Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
275
Views
0
Helpful
1
Replies

Rearranging of Firewall on a LAN for Automatic traffic switching.

bericaleb
Level 1
Level 1

‎01-21-2008 07:57 PM - edited ‎03-11-2019 04:51 AM

I have a problem of trying to get automatic switching of traffic onto a VPN tunnel if the Primary LL/Sat link fails.

The current scenario is like this:

The firewall is connected to a layer 2 LAN switch, the WAN router that host the Leased Line/Sat link is also connected to the same LAN switch as the Firewall.

In cases where the LL/Sat fails, the traffic is manually forced to use the VPN tunnel by unplugging the cable that connects the Telecom DTU to the router serial interface. The traffic is not switching automatically to the VPN tunnel.

I need to make this happen automatically, and to avoid the mannual way of forcing the traffic to the VPN tunnel.

I have attached a drawing of how I want to reconnect the devices. Please confirm if this type of design is recommended or not. I also would like some help on how to configure automatic switching of the traffic if one fails.

Labels:
22120-internet connectivity.vsd
0 Helpful
1 Reply 1

jbayuka
Level 5
Level 5

‎01-25-2008 10:51 AM

A problem with static routes is that no inherent mechanism exists to determine if the route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable. Static routes are removed from the routing table only if the associated interface on the security appliance goes down. In order to solve this problem, a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route.

This document provides an example of how to use the static route tracking feature on the PIX 500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance in order to enable the device to use redundant or backup Internet connections. In this example, static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.

In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.

Refer to ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example for more information

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card