?
Solved

multiple pix vpn's

Posted on 2004-08-21
10
Medium Priority
?
330 Views
Last Modified: 2010-04-11
So.. In order to have multiple tunnels I normally just set up a crypto map mapname ... all the necessary statements.. and for each tunnel on the map, I add a 10, 20, 30 or whatever...

The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks out (i'm going in through ssh).. the only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.

Why is this happening? it seems retarded that I would have to shut everything down this way...

My question is.. could it be because I need to put my crypto map mapname 20 match address access-list ... first?

the last time this happened was when I was adding an the first statement for the additional tunnel.. crypto map mapname 20 ipsec-isakmp... is it just negotiating everything as a tunnel and that's what is f'ing it up?

Can I just change the order of my commands? do I have to create a brand new crypto map every time.. or what do I do to eliminate downtime?

thanks.

 
0
Comment
Question by:sasecool
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11859880
The easy way is to first remove the map from the interface, then make  your changes, then re-apply the map..

pix(config)#no crypto map CRYMAP interface outside

Add new crypto map entries:

  access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0

  crypto map CRYMAP 40 ipsec-isakmp
  crypto map CRYMAP 40 match address outside_cryptomap_40
  crypto map CRYMAP 40 set peer A.B.C.D
  crypto map CRYMAP 40 set transform-set ESP-3DES-SHA

Re-apply the map:

crypto map CRYMAP interface outside

0
 

Expert Comment

by:pmctingr
ID: 11859974
Also before you reapply the new crypto map to the interface enter these commands:

  clear crypto isakmp sa
  clear crypto ipsec sa

0
 

Author Comment

by:sasecool
ID: 11862434
but that still will kill the vpn tunnel. that is precisely what I have been doing
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11863674
>but that still will kill the vpn tunnel.
Yes, you can't help that if you are ssh in. Try using https and using the multi-line command line function.
0
 
LVL 4

Assisted Solution

by:periferral
periferral earned 1000 total points
ID: 11875138
Yep. It is a problem with the PIX. Inorder to apply a new cryptomap onto your headend PIX, you will need to do a no crypto map blah and reapply which will bring down the tunnel.
You will need Pix Device Manager which is freely available on the Cisco Site. Through PDM (https) you will be able to add multiple lines of command simulateneosly. This way you can apply a new map without bringing down an exisiting tunnel. Dont do a clear ipsec sa or clear isa sa  because this will bring down the tunnel as well.
PIX also supports xml configuration using http and you should be able to add new crypto maps using this feature since this too takes in multiples lines of configuration at once.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12705752
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
0
 
LVL 4

Expert Comment

by:periferral
ID: 12708595
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didnt suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question