How to shut down ASA Site to Site VPN tunnel without removing it

RahulShindeMM
Level 1

Hello All,


I am looking to find a solution for disabling a particular IPSEC tunnel without removing the crypto or L2L tunnel configuration.

I have multiple IPSEC tunnels, out of which I want to disable one during the activity period.


My main concern around this is not to lose the pre-shared key configuration on the firewall while disabling the tunnel.


2 Replies

Seb Rupik
VIP Alumni

Hi there,

Remove the relevant entries from the crypto map statement.

Keep in mind that since the ASA uses policy routing, the VPN traffic that was previously heading out and being redirected by the crypto map will now continue on its journey, so you may want to add an outbound ACL to your OUTSIDE interface to stop this particular INSIDE traffic from leaking.


Cheers,

Seb.

Roy Harrington
Cisco Employee

Removing the ACL from the crypto map entry would be the simplest and the best way with the least amount of configuration. By removing the ACL from the crypto map, the ASA will no longer encrypt that subnet/host to the peer IP. You may also have to adjust NAT if you plan to send your traffic over another tunnel. However, if you have an FTD you can go into access policies or site-to-site VPN and just click disable; the config will stay but not be applied.


Another way would be to block your peer IP address on ports 4500 and 500, inbound and outbound.
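Both replies describe the same procedure (drop the match-address ACL from the crypto map entry, then stop the now-plaintext traffic from leaving the outside interface), with the second adding the option of blocking IKE/NAT-T to the peer. The following ASA CLI sequence is an added worked example that ties the steps together; it is not configuration posted by either reply. The crypto map name OUTSIDE_MAP, sequence 10, the ACL names VPN_TO_SITEB, OUTSIDE_OUT and OUTSIDE_CP, the peer 203.0.113.10, the transform set ESP-AES256-SHA and the subnets 10.1.1.0/24 and 10.2.2.0/24 are all assumed placeholders, the real-address ACL behaviour assumes ASA 8.3 or later, and the control-plane ACL at the end assumes ASA 9.x.

```cisco
! --- Assumed existing tunnel definition (left in place throughout) ---
! The crypto map entry selects interesting traffic by ACL; the pre-shared key
! lives in the tunnel-group, which this procedure never touches.
access-list VPN_TO_SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_REAL_PSK

! --- Step 1: stop the ASA from encrypting for this peer ---
! Removing only the match-address line from sequence 10 leaves the peer,
! transform set and tunnel-group (with the PSK) in the running config.
! The ASA warns that map entry 10 is incomplete; that is expected here.
no crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB

! --- Step 2: tear down any SAs that are already up so the change is immediate ---
clear crypto ipsec sa peer 203.0.113.10
clear crypto ikev1 sa 203.0.113.10

! --- Step 3: keep the now-unencrypted traffic from leaking out in clear text ---
! With no crypto map match, 10.1.1.0/24 -> 10.2.2.0/24 is simply routed out the
! outside interface, and an existing NAT exemption for the VPN would send it
! with its real addresses. Deny it explicitly with an outbound ACL on OUTSIDE.
! If OUTSIDE_OUT already exists, insert the deny at line 1 so it precedes any permit.
access-list OUTSIDE_OUT line 1 extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

! --- Optional (second reply): also refuse IKE / NAT-T from the peer ---
! Interface ACLs do not filter traffic addressed to the ASA itself, so a plain
! inbound ACL will not stop the peer's IKE attempts; on ASA 9.x a control-plane
! ACL does (assumed available on this platform).
access-list OUTSIDE_CP extended deny udp host 203.0.113.10 any eq isakmp
access-list OUTSIDE_CP extended deny udp host 203.0.113.10 any eq 4500
access-list OUTSIDE_CP extended permit ip any any
access-group OUTSIDE_CP in interface outside control-plane

! --- Verification ---
! Expect no SAs for this peer:
show crypto ipsec sa peer 203.0.113.10
! The pre-shared key line is still present (displayed masked):
show running-config tunnel-group 203.0.113.10
! Sequence 10 still carries its set peer / transform set lines:
show running-config crypto map

! --- Re-enable after the activity window ---
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB
no access-list OUTSIDE_OUT extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
no access-group OUTSIDE_CP in interface outside control-plane
```

The outbound deny in step 3 is the part most often forgotten: once the match-address line is gone, nothing on the ASA treats that flow as VPN traffic any more, so the identity NAT rule for the tunnel would otherwise hand the real inside addresses to the default route. Check `show access-list OUTSIDE_OUT` after the window to confirm the deny counter incremented only for expected sources, and remember that the ACL uses real (untranslated) addresses on ASA 8.3 and later.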