I’m planning on spinning up our DR solution tomorrow and need to disable the site-to-site VPN on an ASA 5525 firewall. I’ve been doing a little reading and I’ve read that you can stop the VPN working by disabling the NAT rule associated with the interesting traffic. I’m just wondering if there is a correct ‘Cisco by the book’ way of disabling it? Reason for asking is I’m relatively new to Cisco ASAs.
Go into the connection profile under the “Site to Site VPN tab” and uncheck IKEv1 and IKEv2 for that specific connection. Save/apply. Then go to monitoring tab and VPN, then click “logout” on that site to site VPN.
Re-check the boxes whenever you’d like to turn it back on.
You can disable a site-to-site VPN on the page where the VPNs are listed. I’m used to a 5545, so ASDM could be different, I suppose.
Easiest way, in my opinion, is to just remove the crypto map in question from the interface. Less invasive and you don’t need to worry about messing up phase 1 / 2 attributes if you need to turn it back up.
Just a quick thank you to everyone contributing to this post. I actually removed the NAT rules and unticked 1/2 from the crypto map for the individual connection; both worked like a dream.
This.
Or you can disable IPsec on an interface.
I was trying to think of how to disable a tunnel this week and didn’t think of this. Great idea!
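For anyone who wants the CLI behind the ASDM clicks in this thread, here is the equivalent of each approach on the ASA itself: the per-connection IKEv1/IKEv2 untick, the "remove the crypto map from the interface" route, the session logoff, and the checks that prove the tunnel is actually down. This is an added example, not a config any poster here shared; the map name OUTSIDE_MAP, sequence number 10, peer 203.0.113.10, transform set ESP-AES256-SHA and IKEv2 proposal AES256-PROP are placeholders, and the claim that unticking IKEv1/IKEv2 in ASDM corresponds to removing the transform-set/proposal lines from the crypto map entry is my understanding, so compare against your own running config first.

```cisco
! Added example, not from this thread. Placeholders: OUTSIDE_MAP, seq 10,
! peer/tunnel-group 203.0.113.10, ESP-AES256-SHA, AES256-PROP.

! 0. Record the exact lines you are about to remove, so re-enabling is a paste.
show running-config crypto map | include OUTSIDE_MAP 10
show running-config tunnel-group 203.0.113.10

! 1. Per-tunnel: mirrors unticking IKEv1 / IKEv2 on that one connection profile
!    (assumption: ASDM removes these lines from the crypto map entry).
!    Only remove the line(s) for the IKE version that tunnel actually uses.
configure terminal
 no crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
 no crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-PROP
end

! 2. Whole-interface alternative: unbinding the map drops EVERY peer on that
!    crypto map, not just this one. Use it only when that is the intent.
configure terminal
 no crypto map OUTSIDE_MAP interface outside
end

! 3. Neither change tears down an SA that is already established; clear the
!    live sessions so the tunnel goes down now rather than at rekey time.
clear crypto ikev1 sa 203.0.113.10
clear crypto ipsec sa peer 203.0.113.10
! The "Logout" button under Monitoring > VPN is this command:
vpn-sessiondb logoff tunnel-group 203.0.113.10 noconfirm

! 4. Verify: no IKE SA, no IPsec SA and no L2L session should remain for the peer.
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb l2l
show logging | include 203.0.113.10

! 5. Re-enable by restoring whichever lines you removed, then save.
configure terminal
 crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
 crypto map OUTSIDE_MAP interface outside
end
write memory
```

Two practical points from the commands above: the NAT-exemption route the original poster asked about also works, but like the crypto-map edits it leaves any existing SA up until it is cleared, so step 3 applies to it as well; and the remote peer will keep sending IKE proposals while the tunnel is disabled, so expect matching entries in `show logging` rather than treating them as an attack.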