Solved

Deleting Cisco PIX Point to Point VPN

Posted on 2006-06-29
Last Modified: 2013-11-16
We have just had a relationship with one of our suppliers terminate abruptly.  We have an existing point to point VPN with them to one of our data servers.  How can I delete the VPN, or at least change the key or something in the config so the connection will fail, until I can get an engineer onsite to properly delete the VPN?  We have a PIX 515e and also have several other VPNs to other sites that need to remain active.

I tried to simply preface the existing config for this VPN with "no", as it worked for deleting the software initiated VPNGROUP.
no crypto map mymap 10 ipsec-isakmp
no crypto map mymap 10 match address 102
no crypto map mymap 10 set peer xxx.xxx.119.135   (actual ip was used, x's used here for privacy)
no crypto map mymap 10 set transform-set myset

no isakmp policy 10 authentication pre-share
no isakmp policy 10 encryption 3des
no isakmp policy 10 hash md5
no isakmp policy 10 group 2
no isakmp policy 10 lifetime 86400



Now the config looks like this:

crypto map mymap 10 ipsec-isakmp
! Incomplete

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

I've done a WRITE MEM, but no change.  The VPN is still up, or at least I can still connect to their server.


There is also a line in the config:
isakmp key ******** address xxx.xxx.119.135 netmask 255.255.255.255 no-xauth no-config-mode

But I have not yet figured out the correct syntax to attempt to edit/delete this.
Question by:jlexer
9 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17010838
Just do this;

no crypto map mymap interface outside

Cheers,
Rajesh
 

Author Comment

by:jlexer
ID: 17010938
Thanks for the quick response.  I assume that I need to be specific in this command so I do not delete all my other existing VPNs.  Something like:

no crypto map mymap interface outside 10 (for the map alias)
or
no crypto map mymap interface outside xxx.xxx.119.135 (actually supplying the ip)
or
something else entirely?

Thanks again
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17010956
Just type it in the way I gave in the first one; it should take it.

OR;

just; no crypto map mymap

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17010964
It would be better to understand if you could post the complete config of the PIX (of course, mask off the addresses and domain information).

Cheers,
Rajesh
 

Author Comment

by:jlexer
ID: 17012158
Here's the whole config.  Thanks again for looking!

PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 dmz security50
nameif ethernet2 inside security100
enable password --------- encrypted
passwd --------- encrypted
hostname ---------
domain-name domainname.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sip udp 5060
names
access-list 102 permit ip host xxx.xxx.1.49 xxx.xxx.10.0 255.255.255.0
access-list 102 permit ip host xxx.xxx.1.44 xxx.xxx.10.0 255.255.255.0
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.4 eq pop3
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.4 eq smtp
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.5 eq ftp
access-list ACL-OUTSIDE permit tcp xxx.xxx.0.0 255.255.0.0 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp xxx.xxx.84.0 255.255.255.0 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.13 eq ftp
access-list ACL-OUTSIDE permit tcp host xxx.xxx.17.124 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.13 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.157.168 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp xxx.xxx.17.0 255.255.255.0 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.28.79 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.5 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.17.101 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.235.86 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp xxx.xxx.131.0 255.255.255.0 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.120.199 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.35.227 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.9.10 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.4 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.119.132 host xxx.xxx.102.8 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.9.11 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.102.120 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.225.212 host xxx.xxx.102.8
access-list ACL-OUTSIDE permit tcp host xxx.xxx.225.212 host xxx.xxx.102.8 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.119.132 host xxx.xxx.102.8 eq 135
access-list ACL-OUTSIDE permit udp host xxx.xxx.119.132 host xxx.xxx.102.8 eq 135
access-list ACL-OUTSIDE permit icmp any any echo-reply
access-list ACL-OUTSIDE permit tcp host xxx.xxx.102.119 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp host xxx.xxx.157.180 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.13 eq 8080
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.13 eq 8081
access-list ACL-OUTSIDE permit tcp xxx.xxx.246.0 255.255.255.0 host xxx.xxx.102.7 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.6 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.6 eq https
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.10 eq www
access-list ACL-OUTSIDE permit tcp any host xxx.xxx.102.10 eq https
access-list ACL-DMZ permit ip host xxx.xxx.2.5 host xxx.xxx.2.100
access-list ACL-DMZ permit ip any any
access-list 104 permit ip host xxx.xxx.1.49 xxx.xxx.50.0 255.255.255.0
access-list 104 permit ip host xxx.xxx.1.44 xxx.xxx.50.0 255.255.255.0
access-list 105 permit ip host xxx.xxx.102.9 host xxx.xxx.246.101
access-list 105 permit ip host xxx.xxx.102.9 host xxx.xxx.246.200
access-list 105 permit ip host xxx.xxx.102.9 host xxx.xxx.246.113
access-list 105 permit ip host xxx.xxx.102.9 host xxx.xxx.246.135
access-list 105 permit ip host xxx.xxx.102.9 host xxx.xxx.244.131
access-list inbound permit ip host xxx.xxx.119.132 host xxx.xxx.102.8
access-list inbound permit ip host xxx.xxx.225.212 any
access-list 106 permit ip xxx.xxx.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list 107 permit ip host xxx.xxx.1.34 host xxx.xxx.100.1
access-list 107 permit ip host xxx.xxx.1.34 host xxx.xxx.100.2
access-list 107 permit ip host xxx.xxx.1.34 host xxx.xxx.100.3
access-list 108 permit ip host xxx.xxx.62.36 xxx.xxx.56.0 255.255.252.0
access-list NATVPN permit ip xxx.xxx.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NATVPN permit ip host xxx.xxx.1.44 xxx.xxx.10.0 255.255.255.0
access-list NATVPN permit ip host xxx.xxx.1.49 xxx.xxx.10.0 255.255.255.0
access-list NATVPN permit ip host xxx.xxx.1.44 xxx.xxx.50.0 255.255.255.0
access-list NATVPN permit ip host xxx.xxx.1.49 xxx.xxx.50.0 255.255.255.0
access-list NATVPN permit ip host xxx.xxx.2.3 host xxx.xxx.0.230
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.132
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.101
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.200
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.113
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.135
access-list NATVPN permit ip host xxx.xxx.102.9 host xxx.xxx.246.131
access-list NATVPN permit ip host xxx.xxx.1.44 xxx.xxx.0.0 255.255.0.0
access-list NATVPN permit ip host xxx.xxx.1.49 xxx.xxx.0.0 255.255.0.0
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.100.1
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.100.2
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.100.3
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.50.205
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.25.64
access-list NATVPN permit ip host xxx.xxx.1.34 host xxx.xxx.25.97
pager lines 24
logging on
logging monitor errors
logging buffered debugging
logging trap errors
logging history errors
logging host inside xxx.xxx.1.31
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu dmz 1500
mtu inside 1500
ip address outside xxx.xxx.102.2 255.255.255.224
ip address dmz xxx.xxx.2.1 255.255.255.0
ip address inside xxx.xxx.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCLIENTS 10.0.0.1-10.0.0.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.102.3 netmask 255.255.255.224
global (dmz) 1 interface
nat (inside) 0 access-list NATVPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xxx.xxx.102.7 xxx.xxx.2.5 255.255.255.255
alias (inside) xxx.xxx.2.7 xxx.xxx.1.250 255.255.255.255
static (dmz,outside) xxx.xxx.102.5 xxx.xxx.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.102.7 xxx.xxx.2.5 netmask 255.255.255.255 0 0
static (inside,dmz) xxx.xxx.2.100 xxx.xxx.1.46 netmask 255.255.255.255 0 0
static (inside,dmz) xxx.xxx.2.7 xxx.xxx.1.250 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.102.13 xxx.xxx.1.83 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.102.4 xxx.xxx.1.56 netmask 255.255.255.255 0 0
static (inside,dmz) xxx.xxx.2.101 xxx.xxx.1.84 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.102.9 xxx.xxx.1.41 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.102.8 xxx.xxx.1.47 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.62.36 xxx.xxx.1.36 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.102.6 xxx.xxx.1.51 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.102.10 xxx.xxx.2.10 netmask 255.255.255.255 0 0
access-group ACL-OUTSIDE in interface outside
access-group ACL-DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.102.1 1
route outside 192.245.246.200 255.255.255.255 xxx.xxx.102.1 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
snmp-server contact none
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 10 ipsec-isakmp
! Incomplete
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address 104
crypto map mymap 40 set peer xxx.xxx.157.226
crypto map mymap 40 set transform-set myset
crypto map mymap 50 ipsec-isakmp
crypto map mymap 50 match address 105
crypto map mymap 50 set pfs group2
crypto map mymap 50 set peer xxx.xxx.89.131
crypto map mymap 50 set transform-set myset1
crypto map mymap 60 ipsec-isakmp
crypto map mymap 60 match address 106
crypto map mymap 60 set peer xxx.xxx.3.2
crypto map mymap 60 set transform-set myset
crypto map mymap 70 ipsec-isakmp
crypto map mymap 70 match address 107
crypto map mymap 70 set pfs group2
crypto map mymap 70 set peer xxx.xxx.102.80
crypto map mymap 70 set transform-set myset1
crypto map mymap 70 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 80 ipsec-isakmp dynamic dynmap
crypto map mymap 90 ipsec-isakmp
crypto map mymap 90 match address 108
crypto map mymap 90 set peer xxx.xxx.62.30
crypto map mymap 90 set transform-set myset1
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.157.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.89.131 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.119.135 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.102.80 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.62.30 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.3.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool VPNCLIENTS
vpngroup vpn3000 wins-server xxx.xxx.1.130
vpngroup vpn3000 default-domain DOMAIN1
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup azure address-pool VPNCLIENTS
vpngroup azure idle-time 1800
vpngroup azure password ********
vpngroup quadrant idle-time 1800
vpngroup iti_client address-pool VPNCLIENTS
vpngroup iti_client wins-server xxx.xxx.1.130
vpngroup iti_client default-domain DOMAIN1
vpngroup iti_client idle-time 1800
vpngroup iti_client password ********
telnet xxx.xxx.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
terminal width 80
Cryptochecksum:f2c4f9298999f08b646q5aa55033fc53
: end
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17012846
Doing a "no crypto map mymap" will remove all your VPNs, so you would not want to take this route.

If you simply want to drop the other connection remove the entries as you have and then power cycle the PIX.

Or
no crypto map mymap interface outside
followed by
crypto map mymap interface outside

This will drop your existing VPN connections for a second or 2 until they re-establish.


Or the other way is to simply wait until the SA times out, based on lifetime 86400.  With the old configuration gone it will be unable to re-key and will tear the tunnel down.


It all depends on how quickly you want to terminate the connection.
 

Author Comment

by:jlexer
ID: 17013223
I recycled the power to the PIX; No change.  I can still ping their server.

I entered:
no crypto map mymap interface outside
followed by
crypto map mymap interface outside
...Also, no change, I can still PING their server.

In the above config, the access-list entries for the VPN we are attempting to drop are:
access-list 102 permit ip host xxx.xxx.1.49 xxx.xxx.10.0 255.255.255.0
access-list 102 permit ip host xxx.xxx.1.44 xxx.xxx.10.0 255.255.255.0

I did a "no access-list 102" and these entries have dropped from the config.  Does this mean even though the VPN is still up at least they do not have any access to any of our servers?

Since it appears that we need to drop the entire config and reload it to remove the VPN, is there something we could at least change about this line:

isakmp key ******** address xxx.xxx.119.135 netmask 255.255.255.255 no-xauth no-config-mode

I assume that this is the setup of the preshared key.  Can we simply change this entry without replacing the entire config?  If so, what is the correct syntax to edit this line?  I would assume if we just change the key, the VPN should fail.
 
LVL 11

Accepted Solution

by:prueconsulting earned 500 total points
ID: 17013310
Yes, this would remove the key for that host and cause it to fail the keying.

A "no crypto map mymap 10 ipsec-isakmp" would remove it from the crypto map as well, to clean it up.

Really odd thing here is how does it create a tunnel without a known peer address in the crypto map?

Unless they are hitting your dynamic VPN connection and matching that and building the tunnel.
 

Author Comment

by:jlexer
ID: 17013473
The command "no crypto map mymap 10 ipsec-isakmp" gave me an error.  However, I tried a few combinations and "no crypto map mymap 10" did work and I'm no longer getting the "! Incomplete" message that I had been receiving before.

The pinging issue seems to be separate.  That is, the address that I was pinging turned out to be a public IP, so I should be getting a response.  Therefore, I don't know at what point in this process the VPN actually went down.  Based on the results I have encountered, I believe the best way to do this going forward would be to issue commands for

no access-list <map#>
and
no crypto map mymap <map#>

I believe this would have been enough to drop the VPN.

Thanks again for all your help and FAST replies.
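As an added example that is not part of this thread, a small Python script that does the three-part removal the thread converges on: it picks out the crypto map entry for one peer, its match-address ACL (only if no surviving entry shares it) and the isakmp key, and emits the "no" commands by sequence number, the form that worked for the poster; it also reports any entry left in the "! Incomplete" state. The sample config, its documentation-range addresses and the <KEYSTRING> placeholder are constructed, and it is assumed that the PIX "no isakmp key" form needs the real keystring, which "show" output masks.

```python
import re

# Constructed sample modelled on the PIX 6.2 config posted above (documentation
# addresses, not the poster's; only the tunnel-related lines are kept).
SAMPLE_CONFIG = """\
access-list 102 permit ip host 192.0.2.49 198.51.100.0 255.255.255.0
access-list 102 permit ip host 192.0.2.44 198.51.100.0 255.255.255.0
access-list 104 permit ip host 192.0.2.49 203.0.113.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set peer 203.0.113.135
crypto map mymap 10 set transform-set myset
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address 104
crypto map mymap 40 set peer 203.0.113.226
crypto map mymap 90 ipsec-isakmp
crypto map mymap interface outside
isakmp key ******** address 203.0.113.135 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 203.0.113.226 netmask 255.255.255.255 no-xauth no-config-mode
"""

def parse(config):
    """Index (map, seq) -> peer, (map, seq) -> ACL, static entries, isakmp keys.
    Dynamic entries ('... ipsec-isakmp dynamic dynmap') are deliberately skipped."""
    peers, acls, entries, keys = {}, {}, set(), []
    for ln in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", ln):
            peers[(m[1], m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", ln):
            acls[(m[1], m[2])] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", ln):
            entries.add((m[1], m[2]))
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", ln):
            keys.append((m[1], m[2]))
    return peers, acls, entries, keys

def incomplete_entries(config):
    """Static entries missing a peer or a match address: the '! Incomplete'
    state the poster hit after negating the sub-commands one at a time."""
    peers, acls, entries, _ = parse(config)
    return sorted(e for e in entries if e not in peers or e not in acls)

def teardown_commands(config, peer):
    """'no' commands that remove one peer's tunnel and nothing else: the whole
    map entry by sequence number, its ACL (unless a surviving entry shares it)
    and the pre-shared key. Every other entry is left untouched."""
    peers, acls, _, keys = parse(config)
    victims = {e for e, p in peers.items() if p == peer}
    cmds = [f"no crypto map {m} {s}" for m, s in sorted(victims)]
    for e in sorted(victims):
        acl = acls.get(e)
        shared = any(a == acl for o, a in acls.items() if o not in victims)
        if acl and not shared and f"no access-list {acl}" not in cmds:
            cmds.append(f"no access-list {acl}")
    for addr, mask in keys:
        if addr == peer:
            # assumption: the no-form needs the real keystring, which 'show' masks
            cmds.append(f"no isakmp key <KEYSTRING> address {addr} netmask {mask}")
    return cmds
```

Run `teardown_commands(SAMPLE_CONFIG, "203.0.113.135")` to get the three lines for the terminated peer; `incomplete_entries(SAMPLE_CONFIG)` flags entry 90, which has no peer or ACL left.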