Posts

Showing posts from March, 2015

Can I modify an access list in the production environment (VPN)?

With many VPN tunnels in your production environment you may be asked to modify some crypto ACLs. Which tasks can you do without impact on the business traffic, and which can only be performed during a change window? You can add a new ACE; it does not terminate the tunnels:

    R4(config-ext-nacl)# do sh runn | s access
    ip access-list extended VPN
     permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
    R4(config-ext-nacl)# per
    R4(config-ext-nacl)# permit ip
    R4(config-ext-nacl)# permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255
    R4(config-ext-nacl)#
    R4(config-ext-nacl)#

As you can see, nothing happened. But when you remove any entry, even one not related to your SA, you can see:

    R4(config-ext-nacl)# do sh run | s access
    ip access-list extended VPN
     permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255
     permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
    R4(config-ext-nacl)#
    R4(config-ext-nacl)# no

Do I need exactly the same ACEs in my ACLs?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_site2site.html#wp1042401

Under the above link you can find the following statement: "Configure ACLs that mirror each other on both sides of the connection." The answer is: not really. Let's test it. One peer has the following encryption domain:

    asa1# sh run access-list
    access-list VPN extended permit ip 20.0.0.0 255.255.255.0 host 150.1.4.4
    asa1#

and the second one:

    R4(config-ext-nacl)#
    R4(config-ext-nacl)# do sh runn | s access
    ip access-list extended VPN
     permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255
    R4(config-ext-nacl)#

As you can see, the ACL on my ASA is more specific (host 150.1.4.4). Before I initiate traffic, let's check the IPsec sessions:

    R4#sh crypto session
    Crypto session current status

    Interface: FastEthernet0/0
    Session status: DOWN
    Peer: 10.0.0.1 port 500
      IPSEC FLOW: permit ip 1
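The question of whether non-mirrored crypto ACLs work comes down to how the responder checks the proxy identities it is offered. The script below is an added example written for this post; it is not Cisco code and not part of the original article. It parses the two ACLs shown above (the ASA netmask form and the IOS wildcard form) and models the IKEv1 quick-mode rule as an assumption: the initiator proposes the source/destination of the first ACE that matches the interesting traffic, and the responder accepts the proposal only if both networks fit inside (the reversed) source and destination of one of its own ACEs. Only `permit ip` ACEs are handled, and the host addresses used to trigger each side are hypothetical.

```python
"""Model of IKEv1 quick-mode proxy-ID matching between two Cisco crypto ACLs.

Added example, not Cisco code. Assumed rule: the responder accepts a proposal
when the initiator's source and destination networks fall inside the reversed
destination and source of one of the responder's own 'permit ip' ACEs.
"""
import ipaddress
from typing import List, Optional, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)


def _contiguous_prefixlen(mask: str, wildcard: bool) -> int:
    """Prefix length from an IOS wildcard (0.0.0.255) or an ASA netmask (255.255.255.0)."""
    bits = int(ipaddress.IPv4Address(mask))
    if not wildcard:
        bits ^= 0xFFFFFFFF          # turn a netmask into wildcard form
    n = bits.bit_length()
    if bits != (1 << n) - 1:
        raise ValueError(f"non-contiguous mask {mask} cannot be a proxy identity")
    return 32 - n


def _parse_addr(tok: List[str], i: int, wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | A mask) at tok[i]; return (network, next index)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    plen = _contiguous_prefixlen(tok[i + 1], wildcard)
    return ipaddress.IPv4Network(f"{tok[i]}/{plen}", strict=False), i + 2


def parse_crypto_acl(text: str, platform: str) -> List[Flow]:
    """Parse 'show run' output of a crypto ACL; platform is 'ios' (wildcards) or 'asa' (netmasks)."""
    wildcard = platform == "ios"
    flows: List[Flow] = []
    for line in text.splitlines():
        tok = line.split()
        if "remark" in tok or "permit" not in tok:
            continue                      # header lines, remarks and deny entries carry no proxy ID
        i = tok.index("permit")
        if tok[i + 1] != "ip":
            continue                      # protocol/port-specific ACEs are out of scope here
        src, i = _parse_addr(tok, i + 2, wildcard)
        dst, i = _parse_addr(tok, i, wildcard)
        flows.append((src, dst))
    return flows


def classify(acl: List[Flow], src_ip: str, dst_ip: str) -> Optional[Flow]:
    """First ACE matching a packet; its networks become the initiator's proxy identities."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for src, dst in acl:
        if s in src and d in dst:
            return src, dst
    return None


def responder_accepts(proposal: Flow, responder_acl: List[Flow]) -> Optional[Flow]:
    """Responder-side check: the proposal must fit inside one of its ACEs with direction reversed."""
    src, dst = proposal
    for rsrc, rdst in responder_acl:
        if src.subnet_of(rdst) and dst.subnet_of(rsrc):
            return rsrc, rdst
    return None


def negotiate(initiator_acl, responder_acl, src_ip, dst_ip) -> Tuple[Optional[Flow], bool]:
    """Interesting traffic src_ip->dst_ip hits the initiator; return (proposal, accepted)."""
    proposal = classify(initiator_acl, src_ip, dst_ip)
    if proposal is None:
        return None, False                # traffic is not interesting: no IKE exchange at all
    return proposal, responder_accepts(proposal, responder_acl) is not None


# Constructed from the ACLs shown in the post (sample input, not a live capture).
ASA1_ACL = "access-list VPN extended permit ip 20.0.0.0 255.255.255.0 host 150.1.4.4\n"
R4_ACL = "ip access-list extended VPN\n permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255\n"
# Hypothetical hosts inside each encryption domain, used only to trigger negotiation.
ASA_SIDE_HOST, R4_SIDE_HOST = "20.0.0.10", "150.1.4.4"


def run_both_directions() -> Tuple[bool, bool]:
    """(asa1 initiates towards R4, R4 initiates towards asa1)."""
    asa, r4 = parse_crypto_acl(ASA1_ACL, "asa"), parse_crypto_acl(R4_ACL, "ios")
    asa_initiates = negotiate(asa, r4, ASA_SIDE_HOST, R4_SIDE_HOST)[1]
    r4_initiates = negotiate(r4, asa, R4_SIDE_HOST, ASA_SIDE_HOST)[1]
    return asa_initiates, r4_initiates


if __name__ == "__main__":
    for who, ok in zip(("asa1 initiates", "R4 initiates"), run_both_directions()):
        print(f"{who}: {'phase 2 up' if ok else 'proxy ID mismatch'}")
```

Under the modelled rule the outcome is asymmetric: when asa1 (the more specific side) initiates, its host/24 proposal fits inside R4's /24 ACE and is accepted; when R4 initiates with its /24 pair, the proposal does not fit inside the ASA's host entry and is rejected. Because `classify` uses first match, adding a mirroring host ACE on R4 only helps if it sits before the broader /24 ACE, which is the kind of ordering detail worth checking with `show crypto session` before declaring the tunnel healthy.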