Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
1
Replies

Dynamic and static crypto map security hole

aliver
Level 1
Level 1

‎10-21-2004 12:21 AM

Hello, everybody!

There is PIX525 with dynamic VPN connections for mobile clients. Dynamic crypto map is used. IP-addresses from local pool, authentication throuth radius server with downloading ACL per user. Work normally.

Task: add peer-to-peer IPSEC tunnel to remote client with all security rules.

I see such hole in security and don't know how it close. If on remote side of peer-to-peer tunnel client use ip-addres from my pool for dynamic VPN, he able to connect to any my inside resources throuth dynamic crypto map, because authentication passed with pre-shared key and ACL for dynamic VPN is include local pool addresses and passed too.

How to fix this hole?

Suggest me, please!

Labels:
0 Helpful
1 Reply 1

ozgur.guler
Level 1
Level 1

‎10-23-2004 11:41 PM

you shoulde remove

sysopt permit connection ipsec

from your configuration if there is any,

and use the outside acl to restrict your pool ips.

HTH

0 Helpful
Customers Also Viewed These Support Documents