diffyhellman
4 posts
I've set up a site-to-site VPN with a Cisco ASA 5505 and 5520. What I would like to know (I can't find a straightforward answer on Google): can I modify the crypto map without breaking the connection if I do it remotely? E.g., if I am at our main site, using a telnet connection to the remote site, can I add entries to the encryption ACL and just reload? It's a long drive and I'd like to do this remotely. My other question is: (if I remember correctly) a deny statement in that same crypto ACL will still forward the packet, just without encrypting it. Any help here would be nice. If not, I'll keep on googling. Thanks, folks!!
dantel
36 posts
Yes, you can add entries to an in-use crypto ACL without problem, and you don't need to reload like you mention... start a continuous ping and add the entries on both sides, and you'll see the traffic start flowing after you get the ACLs in place (assuming the rest of your VPN setup is correct). Also, don't use telnet; everything should be over SSH these days. There is no reason not to use it, but there are good reasons for not using unencrypted management protocols.
diffyhellman
4 posts
Thanks for the reply. It really helped a ton knowing I could do that. I've enabled SSH on the devices and was able to add all of my subnet entries remotely. In addition to everything, I really love object groups, this was my first time using them. |
nola
22 posts
Am I the only one laughing at the irony of a guy with the username DiffyHellman, misspelled no less, using telnet to manage his devices? /nerd-humor
blgrnboy
11 posts
As a general rule, when making changes which may cause a connectivity break, issue a "reload in 10" (or however many minutes you want the router to reload in) and make your changes. If successful, issue the "reload cancel" command. In this scenario, if you were to lock yourself out, the router would reboot to its start-up config shortly, and you could start over. Of course, it all depends on how critical this device is and whether a reload off-hours is something acceptable.
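The safety-net workflow from the post above, written out as an added example (not configuration from any poster in this thread): schedule the reload first, then add the new subnet to the crypto ACL through an object group, verify, and only then cancel the scheduled reload and save. Interface, object-group, ACL and crypto map names, and the 10.20.0.0/16 subnet, are assumptions for illustration.

```cisco
! Added example: safe remote change to an in-use crypto ACL on a Cisco ASA.
! Assumed names: OUTSIDE_MAP, VPN-ACL, LOCAL-NETS, REMOTE-NETS; assumed subnet 10.20.0.0/16.
! Step 1: arm the safety net BEFORE touching anything (running-config is not saved yet,
!         so a reload falls back to the last saved startup-config).
reload in 10

! Step 2: apply the change on this side (repeat the mirror-image on the peer).
configure terminal
object-group network REMOTE-NETS
 network-object 10.20.0.0 255.255.0.0
exit
! Crypto ACL already referenced by the crypto map; adding an ACE does not tear down the tunnel.
access-list VPN-ACL extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
end

! Step 3: verify the map still points at the ACL and that the SA comes up for the new subnet
!         (run a continuous ping from a host in the new subnet while you check).
show running-config crypto map
show crypto ipsec sa

! Step 4: only after the SSH session and tunnel are confirmed healthy, disarm and save.
reload cancel
write memory
```

If step 3 fails and the management session drops, nothing has been saved, so the ASA reboots to its old startup-config when the timer expires and the original tunnel returns on its own.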
diffyhellman
4 posts
Nola, I don't use telnet to manage devices. That was for the example. Also, I've spelled DiffyHellman like that on purpose. But yes, that would be ironically funny. |