04-05-2007 08:24 AM - edited 03-11-2019 02:56 AM
A few questions:
When changing access-lists on a PIX from command line, can you change one line in the list, or do you have to remove the entire existing list and re-enter the changed list?
On a crypto map, say the peer changes and you need to make that change, can you change one line in the crypto map, or does the entire map need to be re-entered with this change?
Also same question for object group?
Can you add one line?
And will this affect any existing connections if it were a port objexct group?
Thanks
04-05-2007 09:27 AM
Hi Rich
1) You can delete and insert individual lines on pix v 6.3 so no need to remove the entire list.
2) You can set the new peer within the crypto map without having to reenter entire map. Be aware that if you set another peer it will keep the original one unless you do a
"no set peer xxxxxx" on the original peer.
3) Yes you can add entries to object-groups. It should not affect existing connections.
HTH
Jon
04-05-2007 09:37 AM
after you change ipsec peers, be sure to do a "clear crypto ipsec sa" and for kicks, "clear isakmp sa"
04-05-2007 10:31 AM
Thanks jon,
If I wanted to change the list shown below, to add an additional host, it will allow me to add a line to the access-list NO_NAT?
Or remove a single line?
access-list NO_NAT permit ip host 10.1.1.1 host 12.13.14.215
access-list NO_NAT permit ip host 10.1.1.2 host 12.13.14.215
access-list NO_NAT permit ip host 10.1.1.3 host 12.13.14.215
04-05-2007 11:52 AM
Rich
You should be able to remove or add line(s) to the access-list eg
access-list NO_NAT permit ip host 10.1.1.4 host 12.13.14.215
will add to existing access-list NO_NAT
no access-list NO_NAT permit ip host 10.1.1.3 host 12.13.14.215
will remove that line.
HTH and thanks for the rating
Jon
04-05-2007 02:14 PM
Thanks for the reply, just a couple more questions:
I have a PIX525 that currently has 10 VPN tunnels configured.
9 are showing a idle and the below is not even showing up.
AM I correct in a ssuming that with this config:
1. The crypto map looks correct and will match the address allowing remote side traffic from the 10.79.8.0 subnet to access the 10.91.9.0 subnet via VPN tunnel?
2. The 10.91.9.1 and 2 addresses are being NATed from the 10.100.100.1 and 10.200.100.1 addresses?
Is that correct?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: