Velocity Reviews - Computer Hardware Reviews

PIX 6.3.4 - misc questions on VPN

 
 
Amaury Ronflard
 
      08-14-2005
Hi!! Since this team is of very good quality!!! Walter, you're not
a stranger in this

==> First question

ha-pix# sh crypto map ?

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

Usage: [ show ] crypto { ca | dynamic-map | ipsec | isakmp | map | sa } ...
show crypto engine [verify]
[ show | clear ] crypto interface [counters]
ha-pix# sh crypto map

[150k of pure text]

If I want to get the crypto map attached to the access-list "Oslo_VPN",
how do I parse it? 150k of text is too much, using | grep is not reliable
really...

Same problem with

ha-pix#show crypto sa

==> Second question.

Let's say I have 15 remote sites talking ipsec vpn to my paire.

I need to kill the SA from one of those. So,

1, isakmp key ******** address 11.11.11.11 netmask 255.255.255.255
2, isakmp key ******** address 12.12.12.12 netmask 255.255.255.255
[...]
3, isakmp key ******** address 13.13.13.13 netmask 255.255.255.255
4, isakmp key ******** address 14.14.14.14 netmask 255.255.255.255
5, isakmp key ******** address 15.15.15.15 netmask 255.255.255.255
n, isakmp key ******** address 16.16.16.16 netmask 255.255.255.255

ha-pix#clear crypto sa

will kill any Phase 1 being established. But, this is applied to all of
those!!! How do I reset a phase 1 for a specific VPN and not for all?

==> Third and last question

pix-ha#debug crypto isakmp

I need to debug a specific isakmp association, not all of them! How do I
choose a specific VPN and not all of them?

Thank you *VERY* much,

Amaury
 
 
 
 
 
Walter Roberson
 
      08-14-2005
In article <ddo7o0$ifv$(E-Mail Removed)>,
Amaury Ronflard <(E-Mail Removed)> wrote:

:If I want to get the crypto map attached to the access-list "Oslo_VPN",
:how do I parse it? 150k of text is too much, using | grep is not reliable
:really...

You've been discussing the PIX 501, which cannot have a DMZ interface.
You could in theory attach a VPN to the PIX 501 inside interface,
but that would be quite uncommon. Thus on the 501 there is likely
to only -be- one crypto map, and you could see it by

show run | grep crypto map

If you do happen to have multiple maps and you want to find the
one that mentions a particular ACL such as Oslo_VPN then you can

show run | grep match address Oslo\_VPN

Notice the '\' before the '_' . Alternately, replace each '_' with a '.' :

show run | grep match address Oslo.VPN


:==> Second question.

:Let's say I have 15 remote sites talking ipsec vpn to my paire.

You cannot have all of those simultaneously active on a PIX 501:
the limit is 10 IKE peers for that 501.


:I need to kill the SA from one of those. So,

:ha-pix#clear crypto sa

:will kill any Phase 1 being established. But, this is applied to all of
:those!!! How do I reset a phase 1 for a specific VPN and not for all?

In configuration mode, clear crypto sa peer 13.13.13.13


:==> Third and last question

:pix-ha#debug crypto isakmp

:I need to debug a specific isakmp association, not all of them! How do I
:choose a specific VPN and not all of them?

There is no way to do that in PIX 6.3.
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler
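
One way to answer the first question offline, as an added example that is not part of the thread: save the "show run" output to a file, group the "crypto map" lines by map name and sequence number, and compare the ACL name as an exact string, so no escaping of '_' is needed. The config lines, map name, transform set and function names below are constructed for illustration; the peer found this way is the address to give to "clear crypto sa peer".

```python
import re
from collections import defaultdict

# Constructed sample of PIX 6.3 running-config lines (map name, ACLs and
# transform set are made up for illustration; not taken from a real device).
SAMPLE_CONFIG = """\
access-list Oslo_VPN permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list Oslo-VPN permit ip 10.1.0.0 255.255.0.0 10.30.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address Oslo-VPN
crypto map outside_map 10 set peer 12.12.12.12
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address Oslo_VPN
crypto map outside_map 20 set peer 13.13.13.13
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key ******** address 13.13.13.13 netmask 255.255.255.255
"""

# Per-entry lines look like: crypto map <name> <seq> <subcommand ...>
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config_text):
    """Group 'crypto map <name> <seq> ...' lines by (name, seq)."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "transform_sets": []})
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # also skips 'crypto map <name> interface <if>'
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = entries[(name, seq)]
        if rest[:2] == ["match", "address"] and len(rest) >= 3:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"] and len(rest) >= 3:
            entry["peers"].append(rest[2])
        elif rest[:2] == ["set", "transform-set"]:
            entry["transform_sets"].extend(rest[2:])
    return dict(entries)

def find_by_acl(config_text, acl_name):
    """Return [(map_name, seq, entry)] whose ACL equals acl_name exactly."""
    return [(n, s, e) for (n, s), e in sorted(parse_crypto_maps(config_text).items())
            if e["acl"] == acl_name]

if __name__ == "__main__":
    for name, seq, entry in find_by_acl(SAMPLE_CONFIG, "Oslo_VPN"):
        print(name, seq, entry["peers"], entry["transform_sets"])
```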
 