
crypto dynamic-map and VPN

The system architecture is like this: A PIX firewall with a global public IP and inside is the private network. A remote location will try to access the firewall via a VPN connection.

1) What is the crypto dynamic-map used for? For a VPN, is the crypto map optional or a MUST?

2) In order to disable the statement of:

access-list outside_cryptomap_dyn_20 line 1 permit ip any

What are the differences between using statements a) and b) as follows, and which is better:

a) no crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20

b) no access-list outside_cryptomap_dyn_20 line 1 permit ip any

Thanks for the help.



Re: crypto dynamic-map and VPN

dynamic-map is used when the vpn client has no fixed public ip, e.g. a remote user establishing vpn via a dial-up connection or a home adsl user who is assigned a different ip by the isp.

alternatively, providing both sites have static public ips, then you can configure lan-lan vpn, which involves normal crypto map rather than dynamic crypto map.

the main difference between the two is that with normal crypto map (i.e. lan-lan), either site can initiate the vpn; whereas with dynamic crypto map (i.e. remote vpn client or ezvpn), only the client can initiate the vpn. nonetheless, once the vpn is fully established, both sites can access each other according to the crypto acl.

regarding the issue #2, the first statement is to remove the relation between the acl and the dynamic crypto map only, the acl will be sitting in the config; whereas the second statement is to delete the acl completely.

imagine the same acl has been shared by the dynamic crypto map and the no-nat. in that case, you don't want to use the second statement because it will affect both the dynamic crypto map as well as the no-nat; thus you will use the first statement to just remove the mapping between the dynamic crypto map and the acl, and leave the acl in the pix config (for no-nat).

in fact, (from memory only) i don't think you can delete the acl without removing all the mapping/relationship. pix will report an error.
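
The shared-ACL case described in the reply, as an added example that is not part of the original thread: a pre-change check that lists every command referencing an ACL before anyone deletes it. The ACL and dynamic-map names come from the question; the sample configuration, its addresses, `acl_out`, `outside_map`, the transform-set name and the function names are constructed for illustration.

```python
import re

# Constructed sample PIX configuration (not from the thread). Only the ACL name
# and the dynamic-map name are taken from the question; the rest is assumed.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acl_out permit tcp any host 203.0.113.10 eq www
nat (inside) 0 access-list outside_cryptomap_dyn_20
access-group acl_out in interface outside
crypto dynamic-map dynamic-map-outside 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dynamic-map-outside 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic dynamic-map-outside
"""

# Commands that reference an ACL by name, with the role the ACL plays there.
REFERENCE_PATTERNS = [
    ("dynamic crypto map", re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (?P<acl>\S+)$")),
    ("static crypto map", re.compile(r"^crypto map (\S+) (\d+) match address (?P<acl>\S+)$")),
    ("no-nat", re.compile(r"^nat \((\S+)\) 0 access-list (?P<acl>\S+)$")),
    ("interface filter", re.compile(r"^access-group (?P<acl>\S+) in interface (\S+)$")),
]

def acl_references(config, acl_name):
    """Return (role, config line) for every command that uses acl_name."""
    refs = []
    for line in config.splitlines():
        line = line.strip()
        for role, pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m and m.group("acl") == acl_name:
                refs.append((role, line))
    return refs

def removal_plan(config, acl_name, unbind_role):
    """Separate the bindings to remove with 'no' from the ones that still need the ACL."""
    refs = acl_references(config, acl_name)
    unbind = ["no " + line for role, line in refs if role == unbind_role]
    still_used_by = [role for role, _ in refs if role != unbind_role]
    return {"unbind": unbind, "still_used_by": still_used_by,
            "safe_to_delete_acl": not still_used_by}

if __name__ == "__main__":
    plan = removal_plan(SAMPLE_CONFIG, "outside_cryptomap_dyn_20", "dynamic crypto map")
    for cmd in plan["unbind"]:
        print(cmd)
    print("ACL still used by:", plan["still_used_by"] or "nothing")
```

On the constructed sample the plan unbinds only the dynamic crypto map and reports that the no-nat rule still depends on the ACL, so the ACL itself stays in the configuration.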