OK, it all depends on when you use dynamic crypto maps, and the rule is that
dynamic maps are used for remote users who need occasional access and for
whom you do not have all the necessary information to create a static crypto
map, such as IP address.

So 

a. You always create dynamic crypto maps with higher numbers.
b. Because a dynamic map does not contain all the information necessary for
an SA to be formed, if an outbound request falls through to a dynamic map
then it will be dropped. An inbound request can fall through to a dynamic
map and the process can begin to form an SA.

Does this make sense to you?

Hunt Lee wrote:
> 
> I am very confused with the following Crypto Map question:
> 
> In the MCNS book (by Cisco Press), it said that if a static crypto map
> entry sees outbound IP traffic that should be protected and the crypto
> map specifies the use of IKE, then a Security Association is negotiated
> with the remote peer according to the parameters included in the crypto
> map entry ( => I understand this, as that's what IKE is for)
> 
> However, the book also said that if a dynamic crypto map entry sees
> outbound traffic that should be protected and NO Security Association
> exists, then the packet will be dropped - why? I thought the
> prerequisite for dynamic crypto map is to use IKE.  And if IKE is used,
> wouldn't it be able to negotiate a Security Association like the first
> scenario?
> 
> Any help will be greatly appreciated.
> 
> Best Regards,
> Hunt Lee
> IP Solution Analyst
> Cable & Wireless
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27914&t=27909
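
The arrangement discussed in this thread, written out as IOS configuration. This is an added example, not taken from either poster or from the MCNS book; the names (TS, DYN, VPN), ACL 101, the interface and all addresses are placeholders, and the IKE (ISAKMP) policy and keys are assumed to be configured separately.

```cisco
! Constructed example: every name, number and address here is a placeholder.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic template. There is no "set peer" because the remote address is
! not known in advance, so the router has nobody to start IKE with.
crypto dynamic-map DYN 10
 set transform-set TS
!
! Static entry, low sequence number. Peer and protected traffic are fully
! specified, so outbound traffic matching ACL 101 can trigger IKE and an
! SA is negotiated with 192.0.2.1.
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 101
!
! Dynamic entry, highest sequence number so it is evaluated last.
! Outbound traffic that falls through to this entry with no existing SA
! is dropped; an inbound negotiation from an unknown peer can match it
! and SA setup can begin.
crypto map VPN 65535 ipsec-isakmp dynamic DYN
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface Serial0
 crypto map VPN
```

On a router configured this way, `show crypto map` lists both entries in sequence order, which is a quick check that the dynamic entry sits below every static one.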