Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
278
Views
0
Helpful
1
Replies

How to add a new VPN tunnel on PIX525 without causing a VPN outage?

dennis.su
Level 1
Level 1

‎03-23-2003 10:06 PM - edited ‎02-21-2020 12:25 PM

We have a PIX 525 firewall and we terminate a few VPN tunnels on it. Every time we added a new VPN tunnel, I had to remove crypto map from the outside interface(causing a VPN outage!), configure and apply it back. If I didn't remove crypto map from the interface, the PIX goes nuts when I first enter "crypto map name 1000 ipsec-isakmp" command.

Is there a "safe" way to add a new tunnel without having to remove the crypto map and affecting existing tunnels?

Regards,

Dennis

d.su@waikato.ac.nz

Labels:
0 Helpful
1 Reply 1

thomas.chen
Level 6
Level 6

‎03-28-2003 12:54 PM

The only real issue that I faced was while modifying the access list. That's the only time the outage is likely to occur, ie when the access-list is removed and a modified one re-entered. What we tried is to modify the access-list while still in place. We used the no form of the command as shown below

ip access-list extended 101

no permit ip host

host

We then moved in the new statements (to the bottom of the list by default). The access-list got modified sucessfully. This was attempted in the lab, and although on the production network we opted for downtime, there is no reason why the same can't be done on the live network. By doing this removing the crypto map is not necessary any more.

0 Helpful
Customers Also Viewed These Support Documents