Core issue
Dynamic maps are used on the PIX Firewall when the IP address of an incoming client connection is not known. Clients can use any global IP address from any location to connect to the PIX. Cisco VPN clients and EZVPN users are considered dynamic clients.
Resolution
To configure a dynamic map on PIX 7.x, perform these steps:
- Define the transform set to be used during IPSec security association (SA) negotiation. Specify Data Encryption Standard (DES), Triple DES (3DES) or Advanced Encryption Standard (AES) as the encryption algorithm:
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
- Create a dynamic crypto map entry and add it to a static crypto map:
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
- Bind the crypto map to the outside interface:
crypto map map1 interface outside
For additional information on dynamic maps, refer to PIX-to-PIX (Version 7.x and Later) Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example.
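The commands in the steps above refer to each other by name: the dynamic map names a transform set, the static crypto map names the dynamic map, and the interface binding names the static crypto map. The Python check below is an added example, not part of the original document or Cisco tooling; the function name `audit_dynamic_maps` and the sample text are constructed here. It verifies that chain in a saved configuration and flags single DES, the weakest of the three encryption options listed in the first step.

```python
import re

# Constructed sample: the commands from the steps above as one config fragment.
SAMPLE_CONFIG = """\
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
"""

def audit_dynamic_maps(config):
    """Return a list of findings; an empty list means the chain is complete."""
    tsets, dyn_uses, attach, bound = {}, {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = m[2].split()            # set name -> transforms
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line):
            dyn_uses.setdefault(m[1], []).extend(m[2].split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            attach[m[2]] = m[1]                   # dynamic map -> static map
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound.add(m[1])                       # static maps bound to an interface
    findings = []
    for dyn, names in dyn_uses.items():
        for ts in names:
            if ts not in tsets:
                findings.append(f"{dyn}: transform set {ts} is not defined")
            elif "esp-des" in tsets[ts]:
                findings.append(f"{dyn}: transform set {ts} uses single DES")
        static = attach.get(dyn)
        if static is None:
            findings.append(f"{dyn}: not added to any static crypto map")
        elif static not in bound:
            findings.append(f"{dyn}: crypto map {static} is not bound to an interface")
    return findings

if __name__ == "__main__":
    for finding in audit_dynamic_maps(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```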