
show crypto map

Displays the configured crypto map entries, including their match criteria, peer addresses, and transform sets, used to verify IPsec VPN policy configuration.

Syntax (Privileged EXEC)
show crypto map

When to Use This Command

  • Verify that a crypto map is correctly applied to an interface after configuring a site-to-site VPN.
  • Troubleshoot why IPsec traffic is not being encrypted by checking the crypto map match criteria.
  • Confirm the peer IP address and transform set for an existing VPN tunnel.
  • Check the status of dynamic crypto maps for remote access VPNs.

Command Examples

Basic show crypto map output

show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 192.168.2.1
    Extended IP access list 100
        access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    Current peer: 192.168.2.1
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET,}
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

Line 1: Crypto map name 'CMAP' with sequence number 10, type ipsec-isakmp. Line 2: Peer IP address (VPN endpoint). Lines 3-4: Extended ACL used to match the traffic to encrypt. Line 5: Current active peer. Line 6: SA lifetime in kilobytes and seconds. Line 7: Whether Perfect Forward Secrecy is enabled (N = no). Line 8: Transform set(s) used. Lines 9-10: Interface(s) where this crypto map is applied.

Show crypto map with dynamic map

show crypto map
Crypto Map "DYNAMIC" 1 ipsec-isakmp dynamic
    Peer = 0.0.0.0
    Extended IP access list 101
        access-list 101 permit ip any any
    Current peer: 0.0.0.0
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={TSET,}
    No interfaces bound yet

Line 1: Dynamic crypto map (no static peer). Line 2: Peer 0.0.0.0 means the peer is not predefined. Lines 3-4: ACL matches any IP traffic. Line 5: No current peer. Lines 6-8: Standard lifetime and PFS settings. Line 9: Transform set. Line 10: No interface currently bound (dynamic maps are often attached via a static map).

Understanding the Output

The output lists each crypto map entry by name and sequence number. The type (ipsec-isakmp, ipsec-manual, dynamic) indicates how the map is configured. 'Peer' shows the remote VPN endpoint IP; 0.0.0.0 indicates a dynamic map. The extended ACL defines which traffic triggers encryption. 'Current peer' is the active peer for the SA. Lifetime values (kilobytes/seconds) show when the SA will expire. PFS indicates whether Perfect Forward Secrecy is used. Transform sets list the encryption and authentication algorithms. The 'Interfaces using crypto map' line confirms which interface(s) the map is applied to. For troubleshooting, ensure the ACL matches the desired traffic, the peer IP is correct, and the interface is listed. A missing interface means the map is not applied or the interface is down.
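As an added example (not part of this reference), a short Python parser that reads 'show crypto map' output and applies the troubleshooting checks described above; the sample output is constructed from the two examples on this page and abbreviated to the fields the parser reads.

```python
import re

# Constructed sample, abbreviated from the two outputs shown above (unparsed fields omitted).
SAMPLE = """\
Crypto Map "CMAP" 10 ipsec-isakmp
    Peer = 192.168.2.1
    Extended IP access list 100
        access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    PFS (Y/N): N
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0
Crypto Map "DYNAMIC" 1 ipsec-isakmp dynamic
    Peer = 0.0.0.0
    Extended IP access list 101
        access-list 101 permit ip any any
    PFS (Y/N): N
    No interfaces bound yet
"""

def parse_crypto_map(text):
    """Return one dict per crypto map entry with the fields the checks below need."""
    entries, cur, in_ifaces = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'^Crypto Map "(\S+)" (\d+) (.+)$', line):  # new entry header
            cur = {"name": m[1], "seq": int(m[2]), "dynamic": "dynamic" in m[3],
                   "peer": "", "acl": [], "pfs": False, "interfaces": []}
            entries.append(cur)
            in_ifaces = False
        elif cur is None:
            continue  # skip anything printed before the first entry
        elif line.startswith("Peer = "):
            cur["peer"] = line[7:]
        elif line.startswith("access-list "):
            cur["acl"].append(line)
        elif line.startswith("PFS (Y/N):"):
            cur["pfs"] = line.endswith("Y")
        elif line.startswith("Interfaces using crypto map"):
            in_ifaces = True  # interface names follow on indented lines
        elif in_ifaces and line:
            cur["interfaces"].append(line)
    return entries

def audit(entry):
    """Findings a troubleshooter would raise for one entry (static maps need an interface)."""
    checks = [
        (not entry["dynamic"] and not entry["interfaces"], "not applied to any interface"),
        (not entry["pfs"], "PFS disabled"),
        (any(a.endswith("permit ip any any") for a in entry["acl"]), "ACL matches all traffic"),
    ]
    return [msg for hit, msg in checks if hit]
```

Paste the real output of 'show crypto map' in place of SAMPLE and call audit() on each parsed entry to see which of the checks from this section fail.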

CCNA Exam Tips

1. Remember that 'show crypto map' displays both static and dynamic maps; dynamic maps show peer 0.0.0.0.

2. The ACL in the crypto map must match the interesting traffic; a common exam trick is to check if the ACL is correct.

3. If the interface is not listed under 'Interfaces using crypto map', the map is not applied or the interface is down.

4. Know that PFS (Perfect Forward Secrecy) is optional and can be enabled with 'set pfs'.

Common Mistakes

Confusing 'show crypto map' with 'show crypto ipsec sa' — the former shows configuration, the latter shows active SAs.

Forgetting that the ACL in the crypto map must be a numbered or named extended ACL; standard ACLs are not supported.

Assuming that a crypto map applied to an interface automatically creates an SA; traffic must match the ACL to trigger SA negotiation.
