PIX 6.3.4 - misc questions on VPN

Discussion in 'Cisco' started by Amaury Ronflard, Aug 14, 2005.

  1. Hi!! Since this team is of very good quality!!! Walter, you're no
    stranger to this ;-)

    ==> First question

    ha-pix# sh crypto map ?

    At the end of show <command>, use the pipe character '|' followed by:
    begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

    Usage: [ show ] crypto { ca | dynamic-map | ipsec | isakmp | map | sa } ...
    show crypto engine [verify]
    [ show | clear ] crypto interface [counters]
    ha-pix# sh crypto map

    [150k of pure text]

    If I want to get the crypto map attached to the access-list "Oslo_VPN",
    how do I parse it? 150k of text is too much, using | grep is not reliable
    really...

    same problem with

    ha-pix#show crypto sa

    ==> Second question.

    Let's say I have 15 remote sites talking ipsec vpn to my pair.

    I need to kill the SA from one of those. So,

    1, isakmp key ******** address 11.11.11.11 netmask 255.255.255.255
    2, isakmp key ******** address 12.12.12.12 netmask 255.255.255.255
    [...]
    3, isakmp key ******** address 13.13.13.13 netmask 255.255.255.255
    4, isakmp key ******** address 14.14.14.14 netmask 255.255.255.255
    5, isakmp key ******** address 15.15.15.15 netmask 255.255.255.255
    n, isakmp key ******** address 16.16.16.16 netmask 255.255.255.255

    ha-pix#clear crypto sa

    will kill any Phase 1 being established. But, this is applied to all of
    those!!! How do I reset a phase 1 for a specific VPN and not for all?

    ==> Third and last question

    pix-ha#debug crypto isakmp

    I need to debug a specific isakmp association, not all of them! How do I
    choose a specific VPN and not all of them?

    Thank you *VERY* much,

    Amaury
     
    Amaury Ronflard, Aug 14, 2005
    #1

  2. In article <ddo7o0$ifv$>,
    Amaury Ronflard <> wrote:

    :If I want to get the crypto map attached to the access-list "Oslo_VPN",
    :how do I parse it? 150k of text is too much, using | grep is not reliable
    :really...

    You've been discussing the PIX 501, which cannot have a DMZ interface.
    You could in theory attach a VPN to the PIX 501 inside interface,
    but that would be quite uncommon. Thus on the 501 there is likely
    to only -be- one crypto map, and you could see it by

    show run | grep crypto map

    If you do happen to have multiple maps and you want to find the
    one that mentions a particular ACL such as Oslo_VPN then you can

    show run | grep match address Oslo\_VPN

    Notice the '\' before the '_' . Alternately, replace each '_' with a '.' :

    show run | grep match address Oslo.VPN


    :==> Second question.

    :Let's say I have 15 remote sites talking ipsec vpn to my pair.

    You cannot have all of those simultaneously active on a PIX 501:
    the limit is 10 IKE peers for that 501.


    :I need to kill the SA from one of those. So,

    :ha-pix#clear crypto sa

    :will kill any Phase 1 being established. But, this is applied to all of
    :those!!! How do I reset a phase 1 for a specific VPN and not for all?

    In configuration mode, clear crypto sa peer 13.13.13.13


    :==> Third and last question

    :pix-ha#debug crypto isakmp

    :I need to debug a specific isakmp association, not all of them! How do I
    :choose a specific VPN and not all of them?

    There is no way to do that in PIX 6.3.
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, Aug 14, 2005
    #2
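As an added example, not part of the thread: an offline Python parser over saved `show run` output that groups the `crypto map` lines by map name and sequence number and returns only the entries whose `match address` names exactly the ACL you ask for, so a lookup for `Oslo_VPN` does not also pick up an ACL such as `Oslo_VPN2` the way a substring grep would. The PIX 6.3 style config below is constructed for the example.

```python
import re

# Constructed sample of PIX 6.3 "show run" output (not from the thread).
SAMPLE_RUN = """\
access-list Oslo_VPN permit ip 10.1.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list Oslo_VPN2 permit ip 10.1.0.0 255.255.0.0 10.51.0.0 255.255.0.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address Oslo_VPN
crypto map outside_map 10 set peer 13.13.13.13
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address Oslo_VPN2
crypto map outside_map 20 set peer 14.14.14.14
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp key ******** address 13.13.13.13 netmask 255.255.255.255
"""

# One line of a crypto map entry: "crypto map <name> <seq> <rest>".
# The "crypto map <name> interface <if>" binding has no numeric seq and is skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(run_text):
    """Group crypto map lines by (map name, sequence number)."""
    entries = {}
    for line in run_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # ACLs, isakmp keys, interface binding: not an entry line
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries.setdefault((name, seq), {"acl": None, "peers": [], "lines": []})
        entry["lines"].append(line)
        words = rest.split()
        if words[:2] == ["match", "address"]:
            entry["acl"] = words[2]          # exact ACL name, not a substring
        elif words[:2] == ["set", "peer"]:
            entry["peers"].extend(words[2:])
    return entries


def find_entries_for_acl(run_text, acl_name):
    """Return only the entries whose 'match address' is exactly acl_name."""
    return {k: e for k, e in parse_crypto_maps(run_text).items() if e["acl"] == acl_name}


if __name__ == "__main__":
    for (name, seq), e in find_entries_for_acl(SAMPLE_RUN, "Oslo_VPN").items():
        print(f"crypto map {name} {seq}: peers={e['peers']}")
        for config_line in e["lines"]:
            print("   ", config_line)
```

Feed it the output of `show run` saved from the PIX instead of `SAMPLE_RUN` to get the matching entry and its peer, which is also the address you would hand to `clear crypto sa peer`.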
