Hunt,

Dynamic crypto maps are used when we don't know ahead of time some of the parameters for the SA or IKE associations to be made. This would be the case if someone is ringing in from home and it is not a device (router, firewall) to device (router, firewall) situation where the parameters can be set up, e.g. roaming users' IP address. This would also be associated, I believe, with a transport type connection.

So an outbound connection cannot be made when the dynamic parameters of the remote site/device must be set from an inbound connection. Therefore, any outbound traffic MUST only be received once the remote user has set up an SA with the device.

It follows from the above that outbound traffic that needs to be encrypted on a dynamic crypto map, where an SA has not been established, must be dropped.

Sorry for the convoluted nature of the argument but the line above says it all.

Cheers

Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842 Fax: 9950 0074

>>> "Hunt Lee" 1/12/01 19:43:05 >>>

I am very confused with the following Crypto Map question:

In the MCNS book (by Cisco Press), it said that if a static crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, then a Security Association is negotiated with the remote peer according to the parameters included in the crypto map entry (=> I understand this, as that's what IKE is for).

However, the book also said that if a dynamic crypto map entry sees outbound traffic that should be protected and NO Security Association exists, then the packet will be dropped - why?

I thought the prerequisite for dynamic crypto map is to use IKE. And if IKE is used, wouldn't it be able to negotiate a Security Association like the first scenario?

Any help will be greatly appreciated.

Best Regards,
Hunt Lee
IP Solution Analyst
Cable & Wireless

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27953&t=27909
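
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not Cisco IOS code) of how a gateway handles outbound traffic that matches a static versus a dynamic crypto map entry. The class names, networks and peer addresses are constructed for illustration, and keying SAs by protected network is an assumption of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CryptoMapEntry:
    protected: str              # destination network to protect (constructed value)
    peer: Optional[str] = None  # static entries name the peer; dynamic entries cannot


@dataclass
class Gateway:
    entries: list
    sas: dict = field(default_factory=dict)  # protected network -> peer address

    def inbound_negotiation(self, peer: str, remote_net: str) -> None:
        """The remote user initiates IKE; only now does the gateway learn the peer."""
        self.sas[ip_network(remote_net)] = peer

    def outbound(self, dst: str) -> str:
        addr = ip_address(dst)
        # 1. An existing SA covering the destination is always used.
        for net, peer in self.sas.items():
            if addr in net:
                return f"encrypt to {peer}"
        # 2. Otherwise find the first crypto map entry that protects this traffic.
        for entry in self.entries:
            if addr not in ip_network(entry.protected):
                continue
            if entry.peer is None:
                # Dynamic entry: there is no peer address to start IKE with.
                return "drop"
            # Static entry: IKE is initiated to the configured peer.
            self.sas[ip_network(entry.protected)] = entry.peer
            return f"negotiate SA with {entry.peer}, then encrypt"
        return "forward in clear"


if __name__ == "__main__":
    gw = Gateway([CryptoMapEntry("10.2.0.0/16", peer="192.0.2.1"),  # static
                  CryptoMapEntry("10.9.0.0/16")])                   # dynamic
    print(gw.outbound("10.2.3.4"))   # static entry: gateway can initiate
    print(gw.outbound("10.9.9.5"))   # dynamic entry, no SA yet
    gw.inbound_negotiation("203.0.113.77", "10.9.9.5")
    print(gw.outbound("10.9.9.5"))   # SA now exists from the inbound negotiation
```
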