Thats ok at the moment as I have control over both ends but what if I didnt? Is it possible to put a match ACL on a dynamic map? The IPs assigned to the client VPNs are a range from the PIX I have defined. i.e. 10.0.50.0/24

thanks

That is correct.

If you do not have control over the other end, you can apply an ACL to the dynamic crypto map.

In this case, since you have control on both sides, there's no need for that.

Federico.

How would I go about constructing an ACL for the dynamic, would it be

access-list dynamic allow ip 0.0.0.0 0.0.0.0 10.0.50.0 255.255.255.0 ?

or something?

Under the dynamic crypto map, you have the option to specify an ACL as with the static crypto maps:

For example:

You create the ACL named acl-name and apply it to the dynamic crypto map:

crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route

crypto dynamic-map dynmap 10  match address acl-name

Federico.

Hi,

yup understand that bit but when you look at the proxy IDs for the remote clients its usually local ident 0.0.0.0 remote ident 10.0.50.x

thanks

Yes,

The remote VPN clients will have a local ident 0.0.0.0 because you can't know before hand where all the VPN clients are going to come from.

So, there's no point in restricting the IP addresses from where the remote VPN client connections can be established (unless you want to do it like this).

For ths L2L VPNs, need to make sure the interesting traffic is a mirror from the other end, in this way only the traffic specified would make it through the tunnel.

You can differentiate the internal access that has each L2L and remote VPN client connection.

So, if somebody is coming from a L2L peer VPN, it would only have access to the resources specified in the ACL for that VPN.

If somebody comes from that IP, but using the VPN client software, then will match against the dynamic crypto map.

Federico.