Cisco Support Community

How to add a new VPN tunnel on PIX525 without causing a VPN outage?

We have a PIX 525 firewall and we terminate a few VPN tunnels on it. Every time we added a new VPN tunnel, I had to remove the crypto map from the outside interface (causing a VPN outage!), configure it, and apply it back. If I didn't remove the crypto map from the interface, the PIX goes nuts when I first enter the "crypto map name 1000 ipsec-isakmp" command.

Is there a "safe" way to add a new tunnel without having to remove the crypto map and affecting existing tunnels?

Re: How to add a new VPN tunnel on PIX525 without causing a VPN outage?

The only real issue that I faced was while modifying the access list. That's the only time the outage is likely to occur, i.e. when the access-list is removed and a modified one re-entered. What we tried is to modify the access-list while still in place. We used the no form of the command as shown below:

ip access-list extended 101

no permit ip host


We then moved in the new statements (to the bottom of the list by default). The access-list got modified successfully. This was attempted in the lab, and although on the production network we opted for downtime, there is no reason why the same can't be done on the live network. By doing this, removing the crypto map is not necessary any more.
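As an added illustration of the in-place edit described in the reply above (a constructed example, not configuration from the original thread): the peer and host addresses, the map name MYMAP, the sequence numbers and the transform set ESP-3DES-SHA are placeholders, and the syntax assumes a PIX 6.x configuration, which uses the flat access-list form rather than the IOS-style ip access-list extended shown in the reply.

```cisco
! Assumed starting point: crypto map MYMAP is already bound to the outside
! interface, and entry 10 (peer 203.0.113.10) matches access-list 101.
! Remove a single ACE from the crypto ACL in place instead of clearing the
! whole list; the crypto map stays applied and other tunnels keep running.
no access-list 101 permit ip host 10.1.1.5 host 192.168.50.5
! Add the replacement ACE; it is appended to the end of the list.
access-list 101 permit ip host 10.1.1.5 host 192.168.50.6

! A new tunnel to a second peer gets its own ACL and its own crypto map
! sequence number, so no existing entry has to be removed or re-entered.
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.60.0 255.255.255.0
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 198.51.100.20 netmask 255.255.255.255
crypto map MYMAP 20 ipsec-isakmp
crypto map MYMAP 20 match address 102
crypto map MYMAP 20 set peer 198.51.100.20
crypto map MYMAP 20 set transform-set ESP-3DES-SHA

! Check that the pre-existing SA to 203.0.113.10 survived the change.
show crypto isakmp sa
show crypto ipsec sa
```

Enter the match address, set peer and set transform-set lines directly after the new ipsec-isakmp line, since the new entry is incomplete until all three are present.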
