379 Views · 5 Helpful · 4 Replies

Modifying ACLs in PIX to PIX IPSec tunnel

flopez
Level 1

I am in the HQ network and have a remote site with a PIX to PIX tunnel. HQ network is 192.168.1.0, 192.168.100.0, and 192.168.200.0.

My remote site is 192.168.90.0. I have the following ACLs in the remote site:

access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0

In the HQ network, I have:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0

My question is this: If I added new VLANs to the remote site, let's say network 192.168.54.0 and wanted to have this network communicate with the 3 HQ networks, can I just add these lines:

access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0

And will I bring down the tunnel or do I have to reinitiate the tunnel by bringing all the tunnels down first? I don't want to affect other tunnels from other remote sites.

And I do know that I have to add the following to the HQ PIX:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0

access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0

I want to add the lines, but do not want to bring down any tunnels while I do it. Thanks y'all.
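The change above is safe only if both sides stay consistent: each crypto ACL (101) entry on the remote PIX needs its mirror image on the HQ PIX, and each crypto ACL entry needs a matching nonat entry on the same box, otherwise the traffic is translated before the crypto map sees it. The following script is an added example, not part of the original thread or any Cisco tool; it parses the access-list lines quoted in the post (copied into constructed config strings) and reports exactly which entries are missing after a one-sided edit. It only checks ACL consistency; whether an existing SA needs to be cleared for a new entry to take effect is a separate question.

```python
"""Consistency check for PIX crypto ACLs and nonat ACLs (added example).

Two checks a practitioner wants before touching a site-to-site tunnel:
  1. every crypto ACL entry on one side has its mirror image on the other
     side (IPsec proxy identities must match or phase 2 never negotiates);
  2. every crypto ACL entry is covered by a nonat entry on the same box
     (otherwise the packet is NATed first and never matches the crypto map).
The ACL names "101" and "nonat" are the ones used in the post. The parser
is deliberately narrow: it understands only 'permit ip <net> <mask> <net> <mask>'.
"""
import re
from ipaddress import ip_network

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)

# Constructed from the ACLs quoted in the post.
REMOTE_CFG = """
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.90.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
HQ_CFG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.90.0 255.255.255.0
"""
# The proposed additions for the new 192.168.54.0 VLAN, remote side and HQ side.
REMOTE_NEW = """
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.54.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
HQ_NEW = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.54.0 255.255.255.0
"""


def parse_acls(config_text):
    """Return {acl_name: {(src_network, dst_network), ...}} for permit-ip lines."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a simple permit ip
        src = ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def mirror(pairs):
    """Swap source and destination: what the far end must carry."""
    return {(dst, src) for (src, dst) in pairs}


def describe(pairs):
    return sorted(f"{src} -> {dst}" for src, dst in pairs)


def check_tunnel(remote_cfg, hq_cfg, crypto_acl="101", nonat_acl="nonat"):
    """Return the gaps between the two ends; all lists empty means consistent."""
    remote, hq = parse_acls(remote_cfg), parse_acls(hq_cfg)
    r_crypto, h_crypto = remote.get(crypto_acl, set()), hq.get(crypto_acl, set())
    r_nonat, h_nonat = remote.get(nonat_acl, set()), hq.get(nonat_acl, set())
    return {
        "missing_on_hq": describe(mirror(r_crypto) - h_crypto),
        "missing_on_remote": describe(mirror(h_crypto) - r_crypto),
        "remote_nonat_gaps": describe(r_crypto - r_nonat),
        "hq_nonat_gaps": describe(h_crypto - h_nonat),
    }


if __name__ == "__main__":
    import json
    # Remote side edited first, HQ not yet: the report names the HQ lines still needed.
    print(json.dumps(check_tunnel(REMOTE_CFG + REMOTE_NEW, HQ_CFG), indent=2))
    # Both sides edited: every list comes back empty.
    print(json.dumps(check_tunnel(REMOTE_CFG + REMOTE_NEW, HQ_CFG + HQ_NEW), indent=2))
```

Run it against `show run` output from both firewalls (the regex ignores every line that is not a plain `permit ip` entry) to confirm the pair is consistent before and after the change; the "missing_on_hq" list after editing only the remote side is precisely the six-line HQ addition the post already plans.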

4 Replies

acomiskey
Level 10

Adding the lines should not bring down the tunnels.

While adding the lines won't bring the tunnels down, they won't take effect until you clear the tunnels (I think):

clear cry ipsec sa

clear isa sa

That's kind of what I thought. I guess it doesn't matter when I add the lines, but it will matter when I want the changes to take effect. When I do clear the Cryptos, then the other tunnel will go down, so I will have to do this after hours. Thanks.

you can clear individual peers:

firewall# clear crypto ipsec sa peer ?

Hostname or A.B.C.D IPsec SA peer address or hostname
