RE: Static + Dynamic crypto map on the same interface

Sadiq,

Ryan's reference to comparing it to an ACL is exactly how it works. FYI
this is the same on IOS devices.

Regards,
 
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott_at_ipexpert.com
 

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan
West
Sent: Wednesday, April 29, 2009 5:22 PM
To: Sadiq Yakasai; Cisco certification; Cisco certification
Subject: RE: Static + Dynamic crypto map on the same interface

If you're referring to a an any source match dynamic crypto map, typically
used for RA VPN, then yes. This has been like that since PIX days. Think
about like a top down ACL, it gets to the any and just stops looking there.
I typically configured all my crypto maps with the dynmap at 65535 to avoid
that issue.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Wednesday, April 29, 2009 5:16 PM
To: Cisco certification; Cisco certification
Subject: Static + Dynamic crypto map on the same interface

Hi Guys,

After troubleshooting this mutha f**ker for 4 days, i am only coming to this
realization.

When I have a Dynamic as well as a Static crypto map configuration on the
same interface (Outside) of an ASA, the Dynamic entry needs to have a higher
entry number (lower priotity) than the Static for the L2L (Static) VPN to
work! Whenever I put the Dynamic entry first, the L2L VPN just doesnt work.

The remote (Dynamic, EZVPN) config works regardless of the order though.
Anyone seen this behaviour or is this related to the version of code I am
running. This is 8.0. Or is this really "known" information which I have
missed somehow.

Excuse my languge pls, need to vent it out somewhere :-)

Thanks as usual guys,
Sadiq

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net