Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure dynamic maps in a PIX 500 series Firewall with software version PIX 7.x ?

Core issue

Dynamic maps are used on the PIX Firewall when the IP address of an incoming client connection is  not known. Clients can use any global IP address from any location to connect  to the PIX. Cisco VPN clients and EZVPN users are considered dynamic clients.


To configure a dynamic map on PIX 7.x, perform these steps:

  1. Define the transform set to be used during IPSec    security association (SA) negotiation. Specify Data Encryption Standard (DES), Triple DES (3DES) or Advanced Encryption Standard (AES) as the encryption algorithm:

    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

  2. Create a dynamic crypto map entry and add it to a static crypto map:

    crypto dynamic-map map2 10 set transform-set trmset1

    crypto map map1 10 ipsec-isakmp dynamic map2

  3. Bind the crypto map to the outside interface:

    crypto map map1 interface outside

For additional information on dynamic maps, refer toPIX-to-PIX (Version 7.x and Later) Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example.