We have a remote site that is changing their subnet. They have an access list doing a NONAT across the VPN tunnel.
Will anything break if we just leave all the crypto maps and the access lists the same, simply change the IP addresses that are defined from 192.168.x.x to 10.x.x.x, reapply the config on the remote PIX (which will break the VPN tunnel), then apply a new config on the PIX we have here? Will the config work OK after both ends have their subnets changed and we just send interesting traffic across to bring the tunnel back up? I am pretty sure that it is set up with pre-shared keys. What problems will we run into? How can we debug if we have a problem? We have no one on site that can help. Can we do a "reload in 30" on PIX 6.3 like you can on a router? That way if it fails the device will reboot later if we don't do a write.
Changing the access-lists on both sides would result in re-establishing the tunnel. Therefore, if you login remotely and do the configuration you would lose connectivity.
I suggest configuring a parallel environment. That is, don't remove anything from the crypto or NONAT ACLs. Just add new lines to match the new IP addressing. Once you add them, clear the tunnel and let it establish again. After you are sure that everything is working, remove the old subnet from the ACL.
Scheduled reload on PIX is not supported in version 6.x. It is supported in version 7.0.
PIX can have only one crypto map with different instance numbers. So if you modify an instance it would break the VPN tunnel for this instance for a few seconds. However, what I suggested is just adding the new IP address ACL lines to the crypto ACL and NONAT. After you perform some testing and make sure things are working on the new subnet, remove the old lines.
The only other question related to this, is doing this on a router to router VPN, apparently the new subnet has not been added to the interface of the router. Is there a problem adding a second IP address to the VLAN interface on the router? The existing IP address is in the current tunnel, can I add a second IP address to the existing VLAN interface, then add the new IP addresses to the NONAT and the access list without breaking the existing VPN? Thanks for your help, so far very helpful.
Adding the second subnet to the router won't break the VPN Tunnel. Even if you modify the NONAT ACL this won't break the tunnel. The tunnel will break once you modify the crypto ACL because it will match the new subnet and will re-establish another tunnel matching the new encryption domain.
Therefore, first modify the ACLs on the remote device; when you modify the crypto ACL on the remote device your VPN session will break. Once it breaks, go to your local router and do the modification, and the tunnel should initiate correctly.
Hope this helps and let me know if you have other questions,
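As an added illustration of the parallel-ACL migration described in the answers above (not configuration from the original thread), here is the sequence on a PIX 6.3 end of the tunnel. All names and addresses are placeholders: the NONAT ACL is assumed to be named `nonat`, the crypto ACL `vpn_traffic`, the crypto map `outside_map`, the old local/remote subnets 192.168.1.0/24 and 192.168.2.0/24, and the new ones 10.1.1.0/24 and 10.2.2.0/24.

```text
! Stage 1: add the new subnet lines alongside the existing ones; remove nothing yet.
!
! NONAT exemption (old pair stays, new pair is added). Editing this ACL does not
! drop the tunnel by itself.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Crypto ACL (encryption domain). Adding a line here changes the proxy identities,
! so the existing SA is torn down and re-negotiated with the new domain.
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 10 match address vpn_traffic
!
! Stage 2: once BOTH peers carry the matching lines, clear the SAs and send
! interesting traffic from the new subnet to bring the tunnel back up.
clear crypto isakmp sa
clear crypto ipsec sa
!
! Verify phase 1 and phase 2 came up for the new proxy identities; if not,
! these debugs show which proposal or identity mismatches.
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
!
! Stage 3: only after the new subnet is confirmed working end to end,
! remove the old lines from both ACLs (on both peers).
no access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
no access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
```

The crypto ACL entries must mirror each other exactly on the two peers (source and destination swapped), otherwise phase 2 fails with a proxy identity mismatch.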