https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798016#M1008087 <HTML><HEAD></HEAD><BODY><P>Hi Rich </P><P></P><P>1) You can delete and insert individual lines on pix v 6.3 so no need to remove the entire list. </P><P></P><P>2) You can set the new peer within the crypto map without having to reenter entire map. Be aware that if you set another peer it will keep the original one unless you do a </P><P>"no set peer xxxxxx" on the original peer. </P><P></P><P>3) Yes you can add entries to object-groups. It should not affect existing connections. </P><P></P><P></P><P>HTH </P><P></P><P>Jon</P></BODY></HTML> Thu, 05 Apr 2007 16:27:10 GMT Jon Marshall 2007-04-05T16:27:10Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798015#M1008085 <P>A few questions:</P><P></P><P>When changing access-lists on a PIX from command line, can you change one line in the list, or do you have to remove the entire existing list and re-enter the changed list?</P><P></P><P>On a crypto map, say the peer changes and you need to make that change, can you change one line in the crypto map, or does the entire map need to be re-entered with this change?</P><P></P><P>Also same question for object group?</P><P>Can you add one line?</P><P></P><P>And will this affect any existing connections if it were a port objexct group?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 09:56:42 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798015#M1008085 richmorrow624 2019-03-11T09:56:42Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798016#M1008087 <HTML><HEAD></HEAD><BODY><P>Hi Rich </P><P></P><P>1) You can delete and insert individual lines on pix v 6.3 so no need to remove the entire list. </P><P></P><P>2) You can set the new peer within the crypto map without having to reenter entire map. Be aware that if you set another peer it will keep the original one unless you do a </P><P>"no set peer xxxxxx" on the original peer. </P><P></P><P>3) Yes you can add entries to object-groups. It should not affect existing connections. </P><P></P><P></P><P>HTH </P><P></P><P>Jon</P></BODY></HTML> Thu, 05 Apr 2007 16:27:10 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798016#M1008087 Jon Marshall 2007-04-05T16:27:10Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798017#M1008090 <HTML><HEAD></HEAD><BODY><P>after you change ipsec peers, be sure to do a "clear crypto ipsec sa" and for kicks, "clear isakmp sa"</P></BODY></HTML> Thu, 05 Apr 2007 16:37:21 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798017#M1008090 srue 2007-04-05T16:37:21Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798018#M1008091 <HTML><HEAD></HEAD><BODY><P>Thanks jon,</P><P></P><P>If I wanted to change the list shown below, to add an additional host, it will allow me to add a line to the access-list NO_NAT?</P><P></P><P>Or remove a single line?</P><P></P><P></P><P>access-list NO_NAT permit ip host 10.1.1.1 host 12.13.14.215</P><P>access-list NO_NAT permit ip host 10.1.1.2 host 12.13.14.215</P><P>access-list NO_NAT permit ip host 10.1.1.3 host 12.13.14.215</P></BODY></HTML> Thu, 05 Apr 2007 17:31:33 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798018#M1008091 richmorrow624 2007-04-05T17:31:33Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798019#M1008093 <HTML><HEAD></HEAD><BODY><P>Rich </P><P></P><P>You should be able to remove or add line(s) to the access-list eg </P><P></P><P>access-list NO_NAT permit ip host 10.1.1.4 host 12.13.14.215 </P><P></P><P>will add to existing access-list NO_NAT </P><P></P><P>no access-list NO_NAT permit ip host 10.1.1.3 host 12.13.14.215 </P><P></P><P>will remove that line. </P><P></P><P>HTH and thanks for the rating </P><P></P><P>Jon</P></BODY></HTML> Thu, 05 Apr 2007 18:52:48 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798019#M1008093 Jon Marshall 2007-04-05T18:52:48Z https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798020#M1008094 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply, just a couple more questions:</P><P></P><P>I have a PIX525 that currently has 10 VPN tunnels configured.</P><P></P><P>9 are showing a idle and the below is not even showing up.</P><P></P><P>AM I correct in a ssuming that with this config:</P><P></P><P>1. The crypto map looks correct and will match the address allowing remote side traffic from the 10.79.8.0 subnet to access the 10.91.9.0 subnet via VPN tunnel?</P><P></P><P>2. The 10.91.9.1 and 2 addresses are being NATed from the 10.100.100.1 and 10.200.100.1 addresses?</P><P></P><P>Is that correct?</P><P></P></BODY></HTML> Thu, 05 Apr 2007 21:14:16 GMT https://community.cisco.com/t5/network-security/pix-525-6-3-command-line-changes/m-p/798020#M1008094 richmorrow624 2007-04-05T21:14:16Z