06-26-2003 07:00 AM - edited 02-20-2020 10:49 PM
I have a curious, theoretical question re PIX VPN implementation, specifically regarding crypto acl entries. I'm using the following quote as the foundation of my question:
"Note If you modify an access list that is currently referenced by one or more crypto map entries, the run-time security association database will need to be re initialized using the crypto map interface command. See the crypto ipsec command page for information on the crypto map interface command."
So, if i have pre-existing:
access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0 (host)
access-list 102 permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0 (remote)
and let's say that b.b.b.b is a remote hub where additional WAN nodes point directly to and i want to add those nodes' networks to the "interesting" traffic patterns so that a.a.a.a can reach them via the VPN (and vice versa). So, i want to add:
access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0 (host)
access-list 102 permit ip c.c.c.c 255.255.255.0 a.a.a.a 255.255.255.0 (remote)
My question is, does the quote from Cisco apply? Meaning, does adding a crypto access-list entry equate to "...modify an access list that is currently referenced by one or more crypto map entries..." ?
I would think yes, because (obviously) the existing crypto maps at the host/remote would be using "crypto map newmap 10 match address 102".
Thoughts?
06-26-2003 07:20 PM
Yes it does. At this time in the PIX, if you modify an ACL that is currently referenced by any crypto map, you need to unapply/apply that crypto map from the interface for the changes to take effect. This has the unfortunate side-effect of killing all your existing tunnels.
06-26-2003 08:12 PM
Why?
Can you provide more detailed evidence that, by adding a second (or third, fourth, etc.) crypto access-list, existing tunnels will be killed? Or are you stating that removing/re-adding the crypto map(s) that reference the acl will destroy the tunnel?
Also, why would you need to remove/re-add the crypto map *after* adding the new entry(ies)?
Wouldn't removing the crypto map instantaneously collapse the tunnel, thereby disconnecting the session to the remote firewall (which would still require additional configuration to rebuild the VPN; specifically, re-adding the map)?
Lastly, are you basing your comments on a specific PIX IOS version? I ask b/c your "..at this time..." statement leads me to believe that such behavior will be changed in future revision(s).
Looking forward to your thoughts...
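The procedure from the reply above, written out as an added example (not posted by either participant) in PIX 6.x syntax. The ACL number 102 and map name newmap come from the thread; the interface name outside, the peer and transform-set placeholders are assumptions, and lines starting with "!" are notes rather than commands to paste.

```cisco
! Existing configuration on the host-side PIX (from the thread)
access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer <remote-peer-ip>        ! placeholder, not from the thread
crypto map newmap 10 set transform-set <ts-name>      ! placeholder, not from the thread
crypto map newmap interface outside                   ! interface name assumed

! Step 1: append the new "interesting traffic" entry for the hub's WAN node.
! The ACL change is accepted, but the run-time SA database still reflects
! only the a.a.a.a <-> b.b.b.b proxy identities.
access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0

! Step 2: re-apply the crypto map so the SA database is rebuilt from the
! modified ACL. Removing the map tears down every SA it owns, so every
! tunnel on this interface drops and re-negotiates on the next matching
! packet: schedule this in a maintenance window.
no crypto map newmap interface outside
crypto map newmap interface outside

! Step 3: verify. After traffic toward c.c.c.c triggers negotiation, the
! new proxy identity should show up alongside the original one.
show crypto ipsec sa
```

The remote PIX needs the mirrored entry (c.c.c.c to a.a.a.a) and the same re-apply step on its own crypto map, otherwise the proxy identities will not match during quick mode and the new subnet will fail to negotiate.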