
2611 VPN to VPN 7200 series

macosx
Level 1

A simple question that I hope does not have too complicated an answer.

Setting:

Branch offices that use various ISPs VPN into the HQ VPN 7200; inside the tunnel is private IP address space 192.168.X.X.

There is a branch office that uses a 2611 VPN tunnel to our HQ VPN 7200. The branch moved to a different location that will be on a totally different ISP with a new IP address.

My question is what part of the configuration I should change in order to make this VPN tunnel into our 7200. The configuration was made before my time and there is no documentation to refer back to. I will make only the smallest change, with the least impact on our network.

Any pointer or simple configuration would be greatly appreciated.

Kevin Chen

3 Replies

gfullage
Cisco Employee

Usually making changes to crypto maps means taking the crypto map off the interface first, otherwise you can lock yourself out of the router and stop all traffic going through it. With the change you want to make, you *should* be able to do it without affecting all your other tunnels, but I would recommend two things:

- Make these changes after hours during a scheduled outage time just in case

- Make these changes from the inside network of the 7200, not from the outside where the crypto map is applied.

Let's say the 2600's current IP address is 1.1.1.1, and its new address with the new ISP will be 2.2.2.2. On the 7200 you'll have config commands similar to these:

> crypto isakmp key address 1.1.1.1 mask 255.255.255.255

> crypto map 10 ipsec-isakmp

>    set peer 1.1.1.1

>    match address

>    set transform-set

You need to do the following in this exact order:

> crypto isakmp key address 2.2.2.2 mask 255.255.255.255

> crypto map 10 ipsec-isakmp

>    set peer 2.2.2.2

>    no set peer 1.1.1.1

After that you should be good to go. Just make sure that the is the same in the new command as in the old.

Also, the number 10 in the "crypto map" commands I've shown may or may not be 10, just use whatever number is being used for the current old IP address of 1.1.1.1 when you enter in the new commands.

What if the LAN interface private IP address space needs to change from 192.168.40.0 to the 45.0 space? Are there any considerations I need to be concerned with, such as access lists, etc.?

Is there any sample configuration on the Cisco web site that I can use as a reference?

Thanks again

Then you have to change the access-list on both ends that references the 192.168.40.0 network. This will quite possibly affect your network connectivity, so best to do this from the inside network of both routers during a short outage period.
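
A post-change check for the two edits discussed in this thread, as an added example that is not part of the original posts: it parses a saved copy of the 7200 configuration and reports leftovers that still reference the old peer address or the old LAN subnet. The sample config, the map name, ACL number 110 and the key string are constructed placeholders, and only numbered `access-list` lines are handled.

```python
import re

# Constructed sample of a hub config part-way through the change; all names are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp key PLACEHOLDER-KEY address 1.1.1.1
crypto isakmp key PLACEHOLDER-KEY address 2.2.2.2
!
crypto map EXAMPLE-MAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set EXAMPLE-TS
 match address 110
!
access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
"""

def audit(config, old_peer, new_peer, old_lan=None):
    key_peers, peers, acl_of, acl_lines = set(), {}, {}, {}
    entry = None  # crypto map entry whose indented sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            key_peers.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            acl_lines.setdefault(m.group(1), []).append(line)
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = (m.group(1), int(m.group(2)))
            peers[entry] = []
        elif entry and raw.startswith(" "):
            if m := re.match(r"set peer (\S+)", line):
                peers[entry].append(m.group(1))
            elif m := re.match(r"match address (\S+)", line):
                acl_of[entry] = m.group(1)
        else:
            entry = None  # left the crypto map entry
    findings = []
    if old_peer in key_peers:
        findings.append(("stale-key", f"pre-shared key still defined for {old_peer}"))
    if new_peer not in key_peers:
        findings.append(("missing-key", f"no pre-shared key for {new_peer}"))
    for (name, seq), plist in peers.items():
        if old_peer in plist:
            findings.append(("stale-peer", f"{name} {seq} still has set peer {old_peer}"))
    new_entries = [e for e, plist in peers.items() if new_peer in plist]
    if not new_entries:
        findings.append(("missing-peer", f"no crypto map entry has set peer {new_peer}"))
    for e in new_entries:  # ACLs used by the moved tunnel that still name the old LAN
        hits = [a for a in acl_lines.get(acl_of.get(e), []) if old_lan in a.split()]
        findings += [("stale-acl", f"ACL {acl_of[e]}: {a}") for a in hits]
    return findings
```

The steps in the reply above leave the old `crypto isakmp key` line in place, so `stale-key` is the finding to expect right after the change; an empty list means nothing in the parsed lines still points at the old address or subnet.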