How to shut down ASA Site to Site VPN tunnel without removing it

Hello All,

I am looking to find a solution for disabling a particular IPsec tunnel without removing the crypto or L2L tunnel configuration.

I have multiple IPsec tunnels, and I want to disable one of them during the activity period.

My main concern around this is not to lose the pre-shared key configuration on the firewall while disabling the tunnel.

VIP Advisor

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Hi there,

Remove the relevant entries from the crypto map statement.

Keep in mind that since the ASA uses policy routing, the VPN traffic that was previously heading out and being redirected by the crypto map will now continue on its journey, so you may want to add an outbound ACL to your OUTSIDE interface to stop this particular INSIDE traffic from leaking.

Cheers,

Seb.

Cisco Employee

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Removing the ACL from the crypto map entry would be the simplest and best way, with the least amount of configuration. By removing the ACL from the crypto map, the ASA will no longer encrypt that subnet/host to the peer IP. You may also have to adjust NAT if you plan to send your traffic over another tunnel. However, if you have an FTD you can go into access policies or site-to-site VPN and just click disable, and the config will stay but not be applied.

Another way would be to block your peer IP address on ports 4500 and 500, inbound and outbound.
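The crypto-map approach both replies describe, written out as an ASA CLI sequence. This is an added example, not configuration from either reply; the map name OUTSIDE_MAP, sequence 10, ACL names, transform set, peer 203.0.113.10 and the 10.1.1.0/24 and 10.2.2.0/24 subnets are placeholders, and IKEv1 is assumed.

```text
! --- Existing site-to-site configuration (placeholder names, left intact) ---
! Crypto ACL selecting the interesting traffic for the Site-B tunnel
access-list VPN_SITE_B extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_SITE_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! The pre-shared key lives on the tunnel-group, not on the crypto map entry,
! so it is untouched by the steps below (masked as ***** in show running-config)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****

! --- Step 1: detach the crypto ACL so the ASA stops selecting Site-B traffic ---
no crypto map OUTSIDE_MAP 10 match address VPN_SITE_B
! Tear down the SAs that already exist for this peer, otherwise the
! established tunnel keeps carrying traffic until it expires
clear crypto ipsec sa peer 203.0.113.10
clear crypto ikev1 sa 203.0.113.10

! --- Step 2: stop the now-unselected Site-B traffic leaving in cleartext ---
! (the leak the first reply warns about)
access-list OUTSIDE_OUT extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside

! --- Verify: no IKE/IPsec SA for the peer, tunnel-group and key still present ---
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
show running-config tunnel-group 203.0.113.10

! --- Revert after the activity window ---
crypto map OUTSIDE_MAP 10 match address VPN_SITE_B
no access-list OUTSIDE_OUT extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
```

Interface ACLs do not filter traffic addressed to the ASA itself, so the second reply's alternative of blocking UDP 500/4500 from the peer needs a control-plane ACL (access-group applied with the control-plane keyword) rather than the outbound ACL above.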