Solved

multiple pix vpn's

Posted on 2004-08-21
10
324 Views
Last Modified: 2010-04-11
So.. In order to have multiple tunnels I normally just set up a crypto map mapname ... all the necessary statements.. and for each tunnel on the map, I add a 10, 20, 30 or whatever...

The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks me out (I'm going in through SSH). The only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.

Why is this happening? It seems retarded that I would have to shut everything down this way...

My question is.. could it be because I need to put my crypto map mapname 20 match address access-list ... first?

The last time this happened was when I was adding the first statement for the additional tunnel.. crypto map mapname 20 ipsec-isakmp... is it just negotiating everything as a tunnel and that's what is f'ing it up?

Can I just change the order of my commands? Do I have to create a brand new crypto map every time.. or what do I do to eliminate downtime?

thanks.

Question by:sasecool
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11859880
The easy way is to first remove the map from the interface, then make your changes, then re-apply the map..

pix(config)#no crypto map CRYMAP interface outside

Add new crypto map entries:

  access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0

  crypto map CRYMAP 40 ipsec-isakmp
  crypto map CRYMAP 40 match address outside_cryptomap_40
  crypto map CRYMAP 40 set peer A.B.C.D
  crypto map CRYMAP 40 set transform-set ESP-3DES-SHA

Re-apply the map:

crypto map CRYMAP interface outside

0
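The lock-out described in the question is typically what happens when a crypto map sequence entry is applied while it is still incomplete (the entry exists but has no match address, peer or transform-set yet). The following script is an added example, not code from the thread or from Cisco: it lints a saved PIX running-config for incomplete or dangling crypto map entries, and wraps a set of new lines in the unbind/rebind sequence lrmoore describes so they can be pasted as one batch. The sample config is constructed for this example; it reuses the names from the answer above (CRYMAP, outside_cryptomap_40, ESP-3DES-SHA) and uses documentation-range peer addresses.

```python
"""Lint PIX crypto map entries before applying a change (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample running-config. Entry 40 is incomplete (no 'set transform-set'),
# and entry 50 refers to an access-list that is never defined.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.123.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address outside_cryptomap_20
crypto map CRYMAP 20 set peer 198.51.100.20
crypto map CRYMAP 20 set transform-set ESP-3DES-SHA
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer 198.51.100.40
crypto map CRYMAP 50 ipsec-isakmp
crypto map CRYMAP 50 match address outside_cryptomap_50
crypto map CRYMAP 50 set peer 198.51.100.50
crypto map CRYMAP 50 set transform-set ESP-3DES-SHA
crypto map CRYMAP interface outside
"""

CRYPTO_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")      # map name, seq, statement
ACL_LINE = re.compile(r"^access-list (\S+) ")
TRANSFORM_LINE = re.compile(r"^crypto ipsec transform-set (\S+)")

# Statements every ipsec-isakmp sequence entry needs before it can negotiate.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_config(config):
    """Return (entries, acls, transform_sets) parsed from the config text.

    entries maps (map_name, seq) -> list of statements attached to that sequence.
    """
    entries = defaultdict(list)
    acls, transform_sets = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := CRYPTO_ENTRY.match(line):
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
        elif m := ACL_LINE.match(line):
            acls.add(m.group(1))
        elif m := TRANSFORM_LINE.match(line):
            transform_sets.add(m.group(1))
    return entries, acls, transform_sets


def lint_crypto_maps(config):
    """Return (map_name, seq, problem) tuples for entries that are incomplete or dangling."""
    entries, acls, transform_sets = parse_config(config)
    findings = []
    for (map_name, seq), stmts in sorted(entries.items()):
        for req in REQUIRED:
            if not any(s.startswith(req) for s in stmts):
                findings.append((map_name, seq, f"missing '{req}'"))
        for s in stmts:
            if s.startswith("match address "):
                acl = s.split()[2]
                if acl not in acls:
                    findings.append((map_name, seq, f"references undefined access-list '{acl}'"))
            elif s.startswith("set transform-set "):
                for ts in s.split()[2:]:
                    if ts not in transform_sets:
                        findings.append((map_name, seq, f"references undefined transform-set '{ts}'"))
    return findings


def build_change_batch(map_name, interface, new_lines):
    """Wrap new crypto map lines in the unbind/rebind sequence from the answer above,
    so the whole set is pasted as one batch rather than typed line by line."""
    return ([f"no crypto map {map_name} interface {interface}"]
            + list(new_lines)
            + [f"crypto map {map_name} interface {interface}"])


if __name__ == "__main__":
    for map_name, seq, problem in lint_crypto_maps(SAMPLE_CONFIG):
        print(f"{map_name} seq {seq}: {problem}")
    print("\n".join(build_change_batch("CRYMAP", "outside",
                                       ["crypto map CRYMAP 40 set transform-set ESP-3DES-SHA"])))
```

Run the linter against a copy of the running-config (for example, `show run` output saved to a file) before pasting a batch; an entry it flags would be applied half-built, which is exactly the state in which the firewall starts treating traffic according to an unfinished policy.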
 

Expert Comment

by:pmctingr
ID: 11859974
Also before you reapply the new crypto map to the interface enter these commands:

  clear crypto isakmp sa
  clear crypto ipsec sa

0
 

Author Comment

by:sasecool
ID: 11862434
but that still will kill the vpn tunnel. that is precisely what I have been doing
0

 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11863674
>but that still will kill the vpn tunnel.
Yes, you can't help that if you are ssh in. Try using https and using the multi-line command line function.
0
 
LVL 4

Assisted Solution

by:periferral
periferral earned 250 total points
ID: 11875138
Yep. It is a problem with the PIX. In order to apply a new cryptomap onto your headend PIX, you will need to do a no crypto map blah and reapply, which will bring down the tunnel.
You will need PIX Device Manager, which is freely available on the Cisco site. Through PDM (https) you will be able to add multiple lines of command simultaneously. This way you can apply a new map without bringing down an existing tunnel. Don't do a clear ipsec sa or clear isa sa because this will bring down the tunnel as well.
PIX also supports XML configuration using http, and you should be able to add new crypto maps using this feature since this too takes in multiple lines of configuration at once.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12705752
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
0
 
LVL 4

Expert Comment

by:periferral
ID: 12708595
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didn't suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
0