I have a problem of controlling traffic over a VPN tunnel in a site to site topology.
When I check 'sh conn' I can see traffic between IP hosts in the VPN community, but if I type in 'clear xlate' it does not close the connections and the flow of traffic continues. I also applied access rules in the access list and they did not take effect; again 'clear xlate' did not work, and only after a 'reload' did the access-list take effect... can anyone tell me how to clear connections over the VPN?
A couple of issues here that I see and I think you have sort of answered your own questions. The 'cl xlate' command does just that - it clears the translations built on the PIX. In your case, you want to clear the connections rather than the translations. If a connection is allowed or already built, the xlate will be built again as well. Try issuing a 'clear local-host' instead. This clears all conns and xlates.
As for the new ACE statements not taking effect: the PIX only checks the ACL when the connection is being established. Once the conn is up, the ACL check is bypassed. If you add a new ACE to an ACL and want it to take effect, you will need to tear down all existing conns in order for that ACE to be checked for new traffic. Again, a 'clear local-host' would do the trick here. The reason we do this is to keep the packets moving as quickly as possible. Checking an ACL on every packet would cause severe performance problems.
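To make the behaviour in the answer above concrete, here is an added toy model (not PIX code and not part of the thread): established conns take a fast path that never consults the ACL, a new deny ACE therefore leaves an existing flow untouched, and only tearing the conn down (what 'clear local-host' does) makes the next packet hit the ACL. The class, method names and the 10.x.x.x addresses are constructed for the example.

```python
# Toy model of the PIX stateful fast path; assumes a single in-memory conn table.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass
class ToyPix:
    # ACL as an ordered list of (action, src, dst, dport); "any" matches all.
    acl: list = field(default_factory=list)
    conns: set = field(default_factory=set)

    def _acl_permits(self, flow: Flow) -> bool:
        for action, src, dst, dport in self.acl:
            if src in ("any", flow.src) and dst in ("any", flow.dst) \
                    and dport in ("any", flow.dport):
                return action == "permit"
        return False  # implicit deny at the end of the ACL

    def packet(self, flow: Flow) -> str:
        """Process one packet; return 'fast-path', 'permit' (new conn) or 'deny'."""
        if flow in self.conns:
            return "fast-path"          # established conn: ACL not consulted
        if self._acl_permits(flow):
            self.conns.add(flow)        # conn is built on the first permitted packet
            return "permit"
        return "deny"

    def clear_local_host(self, host: str) -> int:
        """Tear down every conn involving host (the effect of 'clear local-host')."""
        victims = {c for c in self.conns if host in (c.src, c.dst)}
        self.conns -= victims
        return len(victims)

def demo() -> list:
    pix = ToyPix(acl=[("permit", "any", "any", "any")])
    f = Flow("10.1.1.10", "10.2.2.20", 443)               # constructed sample flow
    r1 = pix.packet(f)                                     # 'permit' -> conn built
    pix.acl.insert(0, ("deny", "10.1.1.10", "any", "any"))  # new deny ACE added
    r2 = pix.packet(f)                                     # still 'fast-path'
    n = pix.clear_local_host("10.1.1.10")                  # tear down the conn
    r3 = pix.packet(f)                                     # now 'deny'
    return [r1, r2, n, r3]

if __name__ == "__main__":
    print(demo())  # ['permit', 'fast-path', 1, 'deny']
```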