Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 336
  • Last Modified:

multiple pix vpn's

So.. In order to have multiple tunnels I normally just set up a crypto map mapname ... all the necessary statements.. and for each tunnel on the map, I add a 10, 20, 30 or whatever...

The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks out (i'm going in through ssh).. the only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.

Why is this happening? it seems retarded that I would have to shut everything down this way...

My question is.. could it be because I need to put my crypto map mapname 20 match address access-list ... first?

the last time this happened was when I was adding an the first statement for the additional tunnel.. crypto map mapname 20 ipsec-isakmp... is it just negotiating everything as a tunnel and that's what is f'ing it up?

Can I just change the order of my commands? do I have to create a brand new crypto map every time.. or what do I do to eliminate downtime?

thanks.

 
0
sasecool
Asked:
sasecool
2 Solutions
 
lrmooreCommented:
The easy way is to first remove the map from the interface, then make  your changes, then re-apply the map..

pix(config)#no crypto map CRYMAP interface outside

Add new crypto map entries:

  access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0

  crypto map CRYMAP 40 ipsec-isakmp
  crypto map CRYMAP 40 match address outside_cryptomap_40
  crypto map CRYMAP 40 set peer A.B.C.D
  crypto map CRYMAP 40 set transform-set ESP-3DES-SHA

Re-apply the map:

crypto map CRYMAP interface outside

0
 
pmctingrCommented:
Also before you reapply the new crypto map to the interface enter these commands:

  clear crypto isakmp sa
  clear crypto ipsec sa

0
 
sasecoolAuthor Commented:
but that still will kill the vpn tunnel. that is precisely what I have been doing
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
lrmooreCommented:
>but that still will kill the vpn tunnel.
Yes, you can't help that if you are ssh in. Try using https and using the multi-line command line function.
0
 
periferralCommented:
Yep. It is a problem with the PIX. Inorder to apply a new cryptomap onto your headend PIX, you will need to do a no crypto map blah and reapply which will bring down the tunnel.
You will need Pix Device Manager which is freely available on the Cisco Site. Through PDM (https) you will be able to add multiple lines of command simulateneosly. This way you can apply a new map without bringing down an exisiting tunnel. Dont do a clear ipsec sa or clear isa sa  because this will bring down the tunnel as well.
PIX also supports xml configuration using http and you should be able to add new crypto maps using this feature since this too takes in multiples lines of configuration at once.

0
 
lrmooreCommented:
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
0
 
periferralCommented:
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didnt suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now