Cisco Support Community


Multiple VPN on PIX 501

Can I add an additional VPN to an existing 501 connection at a remote site?

I have a location connected to the main site with a VPN tunnel from a PIX 501 to the main site PIX 515e.

I want to change the destination of the 501 to a VPN concentrator at the main site, but I don't want any downtime.

I have the tunnel set up on the concentrator. I was wondering if I could set up a second active tunnel in the PIX 501 at the remote site and just change the routes at the main site when I am ready to route through the concentrator.

Can I do this?


Re: Multiple VPN on PIX 501

You could add the concentrator as another peer in your crypto map and then kill the link to the 515e. This will be a stateless failover and there would be a disruption to active traffic streams but I think that would be the best you could do in that situation. Of course, once you have made the switch I would remove the peer statement in the crypto map that points to the 515.


-pls rate post.. tks


Re: Multiple VPN on PIX 501

What about setting the second tunnel with a higher priority?

I could have everything set up beforehand, couldn't I?


Re: Multiple VPN on PIX 501

My suggestion would be:

Create a separate, independent tunnel to the concentrator.

For testing this tunnel, do the following:

1) Take a test machine which is not defined in the "interesting traffic" access-list of the first tunnel (PIX-PIX tunnel).

2) While defining the "interesting traffic" access-list for this tunnel (PIX-concentrator), make it something like this:

access-list 101 permit ip host "TEST MACHINE" "Remote Site IP" "Remote Site MASK"

3) Finish off the other statements, then test the tunnel for the test machine.

4) If the new tunnel is working, just modify the access-list for PIX-concentrator to add all the machines and networks, and then remove all these IPs from the first tunnel.

Thus you would get a tunnel tested to work, and the switch will be hardly noticeable. And the best part is you will still have the old tunnel as backup (you just have to reintroduce the old ACL to get back to the old config).

Hope that helps
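The staged cut-over described in the reply above, written out as a PIX 6.x configuration. This is an added example, not config from the thread or from Cisco; every address is an assumption (remote LAN 192.168.10.0/24, test host 192.168.10.50, main-site LAN 10.0.0.0/16, PIX 515e peer 203.0.113.1, concentrator peer 203.0.113.2), as are the names outside_map, vpn-515e, vpn-conc, nonat and strong. It also answers the "higher priority" question in the thread: crypto map entries are evaluated in ascending sequence-number order and the first entry whose match-address ACL permits the packet wins, so the narrower concentrator entry must get the lower sequence number if its test host is also covered by the existing PIX-to-PIX ACL.

```cisco
! Added example, not from the thread. Lines beginning with "!" are annotations
! for the reader; PIX 6.x does not accept them, so type only the commands.

! --- Phase 1: existing PIX-to-PIX tunnel, left exactly as it is ---
access-list vpn-515e permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

! --- Phase 1: new PIX-to-concentrator tunnel, test host only ---
access-list vpn-conc permit ip host 192.168.10.50 10.0.0.0 255.255.0.0

! Traffic for both tunnels must be exempt from NAT (same LAN pair, one entry suffices)
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! ISAKMP: one policy shared by both peers, one pre-shared key per peer
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <key-for-515e> address 203.0.113.1 netmask 255.255.255.255
isakmp key <key-for-concentrator> address 203.0.113.2 netmask 255.255.255.255

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Entries are tried in ascending sequence order; first matching ACL wins.
! The test host is also covered by vpn-515e, so the concentrator entry gets
! the LOWER sequence number. This is the "higher priority" from the thread.
crypto map outside_map 5 ipsec-isakmp
crypto map outside_map 5 match address vpn-conc
crypto map outside_map 5 set peer 203.0.113.2
crypto map outside_map 5 set transform-set strong

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-515e
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set strong

crypto map outside_map interface outside
sysopt connection permit-ipsec

! Verify: generate traffic from 192.168.10.50, then confirm an ISAKMP SA with
! 203.0.113.2 and an IPsec SA whose "local ident" is the single test host.
show isakmp sa
show crypto ipsec sa

! --- Phase 2: cut over once the test host works ---
! Widen vpn-conc to the whole LAN. Because entry 5 now matches everything
! first, entry 10 becomes dormant but stays configured as the rollback path.
no access-list vpn-conc permit ip host 192.168.10.50 10.0.0.0 255.255.0.0
access-list vpn-conc permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
! Tear down the old SA so stale state does not linger until lifetime expiry.
clear crypto ipsec sa peer 203.0.113.1

! --- Rollback, if needed: remove the concentrator entry; entry 10 takes over ---
no crypto map outside_map 5

! --- Cleanup, once the concentrator is stable ---
no crypto map outside_map 10
no access-list vpn-515e permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
no isakmp key <key-for-515e> address 203.0.113.1 netmask 255.255.255.255
```

Two checks before each phase: the concentrator's network list (and the 515e's crypto ACL) must mirror the remote side's ACL at that moment, a single host in phase 1 and the full /24 in phase 2, or Phase 2 negotiation fails on a proxy-identity mismatch; and the switch is still stateless, so active flows that were inside the old SA re-establish rather than migrate. The 3DES/SHA-1/group 2 choices reflect what a PIX 501 of that era supports and are not acceptable for a new deployment today.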
