Re: PIX 525 and swapping interface definitions
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Wed, 02 Apr 2008 18:27:04 GMT
In article <2b0c93f0-2129-44d1-b5be-5722cbacaab1@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<Bod43@xxxxxxxxxxxxx> wrote:
Well this is a first - I absolutely never thought that I might
give any form of pix advice to Walter, or anyone else
for that matter.
Maybe it's new but I have been doing a bit of pixing recently
and on 6.3.4 if you do something like
access-list fred line 4 your.acl.spec
It puts it in BEFORE the existing line 4 as shown
in the show access-list command and the acl is
renumbered immediately.
Unfortunately that isn't reliable in this situation. When you do that,
the existing "line 4" is still there and would still reference the
other interface. If the ACL is used in a crypto map or static or nat
statement, then the extra ACL line referencing the old interface
will quite likely mess up the configuration, probably in
very subtle ways (i.e., you will likely end up with operational modes
that do not match the configuration, and then have a heck of a time
trying to figure out why you are having problems!)
If you have an ACL used in a crypto map, and you need to modify that
ACL, then there are only two reliable routes:
a) disable the VPN on that interface (completely, for -all- peers),
clear off the old ACL, build the new ACL, re-issue the crypto map
command that references the ACL, and re-enable the VPN; OR
b) build complete new crypto maps and ACLs with new names,
activate the new crypto map on the interface, and then clear off the
old crypto maps and ACLs. This approach has the advantage of
minimal downtime for the VPNs; the tunnels whose crypto map
access-list entries stay functionally the same sometimes even stay up
without interruption when this approach is used.
In particular, it is NOT reliable to leave the VPNs active but to
change an ACL referenced in a crypto map access-list entry, and
it is NOT reliable to leave the VPNs active but to remove a crypto map
access-list command and then add the replacement crypto map access-list
command (and in PIX 6 you must proceed by removal and then insertion
as it will not allow you to change that line by issuing an updated
version of the line: it will complain that there is already an
existing access-list for that policy.) It is also NOT reliable to
remove a complete crypto map policy with a lower policy number
(higher priority) than another policy (for a different peer) and then
to put the old lower-numbered policy back in place: unless the
access-lists were absolutely mutually exclusive by design, this
approach *will* mess up your VPNs in ugly ways.
This discussion is, of course, all predicated upon the assumption
that you have an access-list or nat or static that references the
interface being renamed. If you do not (i.e., if you only use public
IPs and do not PAT anything through the PIX interface itself and
have not configured your crypto maps so that your remote peers can
respond to pings initiated from the PIX itself) -- if your configuration
is interface clean, then probably all you have to do besides
issueing the new nameif commands and re-issuing the commands to assign
the public IP to the new interface, is to disable the crypto map against
the old interface and apply it against the new interface. But if your
configuration is not interface- clean, such that you might be
considering using access-list line # to edit ACLs in place to
adjust for the new interfaces, then your configuration is probably
complex enough that you risk the PIX gumming up its internal state
if you do not make the change cleanly in the manners I outlined.
.
- References:
- Re: PIX 525 and swapping interface definitions
- From: Walter Roberson
- Re: PIX 525 and swapping interface definitions
- From: Bod43
- Re: PIX 525 and swapping interface definitions
- Prev by Date: Re: Cisco 1800 dot11radio0
- Next by Date: Re: Cisco 1800 dot11radio0
- Previous by thread: Re: PIX 525 and swapping interface definitions
- Next by thread: Cisco PIX 515E multiple VPN question
- Index(es):
Relevant Pages
|
|
