I have a couple of remote sites I am connecting to over the Internet.
Now I am trying to add an S2S tunnel between the two sides.
My problem is that I have the original tunnel back to my main office as the tunnel with priority 1 and the second tunnel I created has priority 2. The problem is that both ranges are in the same basic network range.
Home office 10.0.0.0/8 (includes all kinds of other locations)
Remote 1 10.1.0.0/16
Remote 2 10.2.0.0/16
The first tunnel to/from Remote 1:
local 10.0.0.0/8 --> 10.1.0.0/16 (and vice versa)
The first tunnel to/from Remote 2:
local 10.0.0.0/8 --> 10.2.0.0/16 (and vice versa)
Tunnel between Remote 1 and 2: local 10.1.0.0/16 and 10.2.0.0/16.
Now, because the original tunnel has higher priority and includes the networks of the second-priority tunnel, the second tunnel never comes up and traffic from Remote 1 to Remote 2 flows via the main office.
Is there a way to change the priority in retrospect?
Sure, you can change priority by changing the sequence numbers: the lower the number, the higher the priority. However, in your case changing the priority would just put the problem on its head, i.e. all traffic would go towards the second tunnel instead. Thus, you'd need to narrow the "from" part of the statement down as well, at least for the ones that are given highest priority.
Yes, or add the new one first and delete the old one after that, either way. And yes, the tunnels will go down, and then up again when interesting traffic comes along.
But the way I understood your initial post, you'd also need to edit the ACLs in order to achieve what you want; changing priorities is only half the job if the ACLs for both tunnels currently catch the same source scope.
Also, on a side note - if you're going to do wr mem, you'll probably want to have a backup of the startup-config, by doing a "copy start tftp" before you start editing. That way, if things get out of hand, you can easily get the old config up and running without passing a load of commands.
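As an added illustration (not code from this thread or from Cisco), the following models how crypto map entries are evaluated: lowest sequence number first, first matching "interesting traffic" ACL wins. It uses the prefixes from the question to show which entries are shadowed in the original order, after swapping sequence numbers, and when both ACLs catch the same scope; the entry lists themselves are constructed.

```python
from ipaddress import ip_network, ip_address

# Each crypto map entry is modelled as (sequence, source net, destination net),
# i.e. the interesting-traffic ACL of one entry on a spoke router. Entries are
# evaluated in ascending sequence order and the first match wins. Prefixes are
# the ones from the thread; the entry lists are a constructed illustration.

def shadowed_entries(crypto_map):
    """Return {seq: shadowing_seq} for every entry whose whole ACL scope is
    already covered by an earlier (lower-sequence) entry, so it can never match.
    Only full shadowing is reported; partial overlaps are left to the reader."""
    ordered = sorted(crypto_map, key=lambda e: e[0])
    result = {}
    for i, (seq, src, dst) in enumerate(ordered):
        s, d = ip_network(src), ip_network(dst)
        for prev_seq, psrc, pdst in ordered[:i]:
            if s.subnet_of(ip_network(psrc)) and d.subnet_of(ip_network(pdst)):
                result[seq] = prev_seq
                break
    return result

def first_match(crypto_map, src_ip, dst_ip):
    """Sequence number of the entry that would catch a given packet, or None."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for seq, src, dst in sorted(crypto_map, key=lambda e: e[0]):
        if s in ip_network(src) and d in ip_network(dst):
            return seq
    return None

# Remote 1 as described in the question: hub entry first, direct entry second.
ORIGINAL = [
    (1, "10.1.0.0/16", "10.0.0.0/8"),   # to main office; 10.0/8 also covers 10.2/16
    (2, "10.1.0.0/16", "10.2.0.0/16"),  # direct to Remote 2, never reached
]
# Same entries with the narrower spoke-to-spoke entry given the higher priority.
REORDERED = [
    (1, "10.1.0.0/16", "10.2.0.0/16"),
    (2, "10.1.0.0/16", "10.0.0.0/8"),
]
# Both ACLs written with the same broad scope: whichever comes second is dead,
# so swapping sequence numbers only moves the problem to the other tunnel.
SAME_SCOPE = [
    (1, "10.1.0.0/16", "10.0.0.0/8"),
    (2, "10.1.0.0/16", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for name, cm in (("original", ORIGINAL), ("reordered", REORDERED), ("same scope", SAME_SCOPE)):
        print(name, "shadowed:", shadowed_entries(cm),
              "| 10.1.5.5 -> 10.2.7.7 hits seq", first_match(cm, "10.1.5.5", "10.2.7.7"))
```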