Hope someone can help. I have a PIX setup for several fixed L2L IPSEC VPNs and also allowed Cisco VPN clients to VPN in. I have found that if traffic on one of the fixed VPNs doesn't match its access list it fires up a connection using the dynamic map rather than just dropping the traffic.
When a VPN request connection comes to the PIX, the PIX will attempt to match it against the policies in sequential order.
If it does not find a match on the specific crypto map for the peer, it will continue and find a match on the dynamic crypto map for the VPN clients, since it will accept any policies with any interesting traffic (unless restricted).
To fix this, the best approach is to ensure that all the fixed L2L tunnels terminated on the PIX have the ACLs for interesting traffic defined exactly the same way on both ends of the tunnel.
That's ok at the moment as I have control over both ends, but what if I didn't? Is it possible to put a match ACL on a dynamic map? The IPs assigned to the client VPNs are a range from the PIX I have defined, i.e. 10.0.50.0/24.
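The following PIX 6.x configuration fragment is an added illustration of the two points above (the sequential static-then-dynamic evaluation described in the reply, and the follow-up question about putting a match ACL on the dynamic map); it is not configuration posted by anyone in the thread. The only value taken from the thread is the client pool 10.0.50.0/24; the inside LAN 192.168.1.0/24, the remote L2L LAN 192.168.2.0/24, the peer address 203.0.113.2, and all ACL, map and group names are assumed placeholders. ISAKMP policy, pre-shared keys and `sysopt connection permit-ipsec` are omitted.

```cisco
! Added example, not from the thread. Assumed values: inside LAN 192.168.1.0/24,
! remote L2L LAN 192.168.2.0/24, L2L peer 203.0.113.2. Client pool 10.0.50.0/24
! is the one value taken from the thread.

! Interesting traffic for the fixed L2L tunnel. The far end's ACL must be the
! mirror image of this one; a proposal that does not match here is tried
! against later crypto map entries instead of being dropped.
access-list l2l_siteB permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Traffic the dynamic (VPN client) entry is allowed to protect: inside LAN to
! the client address pool only. Without a match address the dynamic entry
! accepts whatever proxy identities a peer proposes.
access-list dyn_clients permit ip 192.168.1.0 255.255.255.0 10.0.50.0 255.255.255.0

! Address pool handed out to Cisco VPN clients.
ip local pool vpnpool 10.0.50.1-10.0.50.254
vpngroup clients address-pool vpnpool

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Static L2L entry: low sequence number, so it is evaluated first.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_siteB
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA

! Dynamic entry, restricted with its own match address so that an L2L peer
! whose proposal falls through from sequence 10 is rejected rather than
! accepted as if it were a VPN client.
crypto dynamic-map dynmap 10 match address dyn_clients
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA

! The dynamic entry gets the highest sequence number so it is consulted last.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
```

Two caveats a practitioner should check before relying on this. First, a `match address` on a dynamic map constrains the proxy identities the PIX will accept from clients as well, so a Cisco VPN client configured for full tunnelling (which proposes 0.0.0.0/0 as the remote side) may no longer negotiate; test with the client configuration actually in use, and with split tunnelling if needed, before deploying. Second, after a change verify with `show crypto ipsec sa` which crypto map entry each peer's SA was built from: an L2L peer whose SA shows up under the dynamic map's sequence number is exactly the symptom the original post describes.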