Currently I have two PIX firewalls providing a site-to-site VPN tunnel. I want to switch to a PIX to VPN Concentrator connection. I recently tried to change a remote PIX to communicate with the VPN Concentrator by simply changing the peer IP address while configuring the VPN Concentrator to match the previous PIX firewall site-to-site setup. When I did so, the PIX never established communication with the VPN Concentrator. However, the prior configuration on the other "PIX" that I am moving away from was still active. Do I have to remove both ends of the VPN link (or at least clear the xlates maybe) before I can get a connection to the VPN Concentrator?
If the PIX has a tunnel built, then just changing the peer IP address won't force it to build a new tunnel. You need to clear your tunnels with the following commands:
clear crypto isakmp sa
clear crypto ipsec sa
The next packet that is due to go over the tunnel will then force the PIX to build a new one to the new peer.
Make sure, though, that when you add a new peer you remove the old one as well, because you can have more than one peer in a crypto map, so add the new one, then remove the old one. Sometimes the PIX doesn't read the new config either, so it might be a good idea to reboot it if you're still seeing strange things.
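The peer swap described in the answer above, written out as one PIX CLI session. This is an added example, not part of the original posts. The crypto map name `vpnmap`, sequence number `10` and both peer addresses are constructed placeholders, and it assumes the IKE policy and pre-shared key for the new peer are already configured.

```cisco
! Constructed values: map name "vpnmap", sequence 10,
! old peer 192.0.2.1 (other PIX), new peer 198.51.100.1 (VPN Concentrator).

! 1. Confirm which peers the crypto map entry currently lists.
show crypto map

configure terminal

! 2. Add the new peer first, then remove the old one, so the entry
!    never ends up with two peers or with none.
crypto map vpnmap 10 set peer 198.51.100.1
no crypto map vpnmap 10 set peer 192.0.2.1

! 3. Tear down the existing IKE and IPsec security associations.
!    An established tunnel keeps using the old peer until they are cleared.
clear crypto isakmp sa
clear crypto ipsec sa

exit

! 4. Send traffic that matches the tunnel's access list, then verify
!    that the new SAs were negotiated with 198.51.100.1 only.
show crypto map
show crypto isakmp sa
show crypto ipsec sa
```

If `show crypto isakmp sa` still lists the old peer after interesting traffic has been sent, the old `set peer` line is still present in the map entry.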