Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix crypto access-list (theoretical) question

I have a curious, theoretical question re PIX VPN implementation, specifically regarding crypto acl entries. I'm using the following qoute as the foundation of my question:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008993c.html#xtocid8

"Note If you modify an access list that is currently referenced by one or more crypto map entries, the run-time security association database will need to be re initialized using the crypto map interface command. See the crypto ipsec command page for information on the crypto map interface command."

So, if i have pre-existing:

access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0 (host)

access-list 102 permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0 (remote)

and let's say that b.b.b.b is a remote hub where additional WAN nodes point directly to and i want to add those nodes' networks to the "interesting" traffic patterns so that a.a.a.a can reach them via the VPN (and vice versa). So, i want to add:

access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0 (host)

access-list 102 permit c.c.c.c 255.255.255.0 a.a.a.a 255.255.255.0 (remote)

My question is, does the qoute from Cisco apply. Meaning, does adding a crypto access-list entry equate to "...modify an access list that is currently referenced by one or more crypto map entries..." ?

I would think yes, because (obviously) the exisiting crypto maps at the host/remote would be using " crypto map newmap 10 match address 102".

Thoughts?

2 REPLIES
Cisco Employee

Re: Pix crypto access-list (theoretical) question

Yes it does. At this time in the PIX if you modify an ACL that is currently referenced by any crypto map, you need to unapply/apply that crypto map from the interface for the changes ot take effect. This has the unfortunate side-effect of killing all your existing tunnels.

New Member

Re: Pix crypto access-list (theoretical) question

Why?

Can you provide more detailed evidence that, by adding a second (or third, fourth, etc.) crypto access-list, existing tunnels will be killed? Or are you stating that removing/re-adding the crypto map(s) that reference the acl will destroy the tunnel?

Also, why would you need to remove/re-add the crypto map *after* adding the new entry(ies)?

Wouldn't removing the crypto map instantaneously collapse the tunnel, thereby disconnecting the session to the remote firewall (which would still require additional configuration to rebuild the VPN; specifically, re-adding the map)?

Lastly, are you basing your comments on a specific PIX IOS version? I ask b/c your "..at this time..." statement leads me to believe that such behavior will be changed in future revision(s).

Looking forward to your thoughts...

86
Views
0
Helpful
2
Replies
CreatePlease to create content