how to disable (not delete) a VPN tunnel

phireph0x
Level 1

Is there a way to disable a site-to-site VPN tunnel on an ASA 5510? I know I can delete the tunnel policies and rules, but I want to keep them in place and simply disable the tunnel temporarily.

Thanks,

Nick

4 Replies

bamnocadmin
Level 1

Hello,

I would remove the NAT statement for interesting traffic: nat (inside) 0 access-list NoNAT

I do not think there is an option to disable VPN.

Thanks.

Jon Marshall
Hall of Fame

Hi Nick

The way I used to do it was simply to remove or change the pre-shared key, assuming you are using pre-shared keys.

If not, just edit the crypto map access-list.

HTH

Jon

mfreijser
Level 1

I always place the keyword 'inactive' behind the crypto map access-list. This way no traffic is matched for the tunnel, so no tunnel is created! You can just remove the keyword inactive by replacing the access-rule with the original rule.

Here's an example:

access-list vpntunnel extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 inactive

Please rate if the post is useful!

Regards,

Michael

rajaabir525
Level 1

I personally used two ways to do that.

1: I followed the solution mfreijser mentioned above.

Place the keyword 'inactive' behind the crypto map access-list.

Here's an example:

access-list vpntunnel extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 inactive

2: But it still keeps Phase 1 of the tunnel up, so I remove the peer IP and save it into Notepad somewhere safe, and later, when you want to bring this tunnel up again, you can use it.

Here's an example:

no crypto map youmap 100 set peer 200.111.155.138