Pix to Pix: Initiate VPN on one side only...

Discussion in 'Cisco' started by BG, Nov 17, 2003.

  1. BG

    BG Guest

    I have established VPN connection from one Pix 506 to several Pix 501 for
    server admin purposes. However, I do not want it to be possible to
    initiate/establish the tunnels from the 501s, i.e. it should not be possible
    for the users out there to establish tunnels...

    How do I do this? Preferably, is there a neat way to fix this in the PDM
    (3.0(1))?



    BG
     
    BG, Nov 17, 2003
    #1

  2. :I have established VPN connection from one Pix 506 to several Pix 501 for
    :server admin purposes. However, I do not want it to be possible to
    :initiate/establish the tunnels from the 501s, i.e. it should not be possible
    :for the users out there to establish tunnels...

    :How do I do this? Preferably, is there a neat way to fix this in the PDM
    :(3.0(1))?

    I haven't used PDM very much at all, so I don't know how it would be
    done at that level.

    The strategy to use is to create a standard 'crypto map' on the 506,
    but on the 501s, instead use 'crypto dynamic-map'. You can't
    initiate a connection outwards via a dynamic map because it doesn't
    know the peer to connect to.

    At the CLI level, setting up a dynamic map is not much different
    than setting up a standard map.
     
    Walter Roberson, Nov 17, 2003
    #2
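
The strategy from the reply above, written out as PIX 6.x CLI for the 506 and one 501. This is an added example, not configuration posted in the thread; the addresses (192.0.2.1 for the 506, 198.51.100.2 for the 501), inside networks, map and ACL names and the `<pre-shared-key>` placeholder are constructed, and it assumes each 501 has a fixed outside address the 506 can reach. Lines starting with `:` are comments.

```cisco
: ---- Central Pix 506 (initiator): static crypto map, one entry per 501 ----
access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list TO_501A permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set ADMINSET esp-3des esp-sha-hmac
crypto map ADMINMAP 10 ipsec-isakmp
crypto map ADMINMAP 10 match address TO_501A
: 'set peer' names the remote end, which is what lets this side initiate
crypto map ADMINMAP 10 set peer 198.51.100.2
crypto map ADMINMAP 10 set transform-set ADMINSET
: further 501s get their own entries (20, 30, ...) with their own peer and ACL
crypto map ADMINMAP interface outside
isakmp enable outside
isakmp key <pre-shared-key> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

: ---- Remote Pix 501 (responder only): dynamic map, no 'set peer' anywhere ----
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set ADMINSET esp-3des esp-sha-hmac
: the dynamic map only carries the transform set; the peer is learned
: from the incoming negotiation, so nothing here can start a tunnel
crypto dynamic-map ADMINDYN 10 set transform-set ADMINSET
crypto map ADMINMAP 20 ipsec-isakmp dynamic ADMINDYN
crypto map ADMINMAP interface outside
isakmp enable outside
: key bound to the 506's address only, not a 0.0.0.0 wildcard,
: so no other host can complete phase 1 against this 501
isakmp key <pre-shared-key> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

The tunnel comes up when traffic from the 506's inside network matches `TO_501A`; `show crypto isakmp sa` and `show crypto ipsec sa` on either unit show the resulting security associations.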
