crypto dynamic-map and VPN

Unanswered Question
Nov 15th, 2005

The system architecture is like this: A PIX firewall with a global public IP and inside is the private network. A remote location will try to access the firewall via a VPN connection.

1) What is the crypto dynamic-map used for? For a VPN, is the crypto map optional or a MUST?

2) In order to disable the statement:

access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255.248

--What are the differences between using statements a) and b) as follows, and which is better:

a)no crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20

AND

b) no access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255.248

Thanks for the help.

Scott

jackko Tue, 11/15/2005 - 15:33

A dynamic-map is used when the VPN client has no fixed public IP, e.g. a remote user establishing a VPN via a dial-up connection, or a home ADSL user who is assigned a different IP by the ISP.

Alternatively, provided both sites have static public IPs, you can configure a LAN-to-LAN VPN, which involves a normal crypto map rather than a dynamic crypto map.

The main difference between the two is that with a normal crypto map (i.e. LAN-to-LAN), either site can initiate the VPN; whereas with a dynamic crypto map (i.e. remote VPN client or EzVPN), only the client can initiate the VPN. Nonetheless, once the VPN is fully established, both sites can access each other according to the crypto ACL.

Regarding issue #2, the first statement only removes the relation between the ACL and the dynamic crypto map; the ACL will still be sitting in the config. The second statement deletes the ACL completely.

Imagine the same ACL has been shared by the dynamic crypto map and the no-nat. In that case, you don't want to use the second statement because it will affect both the dynamic crypto map and the no-nat; thus you would use the first statement to just remove the mapping between the dynamic crypto map and the ACL, and leave the ACL in the PIX config (for no-nat).

In fact (from memory only), I don't think you can delete the ACL without removing all the mappings/relationships. The PIX will report an error.
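To put the reply above into a concrete configuration, here is an added example (not part of jackko's answer or the original question) in PIX 6.3-era syntax. It shows a normal LAN-to-LAN crypto map entry and a dynamic crypto map entry attached to the same crypto map, the crypto ACL from the question deliberately shared with the NAT exemption, and what each of the two removal commands takes away. The ACL and map names come from the question; the peer address 203.0.113.2, the 192.168.1.0/24 and 192.168.2.0/24 networks, the transform-set and policy names, and the pre-shared key placeholder are assumptions made for this illustration. Lines beginning with `!` are annotations, not commands.

```cisco
! --- Shared objects (constructed example, PIX 6.3-era syntax) ---
! The crypto ACL from the question. It is deliberately shared with the
! NAT exemption (nat 0), which is the situation the reply describes.
access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.248
nat (inside) 0 access-list outside_cryptomap_dyn_20

! Let IPsec-protected traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP) and Phase 2 (IPsec) parameters; names are assumed.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Case 1: remote peers with no fixed public IP (dynamic crypto map) ---
! There is no "set peer": the peer's address is only known once the
! client connects, which is why only the client can initiate the tunnel.
crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dynamic-map-outside 20 set transform-set ESP-AES256-SHA

! --- Case 2: LAN-to-LAN with a static peer (normal crypto map entry) ---
! Both ends know each other's address, so either side can initiate.
access-list outside_cryptomap_10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
isakmp key <PRE-SHARED-KEY> address 203.0.113.2 netmask 255.255.255.255
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES256-SHA

! The dynamic map is referenced from the same crypto map, as its last
! (highest sequence number) entry: static peers match first, anything
! else falls through to the dynamic entry.
crypto map outside_map 65535 ipsec-isakmp dynamic dynamic-map-outside

! Only one crypto map can be applied per interface; this is what
! activates IPsec on "outside".
crypto map outside_map interface outside

! --- The two removal options from the question (use one or the other) ---
! a) Detaches the ACL from dynamic entry 20 only. The ACL stays in the
!    config, so "nat (inside) 0" above keeps working.
no crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20

! b) Deletes the ACL itself. Every consumer of that ACL, including the
!    nat 0 exemption above, loses its definition at the same time, which
!    is why a) is the safer choice when the ACL is shared.
no access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255.248
```

Before deleting a crypto ACL, check what else references it with `show crypto map`, `show crypto dynamic-map` and `show nat` so that option b) does not silently take down the NAT exemption. The AES-256/SHA-1/DH group 2 parameters are shown as what this platform generation supports; on current hardware use stronger Phase 1 and Phase 2 settings than these.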

Posted November 15, 2005 at 11:29 AM