Solved

multiple pix vpn's

Posted on 2004-08-21
10
297 Views
Last Modified: 2010-04-11
So.. In order to have multiple tunnels I normally just set up a crypto map mapname ... all the necessary statements.. and for each tunnel on the map, I add a 10, 20, 30 or whatever...

The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks out (i'm going in through ssh).. the only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.

Why is this happening? it seems retarded that I would have to shut everything down this way...

My question is.. could it be because I need to put my crypto map mapname 20 match address access-list ... first?

the last time this happened was when I was adding an the first statement for the additional tunnel.. crypto map mapname 20 ipsec-isakmp... is it just negotiating everything as a tunnel and that's what is f'ing it up?

Can I just change the order of my commands? do I have to create a brand new crypto map every time.. or what do I do to eliminate downtime?

thanks.

 
0
Comment
Question by:sasecool
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11859880
The easy way is to first remove the map from the interface, then make  your changes, then re-apply the map..

pix(config)#no crypto map CRYMAP interface outside

Add new crypto map entries:

  access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0

  crypto map CRYMAP 40 ipsec-isakmp
  crypto map CRYMAP 40 match address outside_cryptomap_40
  crypto map CRYMAP 40 set peer A.B.C.D
  crypto map CRYMAP 40 set transform-set ESP-3DES-SHA

Re-apply the map:

crypto map CRYMAP interface outside

0
 

Expert Comment

by:pmctingr
ID: 11859974
Also before you reapply the new crypto map to the interface enter these commands:

  clear crypto isakmp sa
  clear crypto ipsec sa

0
 

Author Comment

by:sasecool
ID: 11862434
but that still will kill the vpn tunnel. that is precisely what I have been doing
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11863674
>but that still will kill the vpn tunnel.
Yes, you can't help that if you are ssh in. Try using https and using the multi-line command line function.
0
 
LVL 4

Assisted Solution

by:periferral
periferral earned 250 total points
ID: 11875138
Yep. It is a problem with the PIX. Inorder to apply a new cryptomap onto your headend PIX, you will need to do a no crypto map blah and reapply which will bring down the tunnel.
You will need Pix Device Manager which is freely available on the Cisco Site. Through PDM (https) you will be able to add multiple lines of command simulateneosly. This way you can apply a new map without bringing down an exisiting tunnel. Dont do a clear ipsec sa or clear isa sa  because this will bring down the tunnel as well.
PIX also supports xml configuration using http and you should be able to add new crypto maps using this feature since this too takes in multiples lines of configuration at once.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12705752
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
0
 
LVL 4

Expert Comment

by:periferral
ID: 12708595
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didnt suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now