06-28-2007 07:43 AM - edited 03-11-2019 03:37 AM
I am in the HQ network and have a remote site with a PIX to PIX tunnel. HQ network is 192.168.1.0, 192.168.100.0, and 192.168.200.0.
My remote site is 192.168.90.0. I have the following ACLs in the remote site:
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
In the HQ network, I have:
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
My question is this: If I added new VLANs to the remote site, let's say network 192.168.54.0 and wanted to have this network communicate with the 3 HQ networks, can I just add these lines:
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
And will I bring down the tunnel or do I have to reinitiate the tunnel by bringing all the tunnels down first? I don't want to affect other tunnels from other remote sites.
And I do know that I have to add the following to the HQ PIX:
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
I want to add the lines, but do not want to bring down any tunnels while I do it. Thanks y'all.
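The thread's crux is that a site-to-site crypto ACL must be a mirror image of the peer's (and that the same pairs must be exempt from NAT on each box). The following script is an added example, not part of the original post or Cisco's tooling: it parses the ACL lines as posted, generates the six lines each PIX needs for a new remote subnet, and checks both the mirror-image property and nonat coverage. The subnets and ACL names (101, nonat) are taken from the thread; the function names and the sample configs built from those lines are my own constructions.

```python
"""Mirror-image and nonat checks for PIX site-to-site crypto ACLs (added example).

PIX access-lists use ordinary subnet masks (not IOS wildcard masks), so the
mask can be handed straight to ipaddress.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)
Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_acls(config: str) -> Dict[str, Set[Entry]]:
    """Return {acl_name: {(src_net, dst_net), ...}} for 'permit ip' lines."""
    acls: Dict[str, Set[Entry]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a permit-ip ACE
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, set()).add(
            (ipaddress.IPv4Network(f"{src}/{smask}"),
             ipaddress.IPv4Network(f"{dst}/{dmask}"))
        )
    return acls


def acl_line(name: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    return (f"access-list {name} permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def entries_for_new_subnet(new_local: str, remote_nets: List[str],
                           crypto_acl: str = "101", nonat_acl: str = "nonat"):
    """Lines for the PIX that owns new_local, plus the mirrored lines its peer needs.
    The crypto ACL and the nonat ACL get identical pairs on each side."""
    local = ipaddress.IPv4Network(new_local)
    remotes = [ipaddress.IPv4Network(r) for r in remote_nets]
    this_side, peer_side = [], []
    for acl in (crypto_acl, nonat_acl):
        for r in remotes:
            this_side.append(acl_line(acl, local, r))
            peer_side.append(acl_line(acl, r, local))
    return this_side, peer_side


def mirror_gaps(side_a: Set[Entry], side_b: Set[Entry]) -> Set[Entry]:
    """Entries on side_a lacking a (dst, src) mirror on side_b; the peer will
    reject a Phase 2 proposal for that traffic."""
    return {(s, d) for (s, d) in side_a if (d, s) not in side_b}


def nonat_gaps(crypto: Set[Entry], nonat: Set[Entry]) -> Set[Entry]:
    """Crypto ACEs not exempted from NAT: the traffic is translated first and
    never matches the crypto map."""
    return crypto - nonat


# Constructed sample configs, copied from the thread's first post.
REMOTE_CONFIG = """
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
HQ_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
"""
HQ_NETS = ["192.168.1.0/24", "192.168.100.0/24", "192.168.200.0/24"]


def check_pair(remote_cfg: str, hq_cfg: str) -> Dict[str, Set[Entry]]:
    """All four gap sets for a remote/HQ pair; every set empty means consistent."""
    r, h = parse_acls(remote_cfg), parse_acls(hq_cfg)
    rc, hc = r.get("101", set()), h.get("101", set())
    return {
        "remote_without_hq_mirror": mirror_gaps(rc, hc),
        "hq_without_remote_mirror": mirror_gaps(hc, rc),
        "remote_nonat_gaps": nonat_gaps(rc, r.get("nonat", set())),
        "hq_nonat_gaps": nonat_gaps(hc, h.get("nonat", set())),
    }


if __name__ == "__main__":
    remote_add, hq_add = entries_for_new_subnet("192.168.54.0/24", HQ_NETS)
    print("# add on remote PIX:\n" + "\n".join(remote_add))
    print("# add on HQ PIX:\n" + "\n".join(hq_add))
    # Adding only the remote side leaves three unmirrored crypto ACEs at HQ.
    half = check_pair(REMOTE_CONFIG + "\n".join(remote_add), HQ_CONFIG)
    print("gaps with remote-only change:", {k: len(v) for k, v in half.items()})
    full = check_pair(REMOTE_CONFIG + "\n".join(remote_add), HQ_CONFIG + "\n".join(hq_add))
    print("gaps with both sides changed:", {k: len(v) for k, v in full.items()})
```

Run the check before clearing any SA: if `remote_without_hq_mirror` is non-empty, the new VLAN's traffic will trigger Phase 2 proposals that HQ rejects, and clearing the peer's SA will not help until the HQ lines are in place too.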
06-28-2007 07:57 AM
Adding the lines should not bring down the tunnels.
06-28-2007 08:17 AM
while adding the lines won't bring the tunnels down, they won't take effect until you clear the tunnels (I think):
clear cry ipsec sa
clear isa sa
06-28-2007 08:56 AM
That's kind of what I thought. I guess it doesn't matter when I add the lines, but it will matter when I want the changes to take effect. When I do clear the cryptos, then the other tunnel will go down, so I will have to do this after hours. Thanks.
06-28-2007 09:04 AM
you can clear individual peers:
firewall# clear crypto ipsec sa peer ?
Hostname or A.B.C.D IPsec SA peer address or hostname