Solved

multiple pix vpn's

Posted on 2004-08-21
10
287 Views
Last Modified: 2010-04-11
So.. In order to have multiple tunnels I normally just set up a crypto map mapname ... all the necessary statements.. and for each tunnel on the map, I add a 10, 20, 30 or whatever...

The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks out (i'm going in through ssh).. the only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.

Why is this happening? it seems retarded that I would have to shut everything down this way...

My question is.. could it be because I need to put my crypto map mapname 20 match address access-list ... first?

the last time this happened was when I was adding an the first statement for the additional tunnel.. crypto map mapname 20 ipsec-isakmp... is it just negotiating everything as a tunnel and that's what is f'ing it up?

Can I just change the order of my commands? do I have to create a brand new crypto map every time.. or what do I do to eliminate downtime?

thanks.

 
0
Comment
Question by:sasecool
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11859880
The easy way is to first remove the map from the interface, then make  your changes, then re-apply the map..

pix(config)#no crypto map CRYMAP interface outside

Add new crypto map entries:

  access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0

  crypto map CRYMAP 40 ipsec-isakmp
  crypto map CRYMAP 40 match address outside_cryptomap_40
  crypto map CRYMAP 40 set peer A.B.C.D
  crypto map CRYMAP 40 set transform-set ESP-3DES-SHA

Re-apply the map:

crypto map CRYMAP interface outside

0
 

Expert Comment

by:pmctingr
ID: 11859974
Also before you reapply the new crypto map to the interface enter these commands:

  clear crypto isakmp sa
  clear crypto ipsec sa

0
 

Author Comment

by:sasecool
ID: 11862434
but that still will kill the vpn tunnel. that is precisely what I have been doing
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11863674
>but that still will kill the vpn tunnel.
Yes, you can't help that if you are ssh in. Try using https and using the multi-line command line function.
0
 
LVL 4

Assisted Solution

by:periferral
periferral earned 250 total points
ID: 11875138
Yep. It is a problem with the PIX. Inorder to apply a new cryptomap onto your headend PIX, you will need to do a no crypto map blah and reapply which will bring down the tunnel.
You will need Pix Device Manager which is freely available on the Cisco Site. Through PDM (https) you will be able to add multiple lines of command simulateneosly. This way you can apply a new map without bringing down an exisiting tunnel. Dont do a clear ipsec sa or clear isa sa  because this will bring down the tunnel as well.
PIX also supports xml configuration using http and you should be able to add new crypto maps using this feature since this too takes in multiples lines of configuration at once.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12705752
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
0
 
LVL 4

Expert Comment

by:periferral
ID: 12708595
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didnt suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now