Cisco 515E tunnel cleanup help

terribleworld1
Level 1
We have a Cisco PIX 515E (not sure what OS or PDM version it has). We removed some unwanted tunnels from the GUI, but when we look at the command line, we still see some commands that we could remove. Look at this code. Tunnel IP addresses have been randomized for security. I have listed questions below.

Question: I see 3 crypto map commands above, with priorities 5, 190, 210, but in the isakmp policy section I see 10, 30, 35, 90, 110, 130, 150, 190. So should we delete 10, 30, 35, 90, 110, 130, 150? Why is there no isakmp policy for 5 and 210?
1 Reply 1

terribleworld1
Level 1

Sorry I was not able to create this case, I had to remove the code.

Trying to paste the commands

access-list BRANCH1 remark BRANCH1_TUNNEL
access-list BRANCH1 permit ip 172.1.1.0 255.255.255.0 192.100.0.0 255.255.255.0
access-list BRANCH2 remark BRANCH2_TUNNEL1
access-list BRANCH2 permit ip 172.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list BRANCH2 remark BRANCH2_TUNNEL2
access-list BRANCH2 permit ip 192.168.255.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list CLIENT1 remark CLIENT_TUNNEL
access-list CLIENT1 permit ip 172.1.1.0 255.255.255.0 10.40.0.0 255.255.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 5 ipsec-isakmp
crypto map outside_map 5 match address BRANCH1
crypto map outside_map 5 set peer 1.1.4.3
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 190 ipsec-isakmp
crypto map outside_map 190 match address BRANCH2
crypto map outside_map 190 set peer 7.1.2.2
crypto map outside_map 190 set transform-set ESP-3DES-MD5
crypto map outside_map 190 set security-association lifetime seconds 3600 kilobytes 536870912
crypto map outside_map 210 ipsec-isakmp
crypto map outside_map 210 match address CLIENT1
crypto map outside_map 210 set peer 2.1.1.2
crypto map outside_map 210 set transform-set ESP-AES-256-SHA
crypto map outside_map 210 set security-association lifetime seconds 5400 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key presharedpass1 address 1.1.4.3 netmask 255.255.255.255 no-xauth
isakmp key presharedpass2 address 7.1.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key presharedpass3 address 2.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 35 authentication rsa-sig
isakmp policy 35 encryption des
isakmp policy 35 hash sha
isakmp policy 35 group 1
isakmp policy 35 lifetime 86400
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption 3des
isakmp policy 110 hash sha
isakmp policy 110 group 1
isakmp policy 110 lifetime 86400
isakmp policy 130 authentication pre-share
isakmp policy 130 encryption 3des
isakmp policy 130 hash md5
isakmp policy 130 group 1
isakmp policy 130 lifetime 86400
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption aes-256
isakmp policy 150 hash sha
isakmp policy 150 group 5
isakmp policy 150 lifetime 28800
isakmp policy 190 authentication pre-share
isakmp policy 190 encryption 3des
isakmp policy 190 hash sha
isakmp policy 190 group 5
isakmp policy 190 lifetime 7800
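
Because ISAKMP policy numbers are a global Phase 1 priority list and are not tied to crypto map sequence numbers, this added example (not part of the original post) audits a configuration in the style posted above by reference instead: it reports transform sets, access lists and pre-shared keys that no crypto map entry uses, and ISAKMP policies that rely on DES, MD5 or DH group 1. The `audit` function, its report keys and the 192.0.2.9 key line are assumptions made for the example.

```python
from collections import defaultdict

# Excerpt of the posted configuration; the 192.0.2.9 key line is constructed
# for this example to show an orphaned pre-shared key.
SAMPLE = """\
access-list BRANCH1 permit ip 172.1.1.0 255.255.255.0 192.100.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 5 match address BRANCH1
crypto map outside_map 5 set peer 1.1.4.3
crypto map outside_map 5 set transform-set ESP-3DES-SHA
isakmp key presharedpass1 address 1.1.4.3 netmask 255.255.255.255 no-xauth
isakmp key constructedkey address 192.0.2.9 netmask 255.255.255.255 no-xauth
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 35 encryption des
isakmp policy 35 group 1
"""

WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # flagged Phase 1 values

def audit(config):
    """Cross-reference VPN objects; 'audit' and the report keys are hypothetical names."""
    acls, tsets, keys = set(), set(), set()
    used = {("match", "address"): set(), ("set", "peer"): set(),
            ("set", "transform-set"): set()}
    policies = defaultdict(dict)
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["access-list"] and len(w) > 2:
            acls.add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and (w[4], w[5]) in used:
            used[(w[4], w[5])].update(w[6:])
        elif w[:2] == ["isakmp", "key"] and len(w) > 4 and w[3] == "address":
            keys.add(w[4])
        elif w[:2] == ["isakmp", "policy"] and len(w) == 5:
            policies[int(w[2])][w[3]] = w[4]
    weak = {n: sorted(f"{k} {v}" for k, v in p.items() if v in WEAK.get(k, ()))
            for n, p in policies.items()}
    return {
        "acls_not_in_crypto_map": sorted(acls - used[("match", "address")]),
        "unused_transform_sets": sorted(tsets - used[("set", "transform-set")]),
        "keys_without_peer": sorted(keys - used[("set", "peer")]),
        "peers_without_key": sorted(used[("set", "peer")] - keys),
        "weak_policies": {n: f for n, f in weak.items() if f},
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An access list that no crypto map references may still be bound by `nat 0` or `access-group`, so check those commands before removing it.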
