I have two questions to ask. The first is: if I use PIX with the redundancy feature, do the two PIXes have the same IP on all of the interfaces? The second is: if I use two PIXes without the redundancy feature (the two PIXes have their own IPs) in the central site for VPN redundancy, can I just use two "set peer" commands to point to the two central-site PIXes under the "crypto map" command on the remote-site PIX? Thank you!
When you have two PIXes in a failover configuration, the active PIX will always have the same IP address. This address is different from the IP address of the standby unit.
To make it more clear:
Say you have the following situation:
Primary PIX - IP address A - MAC address B - mode=active
Second PIX - IP address C - MAC address D - mode=standby
Assume something goes wrong with the primary device; then, after the failover has occurred, you will have this situation:
Primary PIX - IP address C - MAC address D - mode=standby
Second PIX - IP address A - MAC address B - mode=active
About the VPN redundancy:
I copied some text from a Cisco web page, and it mentions that you can use the 'set peer' command to create some kind of redundancy. Here it is:
Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.
For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.
For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.
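To show what the quoted documentation describes in a complete configuration, here is an added example; it is not part of the original thread and not Cisco's own example. It is the remote-site PIX (PIX 6.3 syntax) whose single static crypto map entry lists both central-site firewalls as peers, which is the second design in the question: two independent central PIXes, each with its own outside address, no failover pair. The addresses, names, access-list contents and pre-shared keys are assumptions.

```text
! Remote-site PIX, PIX 6.3 syntax. Added example, not from the thread.
! Assumed addressing (hypothetical):
!   remote inside LAN   192.168.10.0/24
!   central inside LAN  10.10.0.0/16
!   central PIX A       203.0.113.1     central PIX B   203.0.113.2
!   (two stand-alone PIXes, no failover pair, each with its own address)

! Interesting traffic: what is encrypted and what is exempted from NAT
access-list VPN_TRAFFIC permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list VPN_TRAFFIC

! Phase 1 (ISAKMP). One pre-shared key per central peer; each central PIX
! must hold the matching key for this firewall's outside address.
isakmp enable outside
isakmp key S3cretKeyA address 203.0.113.1 netmask 255.255.255.255
isakmp key S3cretKeyB address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec)
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac

! One static crypto map entry with two peers. As the quoted documentation
! says, IKE tries the first peer and moves to the next one on the list only
! if that negotiation fails.
crypto map CENTRAL 10 ipsec-isakmp
crypto map CENTRAL 10 match address VPN_TRAFFIC
crypto map CENTRAL 10 set peer 203.0.113.1
crypto map CENTRAL 10 set peer 203.0.113.2
crypto map CENTRAL 10 set transform-set STRONG
crypto map CENTRAL interface outside

! Let decrypted IPsec traffic bypass the outside-interface access list
sysopt connection permit-ipsec
```

Each central PIX needs its own mirror-image configuration: the reversed access list, an isakmp key for the remote PIX's outside address, and a crypto map whose set peer is that single remote address. Two caveats follow from the quoted text. First, the fallback happens only when the negotiation with the first peer fails, so with the remote tunnel up to central PIX A, a failure of A is noticed when the next negotiation or traffic attempt to it fails, not instantly. Second, because the PIX keeps sending to the last peer it heard from for a given flow, traffic does not move back from B to A when A recovers until the SAs to B expire or fail; check which peer is in use with show isakmp sa and show crypto ipsec sa. If the central site instead ran a failover pair, as in the first part of the answer, only one set peer would be needed, since the active unit always answers on the shared address.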