Can I add an additional VPN to an existing 501 connection at a remote site?
I have a location connected to the main site with a VPN tunnel from a PIX 501 to the main site PIX 515e.
I want to change the destination of the 501 to a VPN concentrator at the main site, but I don't want any downtime.
I have the tunnel set up on the concentrator. I was wondering if I could set up a second active tunnel in the PIX 501 at the remote site and just change the routes at the main site when I am ready to route through the concentrator.
You could add the concentrator as another peer in your crypto map and then kill the link to the 515e. This will be a stateless failover and there would be a disruption to active traffic streams but I think that would be the best you could do in that situation. Of course, once you have made the switch I would remove the peer statement in the crypto map that points to the 515.
Create a separate independent tunnel to the concentrator.
For testing this tunnel, do the following:
1) Take a test machine which is not defined in the "interesting traffic" access-list of the first tunnel (PIX-PIX tunnel).
2) While defining the "interesting traffic" access-list for this tunnel (PIX-Concentrator), make it something like this:
access-list 101 permit ip host "TEST MACHINE" "Remote Site IP" "Remote Site MASK"
3) Finish off the other statements, then test the tunnel for the test machine.
4) If the new tunnel is working, just modify the access-list for PIX-Concentrator to add all the machines and networks, and then remove all these IPs from the first tunnel.
Thus you would get a tunnel tested to work, and the switch will be hardly noticeable. And the best part is you will still have the old tunnel as backup (you just have to reintroduce the old ACL to go back to the old config).
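The test-host approach from the reply above, written out as a PIX 6.x configuration sketch. This is an added example, not configuration from the thread: the crypto map name `outside_map`, the sequence numbers, the ACL name `nonat`, the transform-set name, and all addresses (documentation and private ranges) are assumptions, and the pre-shared key is a placeholder.

```text
: Constructed example for the remote-site PIX 501. Lines starting with ":" are comments.
: Assumed: the existing PIX-to-515e tunnel is crypto map entry 10 and its
: interesting-traffic ACL does NOT include the test host 192.168.10.50.

: Interesting traffic for the new tunnel: test host only, to the main-site network
access-list 101 permit ip host 192.168.10.50 10.1.0.0 255.255.0.0

: Exempt the same traffic from NAT (assumes NAT exemption is done with "nat 0")
access-list nonat permit ip host 192.168.10.50 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat

: Phase 2 proposal; it must match what the concentrator is configured to accept
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

: Second entry in the SAME crypto map, pointing at the concentrator (203.0.113.20)
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA

: Pre-shared key scoped to the concentrator's address only
isakmp key <PRE-SHARED-KEY> address 203.0.113.20 netmask 255.255.255.255

: Verify from the PIX after sending traffic from the test host
show crypto isakmp sa
show crypto ipsec sa
```

Crypto map entries are evaluated in sequence order, so the test host must stay out of entry 10's access-list or its traffic will keep using the old tunnel. The main site also needs a route for the test host pointing at the concentrator, otherwise return traffic goes back through the 515e.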