08-15-2021 09:43 PM
Hi,
I am seeking the best way to decommission the VPN tunnel of a closed branch.
The VPN setup is established using Dynamic crypto map on DC site.
Each branch site is assigned a /24 subnet inside the LAN.
ex> Branch_1(10.10.0.0/24), Branch_2(10.10.1.0/24), Branch_3(10.10.2.0/24), Branch_4(10.10.3.0/24)
Branch subnets are grouped and assigned to the ACL for the VPN interesting traffic on DC site VPN setup.
ex> ip access-list branch-vpn
permit ip 172.16.0.0 0.0.0.255 10.10.0.0 0.0.3.255
I need to decommission vpn tunnels to some closed branches on DC site.
I was thinking of modifying the branch-vpn ACL to do this (adding an earlier deny ip 172.16.0.0 0.0.0.255 [closed branch subnet] before permit ip 172.16.0.0 0.0.0.255 10.10.0.0 0.0.3.255).
Will that be OK, or is there a better, recommended way to do this?
08-16-2021 12:21 AM
If you are de-commissioning the branch, why can you not just unconfigure the VPN on the branch router/ASA? The VPN would never attempt to establish.
On the DC router/ASA, you could change the Pre-Shared Key of the Branch that has been de-commissioned.
08-16-2021 12:36 AM
Hi Rob,
This decommissioning job requires both sides (Branch and DC).
08-16-2021 12:53 AM - edited 08-16-2021 12:56 AM
You said you've got a dynamic crypto map at the DC; in this instance only the spoke (branch) can initiate a tunnel, never the other way around. So by decommissioning the branch, the hub won't attempt to build a tunnel. If you use a unique PSK per branch spoke, then remove this from the hub.
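To sanity-check the ACL change proposed in the first post, here is an added example (not from the thread or from any Cisco tool) that models IOS first-match evaluation of the branch-vpn ACL with an implicit deny at the end, prepends a deny for a closed branch, and confirms that only that branch drops out of the interesting traffic while the other /24s still match the 0.0.3.255 summary. The ACL lines and branch subnets are the ones given in the thread; the helper names are my own, and only contiguous wildcard masks are handled.

```python
import ipaddress

DC_LAN = "172.16.0.0 0.0.0.255"          # DC side address/wildcard from the post
# Constructed copy of the DC crypto ACL as posted in the thread.
ORIGINAL_ACL = ["permit ip 172.16.0.0 0.0.0.255 10.10.0.0 0.0.3.255"]


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    Wildcard bits set to 1 are "don't care", so the netmask is the
    bitwise inverse of the wildcard (contiguous wildcards only).
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC_WC DST DST_WC' into (action, src_net, dst_net)."""
    action, _proto, src, src_wc, dst, dst_wc = line.split()
    return action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def acl_match(acl, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny, as on IOS."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in (parse_ace(line) for line in acl):
        if s in src_net and d in dst_net:
            return action
    return "deny"


def decommission(acl, closed_subnets):
    """Return a new ACL with a deny per closed branch placed before the summary permit."""
    denies = []
    for cidr in closed_subnets:
        net = ipaddress.IPv4Network(cidr)
        # hostmask is exactly the IOS wildcard for this prefix (0.0.0.255 for a /24)
        denies.append(f"deny ip {DC_LAN} {net.network_address} {net.hostmask}")
    return denies + list(acl)


if __name__ == "__main__":
    updated = decommission(ORIGINAL_ACL, ["10.10.2.0/24"])  # Branch_3 closed
    for ace in updated:
        print(ace)
    for branch_host in ("10.10.1.7", "10.10.2.7"):
        print(branch_host, "->", acl_match(updated, "172.16.0.5", branch_host))
```

Bear in mind that a deny in a crypto ACL only excludes that traffic from IPsec; if the DC still has a route toward the closed subnet, matching packets would be forwarded unencrypted, so removing the branch's PSK and routing on the hub, as the reply above suggests, is still needed.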
08-16-2021 04:11 PM