09-27-2016 04:42 AM
Hello House,
Please, I need your help on this change that I am about to make:
There is already a perfectly working site-to-site VPN in place. Now we want to change the host IP address in the interesting traffic at both ends. My intention is to remove the existing interesting traffic ACL and put another one with the same ACL name as the rest of the config at both ends. Will the tunnel remain up and stable if I generate traffic from the new host to the other after the change?
Awaiting reply... Thanks
09-27-2016 06:37 AM
Hi
If it was my ACL I would first add the new IP range to the allowed ACL, then remove the unwanted subnet/host, so the ACL does not have to be removed; rather than removing the ACL from the config, modify it.
With ACLs and VPNs always have a window set to work in, and if you're doing it remotely always issue the reload in 15 command in case you lock yourself out (don't forget to disable this when the work is done or the router will reload: reload cancel).
If you do it that way it shouldn't drop, as you're just altering what gets encrypted; removing the ACL completely may cause you an issue.
09-27-2016 07:41 AM
Thanks Mark for your swift response.
Actually my device is a Cisco ASA 5512-X, version 9.1(2).
I access it remotely. I think I would buy the idea of adding the new host to the object network before removing the old host IP address, but in my scenario there is a hitch, because the same host IP of the object network is being used to NAT another local IP. See the config below (not real IPs though):
object network TEST_PUBLIC_16.241
host 1.1.1.1
access-list INTELLI_NIMM extended permit ip object TEST_PUBLIC_16.241 object NIMM
That's the interesting traffic for the VPN.
object network TEST_PRIVATE
nat (TEST,OUTSIDE) static TEST_PUBLIC_16.241
The same IP is used to NAT one local IP.
So, if I add a new host to object network TEST_PUBLIC_16.241 before removing host 1.1.1.1, it will affect nat (TEST,OUTSIDE) static TEST_PUBLIC_16.241.
The TWO ANSWERS I am thinking of now are:
1. Create another network object name for the IP 1.1.1.1, remove TEST_PUBLIC_16.241 from the NAT and use the new one. Then I can edit object network TEST_PUBLIC_16.241
host 1.1.1.1 to accommodate the new host, so that it is reflected in the ACL INTELLI_NIMM.
2. Design another ACL with the same name as INTELLI_NIMM, and create and use a different object name that will accommodate the new host IP address.
Please, any advice... I just want to be careful so that the existing tunnel does not have issues, so that I can just ride on it.
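Option 1 from the post above, written out as an added example in ASA syntax (this is not the poster's own config; the object name NAT_PUBLIC_1.1.1.1, the group name VPN_LOCAL_HOSTS and the new host 1.1.1.2 are assumed, and the steps are ordered so the crypto ACL INTELLI_NIMM is never empty or absent):

```cisco
! Step 1 (assumed object name): give the static NAT its own object so it no
! longer depends on TEST_PUBLIC_16.241. Re-entering nat under TEST_PRIVATE
! replaces the existing rule for that object.
object network NAT_PUBLIC_1.1.1.1
 host 1.1.1.1
object network TEST_PRIVATE
 nat (TEST,OUTSIDE) static NAT_PUBLIC_1.1.1.1
!
! Step 2 (assumed group name / new host): collect the VPN-side hosts in an
! object-group so the new host can be added before the old one is removed.
object-group network VPN_LOCAL_HOSTS
 network-object object TEST_PUBLIC_16.241
 network-object host 1.1.1.2
!
! Step 3: add the new ACE to INTELLI_NIMM first, then remove the old one.
! The ACL keeps its name, so the crypto map that references it is untouched.
access-list INTELLI_NIMM extended permit ip object-group VPN_LOCAL_HOSTS object NIMM
no access-list INTELLI_NIMM extended permit ip object TEST_PUBLIC_16.241 object NIMM
!
! Step 4: after the remote end mirrors the change (new host in its ACL),
! drop the old host from the group during the maintenance window.
object-group network VPN_LOCAL_HOSTS
 no network-object object TEST_PUBLIC_16.241
```

Existing IPsec SAs keep the proxy identities they were negotiated with, so traffic from the new host only gets a matching SA once a new one is built; clearing the SA for that peer (clear crypto ipsec sa peer <remote-peer-ip>) inside the window forces the renegotiation rather than waiting for the lifetime to expire.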