1530 Views, 6 Helpful, 4 Replies

Editing crypto ACL's remotely

serotonin888 (Level 1)

Hi,

I have some 837s that have an IPsec VPN back to HQ.

I need to add an additional network to the crypto ACL on the 837. Unfortunately the previous administrator left a deny at the end of the ACL, so I really need to replace it. I only have remote connectivity to the router.

On a test router I tried removing the access-list (no ip access-list ext vpndst) and then lost all access to the router (to both the inside and outside address). Only a reload would work.

What is the best way to change the Crypto ACL remotely?

Accepted Solution

dominic.caron (Level 5)

Hi

If this is a named ACL, just edit it...

sh access-list vpndst (take the line number of the deny any any)

ip access-list ext vpndst

no # (# = the line number of the deny)

You could also put your commands in a text file and copy it to flash. Then do a copy flash run; this will merge the config.


4 Replies

sourabhagarwal (Level 4)

I agree: if you are working with an ACL remotely, you might lose connectivity to the remote side.

Try this out in a lab environment first, and if it succeeds you can go ahead and do it in your live setup.

You can create a new ACL and replicate all the permit/deny statements which are in the existing ACL, and also add a new permit for the additional network in it.

Just remember that there is an implicit deny statement at the end of an ACL.

Once the new ACL is created, you can apply it to the interface and remove the old ACL from it.

I guess that should work, maybe with a short outage. You can try it in your lab before implementing it.

Hope it helps ... rate if it does ...


ajagadee (Cisco Employee)

Andrew,

The reason you got locked out of the router is that when you have a crypto map applied to an interface for a LAN-to-LAN tunnel, there is also a "match address" configured which refers to an access-list to identify what traffic to encrypt. When you remove this access-list, the router starts encrypting all traffic, since there is a match address configured on the router but no access-list entries. So, in your case, even the telnet traffic was part of the tunnel now. Obviously, since there were no access-list entries when you did a "no access-list xxx", your VPN tunnel would have been down as well.

Please refer to the outputs below; you will see that there is an "Incomplete" comment as soon as I remove the ACL that is tied to the match address.

Example:

crypto map CISCO 10 ipsec-isakmp

set peer 10.1.2.1

set transform-set cisco

match address 100

access-list 100 permit ip host 10.10.10.10 host 20.20.20.20

2651(config)#no access-list 100

crypto map CISCO 10 ipsec-isakmp

! Incomplete

set peer 10.1.2.1

set transform-set cisco

match address 100

Since, there is a match address and no access-list, all traffic from this router will be encrypted.

What you need to do is:

1. Remove the crypto map from the interface.

2. Make changes to the access-list statements

3. Put the Access-list entries back

4. Do a "show run" and check that there is a "match address" configured under the crypto configuration and also check that this matches the Access-list Entries that you configured.

5. Then reapply the crypto map back to the interface.

This way you will not lose connection to the router.

Regards,

Arul

** Please rate all helpful posts **
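The two workable answers in this thread (dominic.caron's "edit the named ACL by line number" and Arul's "check that the match address really points at the ACL you are editing") can be combined into a single lock-out-safe change plan. The script below is an added example for this page, not code from any of the posters: it parses pasted `show access-list` and `show run` output, confirms a crypto map has `match address` for the ACL, and emits the IOS commands that insert the new permit by sequence number ahead of the trailing deny, wrapped in a timed `reload in` / `reload cancel` safety net so a mistake only costs a reboot instead of a site visit. The ACL name `vpndst`, crypto map `VPN`, interface `Dialer1`, the addresses and both `show` outputs are constructed for illustration, and the plan assumes an IOS release with sequence numbers for named ACLs (12.3 and later have them).

```python
"""Plan a lock-out-safe edit of an IOS crypto ACL from pasted 'show' output.
Added example for this thread, not code from the original posts; names,
addresses and the sample 'show' outputs are constructed."""
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int      # sequence number as printed by 'show access-list'
    action: str   # 'permit' or 'deny'
    body: str     # rest of the ACE, e.g. 'ip 192.168.1.0 0.0.0.255 any'


ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACL_LINE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")
CRYPTO_MAP = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
MATCH_ADDR = re.compile(r"^\s+match address (\S+)")


def parse_show_access_list(text, name):
    """Return the ACEs of ACL `name`, in order, from 'show access-list' output."""
    entries, inside = [], False
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            inside = m.group(1) == name
            continue
        m = ACL_LINE.match(line) if inside else None
        if m:
            entries.append(AclEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def crypto_maps_using(run_text, acl_name):
    """(map, seq) for every crypto map entry whose 'match address' is acl_name.
    Arul's step 4 done up front: if nothing references the ACL, editing it
    changes nothing about what is encrypted."""
    hits, current = [], None
    for line in run_text.splitlines():
        m = CRYPTO_MAP.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        if line and not line[0].isspace():
            current = None          # left the crypto map block
            continue
        m = MATCH_ADDR.match(line)
        if m and current and m.group(1) == acl_name:
            hits.append(current)
    return hits


def plan_permit_insert(entries, acl_name, new_body):
    """Config lines that add 'permit <new_body>' ahead of the trailing deny.
    The ACL itself is never removed (a crypto map with a 'match address' but
    no ACL encrypts everything, which is the lock-out); the new ACE is
    inserted by sequence number so the explicit deny stays last."""
    if not entries:
        raise ValueError("ACL %s not found or empty" % acl_name)
    lines, last = [], entries[-1]
    if last.action == "deny":
        prev_seq = entries[-2].seq if len(entries) > 1 else 0
        last_seq = last.seq
        if last_seq - prev_seq < 2:
            # No free number before the deny: renumber 10, 20, 30, ... first.
            lines.append("ip access-list resequence %s 10 10" % acl_name)
            prev_seq = 10 * (len(entries) - 1)
            last_seq = prev_seq + 10
        new_seq = (prev_seq + last_seq) // 2
    else:
        new_seq = last.seq + 10
    lines += ["ip access-list extended %s" % acl_name,
              " %d permit %s" % (new_seq, new_body)]
    return lines


def build_plan(show_acl, show_run, acl_name, new_body, minutes=10):
    """Whole remote change: timed reload as a safety net, the edit, then cancel."""
    if not crypto_maps_using(show_run, acl_name):
        raise ValueError("no crypto map has 'match address %s'" % acl_name)
    entries = parse_show_access_list(show_acl, acl_name)
    return (["reload in %d" % minutes, "configure terminal"]
            + plan_permit_insert(entries, acl_name, new_body)
            + ["end", "reload cancel"])


# Constructed sample output (not from the thread).
SHOW_ACL = """\
Extended IP access list vpndst
    10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255 (4312 matches)
    20 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
    30 deny ip any any (17 matches)
"""
SHOW_RUN = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address vpndst
!
interface Dialer1
 crypto map VPN
"""

if __name__ == "__main__":
    for cmd in build_plan(SHOW_ACL, SHOW_RUN, "vpndst",
                          "ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255"):
        print(cmd)
```

Run against the constructed output it prints the six commands to paste, with the new network at sequence 25 between the last permit and the deny. Only issue `write memory` after `show crypto ipsec sa` and a ping through the tunnel confirm the new network is encrypted; until then the pending `reload in` is what gets you back to the last saved configuration if something goes wrong.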

ajagadee (Cisco Employee)

Glad you found the information useful, alvinmanait413 
