Question, Dynamic VPN

Hey all,

This has always bugged the crap out of me and I can't find an answer anywhere.

On a static to dynamic VPN, Pix, Router, whatever platform, doesn't matter, how the heck does the static end know what traffic to put in the tunnel? On the static side you give it the nonat for the dynamic side, you give it a as the peer, but you don't specify the "match address" in the map.....On the dynamic side you give it everything, peer ip, nonat and the appropriate "match address" in the map.

How the heck does it know what traffic to put in to that tunnel?


Reply to
Brian V
Loading thread data ...

Answering with respect to PIX 5/6:

On a PIX with static IP address that is to receive connections from a dynamic device, you configure a crypto dynamic-map with at least a transform set, and you "inject" that dynamic-map into the regular crypto map with a special keyword. You do *not* specify a peer at all (not even as

Optionally, you may put in a match address clause, which may go either in the dynamic-map entry or the main crypto-map entry that refers to the dynamic map.

If you do specify a match address clause and there is a destination of 'any' in it, then when the PIX negotiates the connection, it will automatically narrow the 'any' down to just the address assigned to the dynamic peer (via 'ip pool' or 'vpngroup address-pool')

If you do not specify a match address clause, then the PIX automatically creates a temporary ACL with a source of 'any' and a destination of the address assigned to the dynamic peer, and the PIX then attaches that temporary ACL with a temporary match address clause, and then proceeds as if the match address had originally been there.

Reply to
Walter Roberson

Heya Walter, Thanks for the reply. Would it be safe to assume (damn I hate that word) that it uses a dynamic ACL for the dynamic site? You say it does a temp permit all, then it must tighten that down....I can't seem to find anything on CCO regarding this and how it works. About that not specifying the peer...I could see that being used for cert based VPN, but you would have to specify a when using preshared's. Out of the 100's of tunnels I've knocked up, all of them have been preshared. Am I wrong here? I can't see how to do preshared with specifying the

formatting link


Reply to
Brian V Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.