12-20-2018 07:39 AM
Hello All,
I am looking to find a solution for disabling a particular IPSEC tunnel without removing the crypto or L2L tunnel configuration.
I have multiple IPSEC tunnels, out of which I want to disable one during the activity period.
The main concern around this is not to lose the pre-shared key configuration on the firewall while disabling the tunnel.
12-20-2018 07:52 AM
Hi there,
Remove the relevant entries from the crypto map statement.
Keep in mind that since the ASA uses policy routing, the VPN traffic that was previously heading out and being redirected by the crypto map will now continue on its journey, so you may want to add an outbound ACL to your OUTSIDE interface to stop this particular INSIDE traffic from leaking.
Cheers,
Seb.
12-20-2018 08:53 AM - edited 12-20-2018 08:57 AM
Removing the ACL from the crypto map entry would be the simplest and the best way, with the least amount of configuration. By removing the ACL from the crypto map, the ASA will no longer encrypt that subnet/host to the peer IP. You may also have to adjust NAT if you plan to send your traffic over another tunnel. However, if you have an FTD you can go into access policies or site-to-site VPN and just click disable, and the config will stay but not be applied.
Another way would be to block your peer IP address ports 4500 and 500 inbound and outbound.
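The crypto map change and the leak-blocking outbound ACL that the two replies describe, written out as an added ASA CLI example (not configuration from the thread). The map name OUTSIDE_map, the ACL names, the subnets 10.1.1.0/24 and 10.2.2.0/24 and the peer address 203.0.113.10 are assumed placeholders, and it assumes no outbound ACL is already applied to the outside interface.

```cisco
! Added example, not from the thread; all names, subnets and the peer address are assumed.
! Starting point: one L2L tunnel to peer 203.0.113.10, selected by entry 10 of the crypto map.
access-list VPN_TO_PEER extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_map 10 match address VPN_TO_PEER
crypto map OUTSIDE_map 10 set peer 203.0.113.10
crypto map OUTSIDE_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ********
!
! Step 1: detach the interesting-traffic ACL from the map entry. The map entry, the ACL
! object and the tunnel-group (with its pre-shared key) all stay in the running config.
no crypto map OUTSIDE_map 10 match address VPN_TO_PEER
!
! Step 2: tear down any security association that is still up for this peer.
clear crypto ipsec sa peer 203.0.113.10
!
! Step 3: with no crypto map match, traffic to 10.2.2.0/24 would now be routed out in
! the clear. Deny it explicitly on the outside interface in the outbound direction.
access-list OUTSIDE_out extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list OUTSIDE_out extended permit ip any any
access-group OUTSIDE_out out interface outside
!
! Check: no SA should be listed for the peer, and the deny line's hit count should
! increase if anything on the inside still tries to reach the remote subnet.
show crypto ipsec sa peer 203.0.113.10
show access-list OUTSIDE_out
!
! To re-enable the tunnel later, re-attach the ACL and remove the deny line.
crypto map OUTSIDE_map 10 match address VPN_TO_PEER
no access-list OUTSIDE_out extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
```

If the tunnel's traffic is covered by a NAT exemption rule, leave that rule in place so the tunnel comes back unchanged when the ACL is re-attached.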