Pix to Pix: Initiate VPN on one side only...


I have established VPN connection from one Pix 506 to several Pix 501 for
server admin purposes. However, I do not want it to be possible to
initiate/establish the tunnels from the 501s, i.e. it should not be possible
for the users out there to establish tunnels...

How do I do this? Preferably, is there a neat way to fix this in the PDM
(3.0(1))?



BG



Reply BG 11/17/2003 10:40:55 AM

In article <3B1ub.7178$mf2.99596@news4.e.nsc.no>,
BG <young_neils@hotmail.com> wrote:
:I have established VPN connection from one Pix 506 to several Pix 501 for
:server admin purposes. However, I do not want it to be possible to
:initiate/establish the tunnels from the 501s, i.e. it should not be possible
:for the users out there to establish tunnels...

:How do I do this? Preferably, is there a neat way to fix this in the PDM
:(3.0(1))?

I haven't used PDM very much at all, so I don't know how it would be
done at that level.

The strategy to use is to create a standard 'crypto map' on the 506,
but on the 501s, instead use 'crypto dynamic-map'. You can't
initiate a connection outwards via a dynamic map because it doesn't
know the peer to connect to.

At the CLI level, setting up a dynamic map is not much different
than setting up a standard map.
-- 
   Warhol's Law: every Usenet user is entitled to his or her very own
   fifteen minutes of flame                  -- The Squoire

Reply roberson 11/17/2003 6:40:36 PM
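
The static-map/dynamic-map split described in the reply above, as an added example that is not part of the original thread: constructed PIX 6.x-style config fragments for both ends, plus a small Python check that reports which peers a unit is able to initiate a tunnel to. The map names, ACL name and addresses are made up for illustration, and the check assumes that an entry with no 'set peer' cannot initiate.

```python
import re

# Constructed sample fragments (PIX 6.x style). Names and addresses are made up;
# 192.0.2.10 is a documentation address standing in for one 501's outside IP.
PIX506 = """\
access-list vpn501 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set admin esp-3des esp-sha-hmac
crypto map tomany 10 ipsec-isakmp
crypto map tomany 10 match address vpn501
crypto map tomany 10 set peer 192.0.2.10
crypto map tomany 10 set transform-set admin
crypto map tomany interface outside
"""

PIX501 = """\
crypto ipsec transform-set admin esp-3des esp-sha-hmac
crypto dynamic-map fromhq 10 set transform-set admin
crypto map inbound 65535 ipsec-isakmp dynamic fromhq
crypto map inbound interface outside
"""

def initiating_peers(config):
    """Peers named by 'set peer' in crypto maps that are bound to an interface."""
    peers = {}     # map name -> peer addresses from static entries
    bound = set()  # map names applied to an interface
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto map (\S+) \d+ set peer (\S+)", line)
        if m:
            peers.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"crypto map (\S+) interface \S+", line)
        if m:
            bound.add(m.group(1))
    return sorted(p for name in bound for p in peers.get(name, []))

def dynamic_entries(config):
    """(map, sequence, dynamic-map) for entries that only answer incoming tunnels."""
    return re.findall(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)",
                      config, re.M)

if __name__ == "__main__":
    for name, cfg in (("506", PIX506), ("501", PIX501)):
        print(name, "can initiate to:", initiating_peers(cfg) or "nobody",
              "| dynamic entries:", dynamic_entries(cfg))
```

Run against the saved configuration of each 501, an empty list from `initiating_peers` confirms that the unit holds no peer address to start a tunnel toward.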

