A challenging scenario...please help

Unanswered Question
Feb 19th, 2004

Hi,


If anybody out there could help me set up the following scenario that would really be appreciated, here it is:


Main site: PIX>>Internet router>>ISP 1 and ISP 2

Remotes: PIX>>Internet router>>ISP 1 and ISP 2

Configs: IPSEC between PIX'S


The idea is to get GRE tunnels and to get redundancy if one of the ISP lines ever comes down; also, there is an inside router that we could use to build the tunnels, or I was wondering if it makes more sense to build the tunnel interfaces on the outside routers. How would it work?


Thanks,



vcjones Thu, 02/19/2004 - 11:19
User Badges:
  • Silver, 250 points or more

Insufficient information to tell you how to do it, but enough to tell you it can be done (just not which way :-)


Assuming you are running BGP with your ISPs and have global addresses at both ends, the easiest way is to do a single IPsec tunnel from PIX to PIX and let BGP figure out which path to take through the internet. Note, however, that it can take a minute or two for BGP to do its thing for some modes of failure.


If you are not running multihomed with BGP, your best bet is to set up an IPsec tunnel for each ISP (distinguished by the IP addresses at each end) and run a routing protocol across those. This can be done router to router or PIX to PIX, but keep in mind that the PIX does not do fancy routing.


There are two examples of routing over IPsec explained in a white paper on my web site, which you should find interesting reading even if you choose to take a different approach. GRE tunnels work fine, but can reduce your path MTU, which may or may not be a concern for your application.


Good luck and have fun!


Vincent C Jones

www.networkingunlimited.com
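To put a number on the path-MTU caveat in the reply above, here is an added example; it is not code from the thread, from Vincent's white paper, or from Cisco. It computes how large an inner packet can be before GRE-over-IPsec (or IPsec alone) pushes it past a 1500-byte link MTU, and the TCP MSS that keeps segments inside that budget. The header sizes are the standard GRE and ESP ones; the cipher/integrity table, the 1500-byte link MTU and the `Budget` helper are assumptions of this example.

```python
# Added example (not from the thread): estimates how much of a 1500-byte link
# MTU survives once traffic is wrapped in GRE and then in IPsec ESP, which is
# the path-MTU reduction the reply above warns about.
from dataclasses import dataclass

IPV4_HEADER = 20   # outer IPv4 header added by GRE and by ESP tunnel mode
GRE_HEADER = 4     # base GRE header (RFC 2784), no key or sequence options
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # ESP trailer: pad length (1) + next header (1)
TCP_HEADER = 20

# Constructed lookup (assumption): IV length and cipher block size per
# transform, and the truncated HMAC-96 ICV length per integrity algorithm.
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes": (16, 16)}
ICV = {"md5": 12, "sha1": 12}


@dataclass(frozen=True)
class Budget:
    inner_mtu: int   # largest IP packet the tunnel carries unfragmented
    tcp_mss: int     # MSS to advertise so TCP segments fit that MTU
    overhead: int    # bytes of GRE + ESP + outer headers at that size


def esp_overhead(plaintext_len, cipher="3des", integrity="sha1", tunnel_mode=True):
    """Bytes ESP adds around a plaintext of the given length."""
    iv_len, block = CIPHERS[cipher]
    # Payload plus trailer is padded up to the cipher block size, so the
    # overhead depends on the length being encrypted.
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    overhead = ESP_SPI_SEQ + iv_len + pad + ESP_TRAILER + ICV[integrity]
    if tunnel_mode:
        overhead += IPV4_HEADER   # new outer IP header in tunnel mode
    return overhead


def gre_overhead():
    """Plain GRE over IPv4: delivery header plus base GRE header."""
    return IPV4_HEADER + GRE_HEADER   # 24 bytes


def encapsulated_size(inner_len, use_gre=True, **ipsec):
    """On-the-wire size of an inner packet after GRE (optional) and ESP."""
    plaintext = inner_len + (gre_overhead() if use_gre else 0)
    return plaintext + esp_overhead(plaintext, **ipsec)


def tunnel_budget(link_mtu=1500, use_gre=True, **ipsec):
    """Largest inner MTU whose encapsulated size still fits the link MTU.

    Walks downward because ESP padding varies with packet length, so the
    overhead is not a constant that can simply be subtracted once.
    """
    for inner in range(link_mtu, IPV4_HEADER + TCP_HEADER, -1):
        wire = encapsulated_size(inner, use_gre, **ipsec)
        if wire <= link_mtu:
            return Budget(inner, inner - IPV4_HEADER - TCP_HEADER, wire - inner)
    raise ValueError("link MTU too small for this encapsulation")


if __name__ == "__main__":
    cases = [("GRE over 3DES/SHA1", dict(use_gre=True)),
             ("GRE over AES/SHA1", dict(use_gre=True, cipher="aes")),
             ("IPsec only, 3DES/SHA1", dict(use_gre=False))]
    for label, kw in cases:
        b = tunnel_budget(**kw)
        print(f"{label:24s} inner MTU {b.inner_mtu}  MSS {b.tcp_mss}  "
              f"overhead {b.overhead}")
```

Running it shows that the GRE header costs 24 bytes on top of ESP's own overhead (1422 bytes of inner MTU with GRE over 3DES/SHA1 versus 1446 without GRE), and that ESP padding makes the usable size jump in block-sized steps rather than shrink smoothly. The commonly documented IOS practice of setting `ip mtu 1400` and `ip tcp adjust-mss 1360` on the tunnel interface sits comfortably below both figures, which is why it is used as a safe default rather than the exact calculated value.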

u.naranjo Thu, 02/19/2004 - 13:10

Thanks for your reply.

I'm not using BGP at all, and I'm getting public IPs from both ISPs as well; also, I'm only using one firewall, which is connected to the router that has the two connections to the internet, and I also have an inside router which could be used to build the tunnels.


Hope this clarifies what I want.



Thanks,


