"Note: If you modify an access list that is currently referenced by one or more crypto map entries, the run-time security association database will need to be re-initialized using the crypto map interface command. See the crypto ipsec command page for information on the crypto map interface command."
So, if I have pre-existing:
access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0 (host)
access-list 102 permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0 (remote)
and let's say that b.b.b.b is a remote hub that additional WAN nodes point to directly, and I want to add those nodes' networks to the "interesting" traffic patterns so that a.a.a.a can reach them via the VPN (and vice versa). So, I want to add:
access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0 (host)
My question is, does the quote from Cisco apply? Meaning, does adding a crypto access-list entry equate to "...modify an access list that is currently referenced by one or more crypto map entries..."?
I would think yes, because (obviously) the existing crypto maps at the host/remote would be using "crypto map newmap 10 match address 102".
Yes, it does. At this time, in the PIX, if you modify an ACL that is currently referenced by any crypto map, you need to unapply/apply that crypto map from the interface for the changes to take effect. This has the unfortunate side effect of killing all your existing tunnels.
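As an added illustration of the sequence this answer describes (example configuration, not part of the original post; the interface name `outside` is assumed, and the ACL and crypto map names are taken from the question), here is the edit on the "host" PIX, the re-application of the crypto map that rebuilds the security association database, and the mirrored change that the remote end needs so that the proxy identities match during IPsec negotiation:

```text
! ---- "host" PIX (site a.a.a.a/24) ----
! Existing crypto ACL, referenced by: crypto map newmap 10 match address 102
access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
! New ACE for the spoke network behind the hub
access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0
! Re-apply the crypto map so the run-time SA database is re-initialized
! from the edited ACL. All tunnels on this interface drop at this point
! and are renegotiated on the next matching packet. (interface name assumed)
no crypto map newmap interface outside
crypto map newmap interface outside

! ---- remote (hub) PIX ----
! The crypto ACL must be the mirror image of the host side, so the new
! spoke network needs a matching ACE here as well.
access-list 102 permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0
access-list 102 permit ip c.c.c.c 255.255.255.0 a.a.a.a 255.255.255.0
no crypto map newmap interface outside
crypto map newmap interface outside
```

Schedule the re-apply on both ends inside a maintenance window, since every tunnel bound to that crypto map on the interface is torn down, not only the one whose ACL changed.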
Can you provide more detailed evidence that, by adding a second (or third, fourth, etc.) crypto access-list, existing tunnels will be killed? Or are you stating that removing/re-adding the crypto map(s) that reference the acl will destroy the tunnel?
Also, why would you need to remove/re-add the crypto map *after* adding the new entry(ies)?
Wouldn't removing the crypto map instantaneously collapse the tunnel, thereby disconnecting the session to the remote firewall (which would still require additional configuration to rebuild the VPN; specifically, re-adding the map)?
Lastly, are you basing your comments on a specific PIX IOS version? I ask because your "...at this time..." statement leads me to believe that such behavior will be changed in future revision(s).
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: