Cisco Support Community
Failing Over PIX VPN to Different Data Centres

Hi,

I have inherited 90 sites with PIX 501s running 6.4(4), which connect to a central data centre site using a pre-shared key and IP.

We are looking to implement another site and provide a failover VPN service.

In the event of a disaster we would want the 501 to start using the new site's VPN concentrator.

I have had a look at the config guide and it does not look like we could use DNS for the peering.

Is there some way I could get the 501 to use the second VPN service if the main data centre is taken out?

Regards

John

ACCEPTED SOLUTION

Green

Re: Failing Over PIX VPN to Different Data Centres

This will work. It will use the second peer if the first is unavailable. I think this is mentioned in the config guide somewhere but I'll have to look for it. Please rate if it helps.

crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set peer 2.2.2.2
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255

2 REPLIES

Re: Failing Over PIX VPN to Different Data Centres

Thanks, it's amazing that I can't see what is staring at me. Found it in the config guide now.

crypto map set peer

Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

Thanks

John
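With 90 remote PIX 501s to retrofit, the mistake that is easy to make is adding the second `set peer` line but forgetting the matching `isakmp key ... netmask 255.255.255.255` entry for the backup peer, so the failover peer is listed but can never authenticate. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the PIX 6.x `crypto map ... set peer` and `isakmp key` lines shown in the accepted answer, reports the peers in the order IKE will try them, and flags entries with a single peer, peers without a host-specific key, and a wildcard `0.0.0.0` key. The configuration it runs against is a constructed sample (the `newmap 20` entry and the wildcard key are invented to show the checks firing); run it against each site's saved config before cutover.

```python
import re
from collections import OrderedDict

# Constructed sample PIX 6.x configuration (not taken from the thread).
# "newmap 10" is set up the way the accepted answer shows: two peers, each
# with a host-specific pre-shared key. "newmap 20" has a backup peer but no
# isakmp key for it, and there is a wildcard key (0.0.0.0/0.0.0.0) that
# would let any peer address authenticate with the same secret.
SAMPLE_CONFIG = """\
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set peer 2.2.2.2
crypto map newmap 10 set transform-set strong
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 3.3.3.3
crypto map newmap 20 set peer 4.4.4.4
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+) netmask (\S+)$")
HOST_MASK = "255.255.255.255"


def parse_peers(config):
    """Map (crypto map name, sequence) -> peers in the order they were set.

    The order matters: per the config guide text quoted above, IKE tries the
    next peer on the list when negotiation with the first one fails.
    """
    peers = OrderedDict()
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            peers.setdefault(key, []).append(m.group(3))
    return peers


def parse_isakmp_keys(config):
    """Map peer address -> netmask for every 'isakmp key' line."""
    keys = {}
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys[m.group(2)] = m.group(3)
    return keys


def check_failover(config):
    """Return a list of findings; an empty list means every crypto map entry
    has a backup peer and every peer has its own host-specific key."""
    findings = []
    keys = parse_isakmp_keys(config)
    for (name, seq), peer_list in parse_peers(config).items():
        entry = f"crypto map {name} {seq}"
        if len(peer_list) < 2:
            findings.append(f"{entry}: single peer {peer_list[0]}, no failover")
        for peer in peer_list:
            if peer not in keys:
                findings.append(f"{entry}: no isakmp key for peer {peer}")
            elif keys[peer] != HOST_MASK:
                findings.append(
                    f"{entry}: key for {peer} uses netmask {keys[peer]}, expected {HOST_MASK}"
                )
    # A 0.0.0.0/0.0.0.0 key is shared with any address that tries to negotiate;
    # per-peer /32 keys, as in the accepted answer, keep the secrets separate.
    if keys.get("0.0.0.0") == "0.0.0.0":
        findings.append(
            "isakmp key address 0.0.0.0 netmask 0.0.0.0: wildcard key, any peer can use it"
        )
    return findings


if __name__ == "__main__":
    for (name, seq), peer_list in parse_peers(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: peers tried in order {peer_list}")
    for finding in check_failover(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

On the sample above the checker reports the missing key for 4.4.4.4 and the wildcard key, and says nothing about `newmap 10`, which is configured the way the accepted answer shows. Once a site has been cut over you can confirm which peer it actually built its tunnel with using `show isakmp sa` on the 501.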
