Pix crypto access-list (theoretical) question

jpittman
Level 1

I have a curious, theoretical question re PIX VPN implementation, specifically regarding crypto acl entries. I'm using the following quote as the foundation of my question:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008993c.html#xtocid8

"Note If you modify an access list that is currently referenced by one or more crypto map entries, the run-time security association database will need to be reinitialized using the crypto map interface command. See the crypto ipsec command page for information on the crypto map interface command."

So, if i have pre-existing:

access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0 (host)

access-list 102 permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0 (remote)

and let's say that b.b.b.b is a remote hub where additional WAN nodes point directly to and I want to add those nodes' networks to the "interesting" traffic patterns so that a.a.a.a can reach them via the VPN (and vice versa). So, I want to add:

access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0 (host)

access-list 102 permit ip c.c.c.c 255.255.255.0 a.a.a.a 255.255.255.0 (remote)

My question is, does the quote from Cisco apply? Meaning, does adding a crypto access-list entry equate to "...modify an access list that is currently referenced by one or more crypto map entries..."?

I would think yes, because (obviously) the existing crypto maps at the host/remote would be using "crypto map newmap 10 match address 102".

Thoughts?

2 Replies

gfullage
Cisco Employee

Yes it does. At this time in the PIX if you modify an ACL that is currently referenced by any crypto map, you need to unapply/apply that crypto map from the interface for the changes to take effect. This has the unfortunate side-effect of killing all your existing tunnels.
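As an added illustration of the unapply/reapply step described in this reply (example configuration written for this page, not taken from the thread or from Cisco's documentation), here is the hub ("host") side sequence using the thread's own names; the interface name outside, the PIX 6.x syntax and the ":" comment marker are assumptions:

```cisco
: Added example, not part of the original thread. PIX 6.x, hub ("host") side.
: Names follow the thread: crypto map "newmap" seq 10 matches access-list 102.
: c.c.c.c/24 is the new spoke network reached through the remote hub b.b.b.b.

: 1. Crypto ACL already referenced by "crypto map newmap 10 match address 102"
access-list 102 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0

: 2. Add the new interesting-traffic entry. The remote peer needs the mirror
:    image (access-list 102 permit ip c.c.c.c 255.255.255.0 a.a.a.a 255.255.255.0),
:    otherwise the proxy identities will not match at Phase 2.
access-list 102 permit ip a.a.a.a 255.255.255.0 c.c.c.c 255.255.255.0

: 3. Reinitialize the run-time SA database. On this PIX release the edited ACL is
:    not re-read until the map is unapplied and reapplied, and unapplying it drops
:    every IPsec SA on the outside interface, so all tunnels on that interface
:    reset at this point (plan for a maintenance window).
no crypto map newmap interface outside
crypto map newmap interface outside

: 4. Verify once traffic re-triggers the tunnel: a new SA pair with local ident
:    a.a.a.a/255.255.255.0 and remote ident c.c.c.c/255.255.255.0 should appear.
show crypto ipsec sa
```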

Why?

Can you provide more detailed evidence that, by adding a second (or third, fourth, etc.) crypto access-list, existing tunnels will be killed? Or are you stating that removing/re-adding the crypto map(s) that reference the acl will destroy the tunnel?

Also, why would you need to remove/re-add the crypto map *after* adding the new entry(ies)?

Wouldn't removing the crypto map instantaneously collapse the tunnel, thereby disconnecting the session to the remote firewall (which would still require additional configuration to rebuild the VPN; specifically, re-adding the map)?

Lastly, are you basing your comments on a specific PIX IOS version? I ask b/c your "..at this time..." statement leads me to believe that such behavior will be changed in future revision(s).

Looking forward to your thoughts...
