06-25-2003 04:58 PM - edited 02-21-2020 12:38 PM
Can you add "new networks" to an existing VPN Tunnel that has already been established?
We have a vendor who we currently allow into a development DMZ off our PIX 515.
They currently have access into this DMZ thru a VPN tunnel. They are currently coming in from a 10.1.X.X network and a 192.168.0.X network accessing our 172.16.X.X (DMZ interface on PIX).
This currently is working and we are not having any issues.
Here is a "brief" config:
PIX Version 6.2(2)
access-list 100 permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 100 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list acl_dmz permit tcp 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0 eq telnet
access-list acl_dmz permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0 eq telnet
access-group acl_dmz in interface dmz_interface
access-group acl_inside in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set VENDOR_VPN esp-des esp-md5-hmac
crypto map VENDOR_MAP 10 ipsec-isakmp
crypto map VENDOR_MAP 10 match address 101
crypto map VENDOR_MAP 10 set peer 208.XXX.XXX.XXX.XXX
crypto map VENDOR_MAP 10 set transform-set VENDOR_VPN
crypto map VENDOR_MAP interface outside
isakmp enable outside
isakmp key +++++++++++ address 208.XXX.XXX.XXX netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
My question is: we have a requirement to allow those same networks into another internal network 172.17.X.X thru the same VPN tunnel, but only when it is required. We don't want to have to set up another VPN config for this - we would like to be able to add the new access-list rule to the existing access-lists 101 & 100. We would then like to disable the rule after it is not required without "killing" the tunnel.
Add the new rule:
access-list 100 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0
I realize there are other rules/access-lists missing in the above example, but I am just trying to be brief.
Will this have any adverse effects on the established SAs or the tunnel when I issue the following commands to disable the temporary connection:
no access-list 100 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0
no access-list 101 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0
Thanks in advance
Peter Cumming
07-01-2003 11:23 AM
It is not possible to modify the access list without bringing down the tunnel. You need to remove the crypto map from the interface, modify the acl and then reapply the crypto map to the interface. That will mean scheduling a downtime and a sleepless night! Be sure to take a backup of the current configuration. Best of Luck. Another thing. I'm not sure what access-list 100 is doing in your configuration.
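As an added check (example code, not from either poster), the Python below parses the PIX 6.x access-list lines quoted in the question, diffs crypto ACL 101 before and after the proposed 172.17.X.X change, and reports any network pair that ends up in only one of ACL 100 and ACL 101. It assumes, since the thread does not say, that ACL 100 is the NAT-exemption list (nat 0 access-list 100) that is meant to mirror the crypto ACL; the sample config is constructed from the post.

```python
import re
from collections import defaultdict

# Matches the PIX 6.x ACE form used in the post:
#   access-list <name> permit|deny <proto> <src> <mask> <dst> <mask> [eq <port>]
ACE_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)(?: eq (\S+))?$")

def parse_acls(config):
    """Map ACL name -> list of (action, proto, src, smask, dst, dmask, port) in order."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, *ace = m.groups(default="")   # port is "" when there is no 'eq'
            acls[name].append(tuple(ace))
    return dict(acls)

def ace_diff(before, after, name):
    """(added, removed) entries of one ACL between two config versions."""
    b, a = set(before.get(name, [])), set(after.get(name, []))
    return sorted(a - b), sorted(b - a)

def nat_crypto_drift(acls, nat_acl="100", crypto_acl="101"):
    """Network pairs permitted in only one of the NAT-exempt and crypto ACLs.
    Assumption (not stated in the thread): ACL 100 is the nat 0 list for ACL 101."""
    def pairs(name):
        return {ace[2:6] for ace in acls.get(name, []) if ace[0] == "permit"}
    return sorted(pairs(nat_acl) ^ pairs(crypto_acl))

# Constructed sample: the two ACLs from the post, then the proposed 172.17.0.0/16 entries.
BEFORE = """\
access-list 100 permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 100 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
"""
NEW_NAT = "access-list 100 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0\n"
NEW_CRYPTO = "access-list 101 permit ip 172.17.0.0 255.255.0.0 10.1.0.0 255.255.255.0\n"

if __name__ == "__main__":
    old = parse_acls(BEFORE)
    new = parse_acls(BEFORE + NEW_NAT + NEW_CRYPTO)
    half = parse_acls(BEFORE + NEW_NAT)        # forgot to update the crypto ACL
    print("crypto ACL 101 added/removed:", ace_diff(old, new, "101"))
    print("drift after full change:", nat_crypto_drift(new))       # []
    print("drift after half change:", nat_crypto_drift(half))      # one pair
```

Running the same diff on the "no access-list ..." removal shows the 172.17.0.0 entry as the only removed item, which is what the temporary rule's removal touches in ACL 101.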