec VPN functionality. It binds a previously defined crypto map (which contains IPsec policies, transform sets, peer addresses, and access lists) to a specific interface, typically the outside interface facing the internet or a WAN link. Without this command, the ASA will not process IPsec packets on that interface, even if the crypto map is fully configured.
IPsec VPNs provide encrypted, authenticated tunnels between sites or for remote users. The crypto map is the policy container that defines what traffic to protect (the 'match address' ACL), how to protect it (the transform set or, for IKEv2, the IPsec proposal), and who the remote peer is. Applying it to an interface activates those policies on that interface. The ASA supports static crypto maps (site-to-site VPNs with fixed peer addresses) and dynamic crypto maps (remote access, or site-to-site peers whose address is not known in advance); a dynamic map is never bound to an interface directly but is referenced from an entry in the static map that is.
When troubleshooting VPN issues, verifying that the crypto map is applied to the intended interface is the first step. Use 'show crypto map interface [intf]' to confirm. Common issues include applying the map to the wrong interface, omitting the command entirely, or expecting two maps to coexist on one interface (an interface holds a single crypto map; binding another one replaces the first). In a failover pair the binding is part of the replicated configuration, so it is present on the standby unit as well.
In the broader workflow, after configuring ISAKMP/IKE policies, IPsec transform sets, and the crypto map itself, the final step is to apply the crypto map to the interface. This command is ASA-specific; on Cisco IOS routers, the equivalent is 'crypto map [name]' under interface configuration mode. On ASA, it is a global config command.
crypto map [map-name] interface [interface-name]
When to Use This Command
- Apply a site-to-site VPN crypto map to the outside interface for branch connectivity.
- Apply a static crypto map that references a dynamic crypto map to the outside interface for remote access VPN or for peers whose address is not fixed.
- Apply a crypto map to a DMZ interface for partner VPN termination.
- Apply a crypto map to a redundant interface (a logical interface backed by two physical ports) so the VPN survives a single link failure.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| map-name | string | The name of the crypto map to apply. Must match an existing crypto map defined with 'crypto map [name] [seq-num]'. |
| interface-name | string | The nameif name of the interface to which the crypto map is applied (for example 'outside', 'dmz' or a named subinterface), not the physical port name. |
Command Examples
Apply crypto map to outside interface
crypto map CMAP interface outside
This command applies the crypto map named 'CMAP' to the interface named 'outside'. No output is generated on success.
Verify crypto map application
show crypto map interface outside
Interface: outside
Crypto Map Name: CMAP
Crypto Map Type: Static, IPsec-isakmp
Crypto Map Tag: CMAP, seq num: 10, local addr: 203.0.113.1
access-list CMAP_ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Current peer: 198.51.100.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={TSET1,}
Replay detection: enabled
IKEv2: disabled
The output shows the crypto map is applied to interface 'outside', with local address 203.0.113.1, peer 198.51.100.1, and the associated ACL and transform set.
Understanding the Output
The 'show crypto map interface [intf]' command displays the crypto map configuration applied to a specific interface. Key fields include: Interface (the interface name), Crypto Map Name (the map identifier), Crypto Map Type (Static or Dynamic), Local Addr (the IP address of the interface), access-list (the ACL defining interesting traffic), Current peer (the remote VPN peer IP), Security association lifetime (in kilobytes/seconds), PFS (Perfect Forward Secrecy enabled or not), Transform sets (the encryption/hash algorithms), Replay detection (enabled/disabled), and IKEv2 (enabled/disabled). Healthy output shows correct peer IP, matching ACL, and valid transform sets. Problem values include 'no peer' or mismatched ACL entries.
Configuration Scenarios
Basic Site-to-Site VPN on Outside Interface
A company needs a site-to-site VPN between two ASAs. The crypto map is applied to the outside interface.
Topology
[ASA1] -- outside (203.0.113.1) --- Internet --- (198.51.100.1) outside -- [ASA2]
Steps
- 1. Define the IKEv1 (ISAKMP) policy: crypto ikev1 policy 10, then authentication pre-share, encryption aes-256, hash sha, group 2, lifetime 86400
- 2. Enable IKEv1 on the interface that will terminate the tunnel: crypto ikev1 enable outside
- 3. Define the IPsec transform set: crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
- 4. Define the ACL for interesting traffic: access-list VPN_ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
- 5. Create the crypto map entry and match the ACL: crypto map CMAP 10 match address VPN_ACL
- 6. Set the peer: crypto map CMAP 10 set peer 198.51.100.1
- 7. Set the transform set (on ASA 8.4 and later the keyword is 'set ikev1 transform-set'): crypto map CMAP 10 set ikev1 transform-set TSET
- 8. Define the tunnel-group for the peer and its pre-shared key: tunnel-group 198.51.100.1 type ipsec-l2l, then tunnel-group 198.51.100.1 ipsec-attributes and ikev1 pre-shared-key [pre-shared-key]
- 9. Apply the crypto map to the interface: crypto map CMAP interface outside
! IKEv1 (ISAKMP) policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Enable IKEv1 on the terminating interface; without this no IKE negotiation takes place
crypto ikev1 enable outside
! Transform set
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
! Interesting traffic
access-list VPN_ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
! Crypto map entry for this peer
crypto map CMAP 10 match address VPN_ACL
crypto map CMAP 10 set peer 198.51.100.1
crypto map CMAP 10 set ikev1 transform-set TSET
! Tunnel-group holding the pre-shared key for this peer (required for authentication)
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key [pre-shared-key]
! Bind the map to the interface
crypto map CMAP interface outside
Verify: Use 'show crypto map interface outside' to confirm the map is bound, 'show crypto ikev1 sa' to see the phase 1 SA, and 'show crypto ipsec sa' to see the active IPsec security associations and their packet counters.
Watch out: The ACL must be mirrored on the other ASA (source and destination swapped); otherwise the proxy identities will not match and phase 2 fails. The pre-shared key and the IKEv1 policy must also match on both sides. The policy shown uses DH group 2 (1024-bit) and SHA-1, which are weak by current standards: prefer group 14 or higher where both peers support it, and move to IKEv2 if you need SHA-2 integrity, since an ASA IKEv1 policy only offers 'hash sha' or 'hash md5'.
Troubleshooting with This Command
When troubleshooting VPN issues on a Cisco ASA, first verify that the crypto map is bound to the correct interface with 'show crypto map interface [intf]'. If the command returns nothing, the map is not applied to that interface; check for typos in the interface name (the nameif name) or the map name. If the map is applied but the tunnel does not form, confirm that IKE is enabled on the same interface ('crypto ikev1 enable [intf]' or 'crypto ikev2 enable [intf]'), that a tunnel-group exists for the peer with the correct pre-shared key, and that the map entry has a peer, a matching ACL and a transform set (or IKEv2 proposal). 'show crypto ikev1 sa' (or 'show crypto ikev2 sa') tells you whether phase 1 completed; 'show crypto ipsec sa' lists the phase 2 SAs with their packet counters. Use 'debug crypto ikev1' or 'debug crypto ipsec' to follow the negotiation itself. Common causes are ACL mismatches (the traffic does not match, or the two sides' ACLs are not mirror images), a wrong peer IP, a mismatched pre-shared key, and incompatible IKE policies or transform sets. The interface needs a routable IP address, and any upstream filtering device must permit UDP 500, UDP 4500 (NAT-T) and ESP (IP protocol 50) to and from it; by default the ASA's own interface ACL does not apply to IKE traffic terminating on the ASA, so that ACL is not the place to look. If using dynamic crypto maps, verify that the dynamic map is referenced from an entry of the static map that is applied to the interface. In a failover pair the binding is part of the replicated configuration and is present on the standby unit; after a failover event, confirm that the peer re-establishes the tunnel with the new active unit.
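The checks above in the order a practitioner runs them, as an added example that is not part of the original page. The peer 198.51.100.1, the VPN_ACL networks and the interface names come from this page's site-to-site scenario; the 10.0.1.10 to 10.0.2.10 test flow is a constructed value.

```cisco
! Added troubleshooting sequence for the IKEv1 site-to-site scenario on this page.
! Peer, networks and interface names follow the scenario; the 10.0.1.10 -> 10.0.2.10:443
! test flow is a constructed example.

! 1. Is the map bound, and to which interface? Empty output means it is not applied here.
show crypto map interface outside

! 2. Is IKEv1 (the protocol the map entry negotiates with) enabled on that same interface?
show running-config crypto ikev1 | include enable

! 3. Does a tunnel-group exist for the peer? A missing or mistyped group means no pre-shared key.
show running-config tunnel-group 198.51.100.1

! 4. Phase 1: a state of MM_ACTIVE means IKE completed; no entry means the peers never
!    agreed on a policy or the key did not match.
show crypto ikev1 sa

! 5. Phase 2: both '#pkts encaps' and '#pkts decaps' should increase while traffic flows.
!    Encaps rising with decaps stuck at zero usually points at the remote side's ACL or routing.
show crypto ipsec sa peer 198.51.100.1

! 6. Simulate interesting traffic without a host: the trace should include a VPN/encrypt phase
!    with result ALLOW. If that phase is missing, the flow does not match VPN_ACL.
packet-tracer input inside tcp 10.0.1.10 1025 10.0.2.10 443

! 7. Only if the above is inconclusive: watch the negotiation live, then turn debugging off.
debug crypto ikev1 127
undebug all
```

Steps 1 to 3 are configuration checks and answer most "the tunnel never comes up" cases; steps 4 and 5 separate a phase 1 problem (policy or key) from a phase 2 problem (ACL or transform set mismatch).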
CCNA Exam Tips
Remember that the crypto map must be applied to the interface for VPN to function; without this command, no IPsec traffic will be processed.
On ASA, you can apply only one crypto map per interface; applying a second will overwrite the first.
For dynamic crypto maps, create the dynamic map with 'crypto dynamic-map [dyn-name] [seq]' and its 'set' commands, then reference it from the static map with 'crypto map [name] [seq] ipsec-isakmp dynamic [dyn-name]', normally at the highest sequence number so that static entries are tried first. Only the static map is applied to the interface.
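The dynamic-map arrangement described in the tips above, as an added example that is not from the original page: a remote ASA whose public address changes is accepted through a dynamic map chained behind the static entry for the fixed peer. The names DYNMAP and TSET, the pre-shared-key placeholder and DH group 14 are assumptions; VPN_ACL, the peer 198.51.100.1 and the 'outside' interface follow this page's scenario.

```cisco
! Added example (not from the original page): dynamic crypto map for a peer whose public
! address is not fixed (e.g. a branch on a DHCP broadband link). DYNMAP, TSET and the key
! placeholder are assumptions; VPN_ACL and the 'outside' interface follow this page.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac

! The dynamic map carries everything except the peer address. Reverse-route injection
! installs a route to the remote network when the peer proposes it, so return traffic
! is routed into the tunnel instead of out the default route.
crypto dynamic-map DYNMAP 10 set ikev1 transform-set TSET
crypto dynamic-map DYNMAP 10 set reverse-route

! Static entries (seq 10) are matched first; the dynamic reference goes last, at the
! highest sequence number, so it only catches peers that no static entry claims.
crypto map CMAP 10 match address VPN_ACL
crypto map CMAP 10 set peer 198.51.100.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP

! Only the static map is bound; the dynamic map is reached through seq 65535.
crypto map CMAP interface outside

! Peers arriving through the dynamic map authenticate with the default L2L group's key.
! Because the ASA does not know their address it can never initiate; the dynamic peer must.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key [pre-shared-key]
```

Because every unknown peer shares the DefaultL2LGroup key, that key is effectively a group secret; rotate it when a branch device is retired, and prefer a fixed address with its own tunnel-group wherever the remote site can get one.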
Common Mistakes
Forgetting to apply the crypto map to the interface after creating it, resulting in no VPN traffic.
Applying the crypto map to the wrong interface (e.g., inside instead of outside), causing VPN traffic to be dropped.
Reusing a sequence number within one crypto map for a second peer, which modifies the existing entry instead of creating a new one; each peer needs its own sequence number.
Platform Notes
On Cisco ASA, the 'crypto map [name] interface [intf]' command is executed in global configuration mode, unlike Cisco IOS where it is applied under interface configuration mode. ASA supports both IKEv1 and IKEv2, and the binding command is the same for both. For IKEv2, the phase 1 policy is 'crypto ikev2 policy', the phase 2 parameters come from 'crypto ipsec ikev2 ipsec-proposal' (there is no IKEv2 transform set), and the map entry references it with 'set ikev2 ipsec-proposal'; 'crypto ikev2 enable [intf]' must be set on the terminating interface. The ASA also supports dynamic crypto maps for remote access VPN, which are reached through the static map that is applied to the interface. On other platforms like Cisco IOS-XE, the command is 'crypto map [name]' under interface config. On Palo Alto firewalls, the equivalent is binding an IKE gateway and an IPsec tunnel to an interface. Version differences: IKEv2 was introduced in ASA 8.4(1); earlier versions support IKEv1 only, with the older 'crypto isakmp' syntax. Always check the ASA version for feature support.
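The same site-to-site tunnel negotiated with IKEv2 instead of IKEv1, as an added example that is not from the original page. It shows that the interface binding is unchanged while the phase 2 object becomes an ipsec-proposal. The proposal name PROP, the pre-shared-key placeholder and the algorithm choices (AES-256, SHA-256, DH group 14, PFS) are assumptions; the peer, networks, VPN_ACL and the 'outside' interface follow this page's scenario.

```cisco
! Added example (not from the original page): IKEv2 site-to-site on ASA 8.4(1) or later.
! PROP, the key placeholder and the algorithm choices are assumptions; peer, networks,
! VPN_ACL and 'outside' follow this page.

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IKEv2 uses an ipsec-proposal, not a transform set. Note the integrity keyword is
! spelled 'sha-256' here but 'sha256' in the ikev2 policy above.
crypto ipsec ikev2 ipsec-proposal PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

access-list VPN_ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

crypto map CMAP 10 match address VPN_ACL
crypto map CMAP 10 set peer 198.51.100.1
crypto map CMAP 10 set ikev2 ipsec-proposal PROP
! PFS makes every IPsec rekey run a fresh DH exchange, so compromise of the IKE SA's
! key material does not reveal the keys of child SAs derived with PFS.
crypto map CMAP 10 set pfs group14

! The binding command is identical regardless of IKE version.
crypto map CMAP interface outside

! IKEv2 keys are configured per direction; both must match what the peer expects.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key [pre-shared-key]
 ikev2 local-authentication pre-shared-key [pre-shared-key]
```

After applying it, 'show crypto map interface outside' reports the entry with 'IKEv2: enabled', and 'show crypto ikev2 sa' replaces 'show crypto ikev1 sa' as the phase 1 check.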
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.