
VPN as failover to WAN, test

Answered Question
Sep 30th, 2013

Hello

I had an earlier post on this subject. After that resolution was received, the data center added a new wrinkle to my test plan.

The goal of this VPN test is to ping an actual server across the VPN tunnel without the remotest possibility of causing any outage.

I have an L3 3750 switch behind my firewall, and the default gateway is the firewall. I want to create a loopback IP address on this device for VPN tunnel test purposes. I will then source a ping from the loopback to the server IP address at my remote data center. My AVPN links do not pass through the firewall.

Per the data center, they have routing set up so that all 192.168.0.0/16 and 10.0.0.0/8 addresses will be routed out their AVPN WAN link. The data center states I need to create a unique IP address to source the pings from so it will go back out their Checkpoint fw and then the tunnel between us.

I think the loopback address could look as follows: 100.255.255.1/32

If I ping the server IP address from the L3 switch with the loopback address as source, it will go out my AVPN WAN link because that is how routing is set up.

The question is: how can I mask the destination server IP address so that the ping does not take the AVPN path but takes the fw and then the tunnel?

My thought is a 1-to-1 NAT in the firewall for the destination DC server.

    static (inside,outside) (natted server ip) (current server IP) netmask 255.255.255.255

I then add this "natted server ip" to the REMOTE NETWORK in the VPN policy.

The natted IP address would also have to be an IP outside the 192.168.0.0 / 10.0.0.0 scopes.

Could this natted server IP be 100.255.254.1?

I could then ping the natted server IP address from the loopback source.

One question I have is: would the remote data center have to reverse the NAT on their end to allow the ping to reach the correct destination?

Please provide expert guidance for this very important issue.

Steve Coady Mon, 09/30/2013 - 12:15

Can anyone provide expert guidance for this very important issue?

Steve Coady Tue, 10/01/2013 - 14:08

All


POLL:


Is this question too difficult or so easy and I am missing something?



Can someone with VPN expertise at least post some response so I can work toward a solution, please!

Correct Answer
Jouni Forss Tue, 10/01/2013 - 14:32

Hi,

You talk about a firewall and L3 switch setup. You also talk about AVPN, which I am not sure what it means. Are you just referring to a separate VPN device? A simple network diagram might clear up the setup for many people reading this post.

If I have understood the setup correctly, then you have some dedicated connection between your site and the data center site, and what you want to add is a route between these networks through an L2L VPN connection also.

Though if that is the case, I am still not sure how this L2L VPN would be used between the sites.

If you would truly want to achieve redundancy between the 2 sites, it would be better if you could run a dynamic routing protocol over each connection; that would tell the L3 device on each end through which link/connection they should reach the other site.

In this setup it would seem to me that you would have to mask the IP addresses of both networks to be able to use the VPN at the same time while the actual dedicated connection is in use.

- Jouni

Steve Coady Wed, 10/02/2013 - 07:11

My topology

ALL remote sites come back to Corporate to access the internet. This is how the VPN would work: once the default gateway is lost after BGP disappears, they will default to my firewall. At this point the production subnets at the data center will be seen in the VPN policy and traffic will cross the tunnel until BGP is restored.

I agree with this statement; I just want to make sure the logic is correct.

"In this setup it would seem to me that you would have to mask the IP addresses of both networks to be able to use the VPN at the same time while the actual dedicated connection is in use."

Steve Coady Wed, 10/02/2013 - 12:47

Please review and advise on this implementation plan.

I have an L3 3750 switch behind my firewall, and the default gateway is the firewall. I want to create a loopback IP address on this device for VPN tunnel test purposes. I will then source a ping from the loopback to the server IP address at my remote data center. My AVPN links do not pass through the firewall.

Per the data center, they have routing set up so that all 192.168.0.0/16 and 10.0.0.0/8 addresses will be routed out their AVPN WAN link. The data center states I need to create a unique IP address to source the pings from so it will go back out their Checkpoint fw and then the tunnel between us.

I think the loopback address could look as follows: 100.255.255.1/32

If I ping the server IP address from the L3 switch with the loopback address as source, it will go out my AVPN WAN link because that is how routing is set up.

The question is: how can I mask the destination server IP address so that the ping does not take the AVPN path but takes the fw and then the tunnel?

My thought is a 1-to-1 NAT in the firewall for the destination DC server.

    static (inside,outside) (natted server ip) (current server IP) netmask 255.255.255.255

I then add this "natted server ip" to the REMOTE NETWORK in the VPN policy.

The natted IP address would also have to be an IP outside the 192.168.0.0 / 10.0.0.0 scopes.

Could this natted server IP be 100.255.254.1?

I could then ping the natted server IP address from the loopback source.

One question I have is: would the remote data center have to reverse the NAT on their end to allow the ping to reach the correct destination?

Please provide expert guidance for this very important issue.
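The path-selection logic behind this plan, as an added illustration in Python that is not part of the original thread: it models the L3 switch's routing table (192.168.0.0/16 and 10.0.0.0/8 over AVPN, default route to the firewall), the remote networks listed in the VPN policy, and a reverse translation at the data-center firewall, then traces a ping from the 100.255.255.1 loopback to the real server address and to the proposed 100.255.254.1 mapped address. The server's real address 10.20.30.40, the hop labels and the data-center routing table are assumptions made for the model, not values from the thread.

```python
import ipaddress

# --- Constructed sample topology -------------------------------------------
# Only the two prefixes and the two 100.255.x.x addresses come from the thread;
# the server's real address and the hop labels are assumptions for the model.
REAL_SERVER = "10.20.30.40"        # assumed real address of the DC server (10/8)
MAPPED_SERVER = "100.255.254.1"    # proposed mapped ("natted") server address
LOOPBACK_SRC = "100.255.255.1"     # proposed test loopback on the L3 switch

# L3 switch: AVPN prefixes plus a default route to the firewall.
SWITCH_ROUTES = [
    ("192.168.0.0/16", "avpn"),
    ("10.0.0.0/8", "avpn"),
    ("0.0.0.0/0", "firewall"),
]
# Data-center side as the thread describes it (assumed table): same prefixes
# over AVPN, anything else leaves through the Checkpoint firewall and tunnel.
DC_ROUTES = [
    ("192.168.0.0/16", "avpn"),
    ("10.0.0.0/8", "avpn"),
    ("0.0.0.0/0", "checkpoint"),
]
# Remote networks in the local VPN policy (the mapped address, as proposed).
VPN_REMOTE_NETWORKS = ["100.255.254.1/32"]
# Reverse translation at the DC firewall: mapped address -> real server.
DC_REVERSE_NAT = {MAPPED_SERVER: REAL_SERVER}


def longest_prefix_match(routes, dst):
    """Return the next-hop label of the most specific prefix containing dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def in_vpn_policy(dst):
    """True if dst falls inside a remote network of the local VPN policy."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n) for n in VPN_REMOTE_NETWORKS)


def trace_ping(dst, src=LOOPBACK_SRC, dc_reverse_nat=None):
    """Follow an echo request from the switch loopback and its reply.

    Returns the list of hops; it ends with 'delivered:<real>' plus the reply's
    first hop at the DC, or with 'dropped:<reason>'. In this model the mapped
    destination travels through the tunnel unchanged (it is what the VPN
    policy lists), so the DC side must translate it back (assumption)."""
    if dc_reverse_nat is None:
        dc_reverse_nat = DC_REVERSE_NAT
    path = [f"src={src}", longest_prefix_match(SWITCH_ROUTES, dst)]
    if path[-1] == "avpn":
        # Dedicated link: the firewall and the tunnel are never involved.
        path.append(f"delivered:{dst}")
    else:
        if not in_vpn_policy(dst):
            return path + ["dropped:not-in-vpn-policy"]
        path.append("tunnel")
        real = dc_reverse_nat.get(dst)
        if real is None:
            return path + [f"dropped:no-reverse-nat-for-{dst}"]
        path.append(f"delivered:{real}")
    # The reply is routed at the DC by the SOURCE address of the request:
    # a 192.168/16 or 10/8 source would send it back over AVPN, bypassing
    # the tunnel, which is why the DC asked for a unique source address.
    path.append(f"reply:{longest_prefix_match(DC_ROUTES, src)}")
    return path


def mapped_address_is_usable(mapped):
    """The mapped address must not fall inside any prefix routed over AVPN."""
    return longest_prefix_match(SWITCH_ROUTES, mapped) == "firewall"


if __name__ == "__main__":
    for label, args in [
        ("ping real server IP   ", (REAL_SERVER,)),
        ("ping mapped server IP ", (MAPPED_SERVER,)),
        ("mapped, no reverse NAT", (MAPPED_SERVER, LOOPBACK_SRC, {})),
        ("mapped, 10/8 source   ", (MAPPED_SERVER, "10.5.5.5")),
    ]:
        print(label, " -> ".join(trace_ping(*args)))
    print("10.255.255.1 usable as mapped address?", mapped_address_is_usable("10.255.255.1"))
```

Running it shows the three constraints the thread circles around: the ping to the real 10/8 address never reaches the firewall, the ping to the mapped address only reaches the server if the data-center side translates it back, and a 192.168/16 or 10/8 source would have its reply routed back over AVPN even though the request went through the tunnel. The `mapped_address_is_usable` check catches a mapped address chosen inside one of the AVPN prefixes, which would silently reintroduce the problem.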
