Monday, July 23, 2018

Second (third?) site-to-site on single interface

First off, I'm a generalist sysadmin and can deal with networking fairly well, but I also know I'm relatively uneducated in that specific area and accept that I don't fully understand a lot of things.

Which leads to:

I have a 5508-X at the main office and datacenter (replication site). The two are connected via site-to-site (I have the details on hand if they're necessary). It's been humming along for over a year. Now I need to connect another site-to-site for our new (Cisco hosted) phone system, that being from the main office to this new endpoint.

I redid the existing VPN so that it conformed to the parameters the phone company sent (prio 10, aes-256-sha, changed the pre-shared key, etc.). Owning both, I could easily change that to be in line.

What I'm failing to understand is the dynamics involved in the crypto map.

At the end of the day, I need to have the 'home office' set as the central point, with one VPN going to the datacenter and another connecting to their endpoint. Both of mine use 172 internally; theirs is a 10. I need the data connection to talk to the machines inside my primary 172 subnet. The phones will be on a different subnet under 172, to account for the extra DHCP leases I'll need. Their endpoint is the same, although they have a secondary available.

I've got all the components I need to deal with, but I keep failing to properly apply things such that I can ping what I'm told is a live IP on their network (and I swear, if they screwed up the ICMP rules and I was right all along...).

But I know I'm doing something wrong, since when I run 'show crypto ipsec sa' only the preexisting connection's info appears. I know you can't have two separate connections on one interface, just to skip by that idea. But I was made to understand I can have multiple rule sets under a single crypto map that would allow for this.

I have to be doing something wrong. Maybe I need to use another interface and connect the two? Maybe I understand crypto maps even less than I thought?

If more info is needed, I will provide. But even a useful link would be great at this point.

I have a CCIE friend who will gladly take a consulting fee, but really want to figure this out.
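As an added illustration (not part of the original post, and not the poster's actual config), here is how a single ASA crypto map bound to the outside interface carries two separate site-to-site tunnels as two sequence entries, each with its own crypto ACL, peer list and tunnel-group. Every name, subnet and peer address below is an assumption (RFC 5737 documentation ranges stand in for the real peers); the IKEv1 policy uses the priority-10 AES-256/SHA parameters the post mentions, while the DH group and lifetimes are placeholders to be matched against the phone vendor's sheet.

```cisco
! --- IKEv1 phase 1: parameters the phone vendor supplied (priority 10, AES-256/SHA).
! DH group and lifetime are placeholders; match them to the vendor's sheet.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! --- IPsec phase 2 transform set, shared by both tunnels.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Address objects (all subnets hypothetical).
object network LAN-DATA
 subnet 172.16.10.0 255.255.255.0
object network LAN-PHONES
 subnet 172.16.20.0 255.255.255.0
object network DC-LAN
 subnet 172.16.50.0 255.255.255.0
object network VENDOR-PHONE-NET
 subnet 10.200.0.0 255.255.0.0

! --- Crypto ACLs ("interesting traffic"): one per tunnel, and they must not overlap.
access-list VPN-TO-DC extended permit ip object LAN-DATA object DC-LAN
access-list VPN-TO-VENDOR extended permit ip object LAN-PHONES object VENDOR-PHONE-NET

! --- NAT exemption for each subnet pair. Without it the traffic is translated
! on the way out, never matches the crypto ACL, and no SA is ever negotiated.
nat (inside,outside) source static LAN-DATA LAN-DATA destination static DC-LAN DC-LAN no-proxy-arp route-lookup
nat (inside,outside) source static LAN-PHONES LAN-PHONES destination static VENDOR-PHONE-NET VENDOR-PHONE-NET no-proxy-arp route-lookup

! --- One crypto map, two sequence entries, bound once to the outside interface.
! Entries are evaluated in sequence order; the first ACL match wins.
crypto map OUTSIDE-MAP 10 match address VPN-TO-DC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-VENDOR
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20 198.51.100.21
crypto map OUTSIDE-MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! --- One tunnel-group per peer address, each with its own pre-shared key.
! The vendor's secondary peer needs its own tunnel-group as well.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <dc-psk>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <vendor-psk>
tunnel-group 198.51.100.21 type ipsec-l2l
tunnel-group 198.51.100.21 ipsec-attributes
 ikev1 pre-shared-key <vendor-psk>

! --- Verification. A tunnel is only negotiated when traffic matches its crypto
! ACL, so generate some from the phone subnet and then look at that peer's SAs.
! packet-tracer input inside icmp 172.16.20.50 8 0 10.200.0.5 detailed
! show crypto ikev1 sa
! show crypto ipsec sa peer 198.51.100.20
```

Two points worth checking against a config like this. First, `show crypto ipsec sa` only lists tunnels that have actually been negotiated, and the ASA only negotiates when a packet from the inside matches the entry's crypto ACL after NAT; the `packet-tracer` line shows whether a phone-subnet packet reaches the VPN encrypt phase or is dropped or translated earlier. Second, keep the pre-shared keys per tunnel-group distinct: the datacenter peer and the phone vendor should not share a key, and the sequence numbers (10, 20) are what let both peers live under the one map that the interface accepts.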


