Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
674
Views
5
Helpful
1
Replies

crypto dynamic-map and VPN

otnj2ee
Level 1
Level 1

‎11-15-2005 11:29 AM - edited ‎02-21-2020 02:06 PM

The system architecture is like this: A PIX firewall with a global public IP and inside is the private network. A remote locationn will try to access to the firewall via VPN connection.

1) What is the crypto dynamic-map used for? For a VPN, is the crypto map an optional or a MUST?

2) In order to disable the statement of:

access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255.248

--What are the differences between use statements a) and b) as follows, which is better:

a)no crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20

AND

b) no access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.10.0 255.255.255.248

Thanks to help.

Scott

Labels:
0 Helpful
1 Reply 1

jackko
Level 7
Level 7

‎11-15-2005 03:33 PM

dynamic-map is used when the vpn client has no fixed public ip. e.g. a remote user establishing vpn via a dial-up connection or a home adsl user that being assigned a different ip from the isp.

alternatively, providing both sites have static public ips, then you can configure lan-lan vpn, which involves normal crypto map rather than dynamic crypto map.

the main difference between the two is that with normal crypto map (i.e. lan-lan), either sites can initiate the vpn; whereas with dynamic crypto map (i.e remote vpn client or ezvpn), only the client can initiate the vpn. nonetheless, once the vpn is fully established, both sites can access each other according to the crypto acl.

regarding the issue #2, the first statement is to remove the relation between the acl and the dynamic crypto map only, the acl will be sitting in the config; whereas the second statement is to delete the acl completely.

imagine the same acl has been shared by the dynamic crypto map and the no-nat. in that case, you don't want to use the second statement becase it will affect both dynmaic crypto map as well as the no-nat; thus you will use the first statement to just remove the mapping between the dynamic crypto map and the acl, and leave the acl in the pix config (for no-nat).

in fact, (from memory only) i don't think you can delete the acl without removing all the mapping/relationship. pix will report an error.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents