Modifying ACLs in PIX to PIX IPSec tunnel

Unanswered Question

I am in the HQ network and have a remote site with a PIX to PIX tunnel. HQ network is 192.168.1.0, 192.168.100.0, and 192.168.200.0.


My remote site is 192.168.90.0. I have the following ACLs in the remote site:

access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0


In the HQ network, I have:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0


My question is this: If I added new VLANs to the remote site, let's say network 192.168.54.0 and wanted to have this network communicate with the 3 HQ networks, can I just add these lines:

access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0


And will I bring down the tunnel, or do I have to re-initiate the tunnel by bringing all the tunnels down first? I don't want to affect other tunnels from other remote sites.


And I do know that I have to add the following to the HQ PIX:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0


I want to add the lines, but do not want to bring down any tunnels while I do it. Thanks, y'all.
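The question hinges on a property the poster states informally: every crypto ACL entry on the remote PIX must have an exact mirror (source and destination swapped) on the HQ PIX, and every subnet pair in the crypto ACL must also be NAT-exempt, otherwise the new VLAN's traffic is never matched by the crypto map or arrives NATed and fails the Phase 2 proxy-identity check. The script below is an added example, not code from the thread or from Cisco: it parses `access-list` lines from both ends and reports any crypto entry without a mirror and any crypto entry missing from `nonat`. The two configurations are constructed from the lines in the question, with one line deliberately left out on each side so the check has something to find; the ACL names `101` and `nonat` are the ones used in the post.

```python
# Added example (not from the thread): check that a PIX-to-PIX crypto ACL is
# mirrored on the far end and fully covered by the nonat (NAT exemption) ACL.
import re
from typing import Dict, List, Tuple

# Matches "access-list <name> permit ip <src> <smask> <dst> <dmask>"; other
# ACL forms (host, any, protocol/port entries) are ignored on purpose.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)

Entry = Tuple[str, str, str, str]  # (src, smask, dst, dmask)


def parse_acl(config: str, name: str) -> List[Entry]:
    """Return the ip-permit entries of the named ACL, in configuration order."""
    entries: List[Entry] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            entries.append((m.group("src"), m.group("smask"),
                            m.group("dst"), m.group("dmask")))
    return entries


def mirror(entry: Entry) -> Entry:
    """The entry as the far-end peer must write it: src and dst swapped."""
    src, smask, dst, dmask = entry
    return (dst, dmask, src, smask)


def check_tunnel(remote_cfg: str, hq_cfg: str,
                 crypto_acl: str = "101", nonat_acl: str = "nonat") -> Dict[str, List[Entry]]:
    """Compare both ends; empty lists mean the crypto ACLs mirror each other
    and every encrypted subnet pair is also NAT-exempt."""
    remote_crypto = set(parse_acl(remote_cfg, crypto_acl))
    hq_crypto = set(parse_acl(hq_cfg, crypto_acl))
    remote_nonat = set(parse_acl(remote_cfg, nonat_acl))
    hq_nonat = set(parse_acl(hq_cfg, nonat_acl))
    return {
        # crypto entries on one side with no mirrored entry on the other
        "missing_on_hq": sorted(e for e in remote_crypto if mirror(e) not in hq_crypto),
        "missing_on_remote": sorted(e for e in hq_crypto if mirror(e) not in remote_crypto),
        # crypto entries whose traffic would still be translated before encryption
        "remote_not_exempt": sorted(remote_crypto - remote_nonat),
        "hq_not_exempt": sorted(hq_crypto - hq_nonat),
    }


# Constructed sample configs based on the question. The remote side lacks the
# nonat line for 192.168.54.0 -> 192.168.200.0; the HQ side lacks the crypto
# line for 192.168.200.0 -> 192.168.54.0.
REMOTE_CFG = """
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
"""

HQ_CFG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
"""

if __name__ == "__main__":
    for problem, entries in check_tunnel(REMOTE_CFG, HQ_CFG).items():
        for src, smask, dst, dmask in entries:
            print(f"{problem}: {src} {smask} -> {dst} {dmask}")
```

Run it against `show run | include access-list` output from both firewalls before adding the new lines; the entries it prints are exactly the ones that would cause the new VLAN's traffic to fail to match the crypto map on one end or to arrive with a translated source on the other, while the existing 192.168.90.0 flows continue to work.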

acomiskey Thu, 06/28/2007 - 07:57

Adding the lines should not bring down the tunnels.

srue Thu, 06/28/2007 - 08:17

While adding the lines won't bring the tunnels down, they won't take effect until you clear the tunnels (I think):

clear cry ipsec sa
clear isa sa

srue Thu, 06/28/2007 - 09:04

You can clear individual peers:

firewall# clear crypto ipsec sa peer ?
  Hostname or A.B.C.D  IPsec SA peer address or hostname
