Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
238
Views
0
Helpful
3
Replies

Mutilple VPN on PIX 501

richmorrow624
Level 1
Level 1

‎07-28-2006 06:58 AM - edited ‎02-21-2020 02:33 PM

Can I add an additional VPN to an existing 501 connection at a remote site?

I have a location connected to the main site with a VPN tunnel from a PIX 501 the main site PIX 515e.

I want to change the destination of the 501 to a VPN concentrator at the main site, but I don't want any down time.

I have the tunnel set up on the concentrator, I was wondering if I could set up a second active tunnel in the PIX501 at the remote site and just change the routes at the main site when I am ready to route through the concentrator.

Can I do this?

Labels:
0 Helpful
3 Replies 3

mmorris11
Level 4
Level 4

‎07-28-2006 09:54 AM

You could add the concentrator as another peer in your crypto map and then kill the link to the 515e. This will be a stateless failover and there would be a disruption to active traffic streams but I think that would be the best you could do in that situation. Of course, once you have made the switch I would remove the peer statement in the crypto map that points to the 515.

HTH

-pls rate post.. tks

0 Helpful

richmorrow624
Level 1
Level 1
In response to mmorris11

‎07-28-2006 12:58 PM

What about setting the second tunnel with a higher priority?

I could have everything set up before hand couldnt I?

0 Helpful

anand1871
Level 1
Level 1

‎07-29-2006 06:26 AM

My suggestion would be.

Create a seperate independent tunnel to Concentrator.

For testing this tuneel, do the following:-

1) Take a test machine which is not defined on the "Intersting traffic" access-list of the first tunnel (PIX-PIX tunnel)

2) while defining "interesting traffic" access-list for this tunnel (PIX-Concentrator) make it something like this

access-list 101 permit ip host "TEST MACHINE" "Remote Site IP) "Remote Site MASK"

3) Finish off the other statements. then test the tunnel for the test machine.

4) If the new tunnel is working just modify the access-list for PIX-concentrator to add all the machines and networks. And then Remove all these IPs from the first tunnel.

Thus you would get a tunnel tested to work And the switch will be hardly noticable. And the best part is you will still have the old tunnel as backup (u just have to reintrodice the old ACL to back to old config)

Hope that helps

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents