Removing Access List

jesal
Level 1

I would like to remove the following entries from a 1710 Router.

crypto isakmp key ***** address 205.206.*.*

!

crypto map cfmap 20 ipsec-isakmp

set peer 205.206.*.*

set transform-set ts1

match address 102

!

access-list 102 remark Crypto traffic to 1710

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

I will cut and paste the 3 statements below from Notepad. What I don't know is whether I can enter the commands the way they are, or whether I should put the access list on top followed by the cryptos. Does it matter?

no crypto isakmp key sharedsecret address 205.206.*.*

no crypto map cfmap 20 ipsec-isakmp

no access-list 102

Thanks for your help.

Jesal


gfullage
Cisco Employee

Not really sure it matters; you'll be able to get rid of the ACL at any point. Make sure you've removed the crypto map from the interface before you do any of this, otherwise you may lock yourself out of the router. Also, the middle line should be removed just with:

> no crypto map cfmap 20

Don't put the "ipsec-isakmp" on the end of it, it'll complain IIRC.

Thanks for the reply. Just want to make sure what you're saying. I have 3 crypto maps right now and want to remove 1. If I do a "no crypto map cfmap" on e0, will I lose connection to the router and for the 2 other sites too? FYI, I have to do this remotely.

Is this the way to do it?

conf t

int e0

no crypto map cfmap

Ctrl z

no crypto isakmp key sharedsecret address 205.206.*.*

no crypto map cfmap

no access-list 102

!

Thanks so much for your help.

*current config*

crypto map cfmap local-address Ethernet0

crypto map cfmap 10 ipsec-isakmp

set peer 216.123.*.*

set transform-set ts1

match address 100

crypto map cfmap 20 ipsec-isakmp

set peer 205.206.*.*

set transform-set ts1

match address 102

crypto map cfmap 40 ipsec-isakmp

set peer 64.56.*.*

set transform-set ts1

match address 104

!

interface Ethernet0

description Internet connection

ip address 142.165.*.* 255.255.255.0

ip access-group 120 in

ip nat outside

no ip route-cache

no ip mroute-cache

half-duplex

no cdp enable

crypto map cfmap

!

OK, in that case, make sure you remove the crypto map instance BEFORE you remove the ACL.

Do the following:

no crypto map cfmap 20

no access-list 102

no crypto isakmp key........

The safest way to do this is to remove the crypto map off the interface first, but yes, that will bring down the other two tunnels. You always run the risk of locking yourself out of the router if you play with crypto stuff and ACLs with the map still applied to the interface and you do things in the wrong order. (I won't tell you how many times I've done it, and I like to think I know what I'm doing :-) )
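The ordering given in the reply above (crypto map entry, then ACL, then ISAKMP key), worked as an added example that is not part of the thread and not Cisco tooling: a small Python check that reads a saved running-config and emits the removal commands for one peer, skipping the ACL if anything else still references it. The sample config, its addresses and the key string are constructed, and the parser assumes sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample modelled on the thread's config (RFC 5737 addresses, made-up key).
SAMPLE_CONFIG = """\
crypto isakmp key EXAMPLEKEY address 198.51.100.20
crypto map cfmap 10 ipsec-isakmp
 set peer 192.0.2.10
 match address 100
crypto map cfmap 20 ipsec-isakmp
 set peer 198.51.100.20
 match address 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface Ethernet0
 ip access-group 120 in
 crypto map cfmap
"""

def parse_entries(config):
    """Return {(map_name, seq): {"peer": ..., "acl": ...}} per crypto map entry."""
    entries, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = entries.setdefault((m.group(1), int(m.group(2))), {})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the entry
        elif current is not None:
            m = re.match(r"\s+(set peer|match address) (\S+)", line)
            if m:
                current["peer" if m.group(1) == "set peer" else "acl"] = m.group(2)
    return entries

def removal_plan(config, peer):
    """Commands to retire one peer: map entry first, then its ACL, then the key."""
    entries = parse_entries(config)
    plan, acls = [], set()
    for (name, seq), e in sorted(entries.items()):
        if e.get("peer") == peer:
            plan.append(f"no crypto map {name} {seq}")  # no "ipsec-isakmp" suffix
            acls.add(e.get("acl"))
    for acl in sorted(acls - {None}):
        shared = any(e.get("acl") == acl and e.get("peer") != peer for e in entries.values())
        bound = re.search(rf"^\s*ip access-group {re.escape(acl)} ", config, re.M)
        if not shared and not bound:  # keep the ACL if anything else still uses it
            plan.append(f"no access-list {acl}")
    for key in re.findall(rf"^crypto isakmp key (\S+) address {re.escape(peer)}\b", config, re.M):
        plan.append(f"no crypto isakmp key {key} address {peer}")
    return plan
```

Calling `removal_plan(SAMPLE_CONFIG, "198.51.100.20")` returns the three commands in the order the reply recommends; review the output against the live config before pasting it into a remote session.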

OK, since I'm doing this remotely, I can't do much after removing the crypto map off the interface. So I'll have to find other ways without losing connection. I don't want to tell the person at the remote site to restart the router for the third time. He's already pissed. :((

Is it possible or recommended to do this:

erase start

copy tftp start (this will be a brand new config)

copy start run

Thanks for your input.