Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
219
Views
0
Helpful
2
Replies

A challenging scenario...please help

u.naranjo
Level 1
Level 1

‎02-19-2004 10:59 AM - edited ‎03-02-2019 01:43 PM

Hi,

If anybody out there could help me set up the following scenario that would really be appreciated, here it is:

Main site: PIX>>Internet router>>ISP 1 and ISP 2

Remotes: PIX>>Internet router>>ISP 1 and ISP 2

Configs: IPSEC between PIX'S

The idea is to get GRE tunnels and to get redundancy if one of the ISP lines ever come down; also there is an inside router that we could use to build the tunnels or I was wondering if it makes more sense to build the tunnel interfaces on the outside routers how would it work.

Thanks,

Labels:
0 Helpful
2 Replies 2

vcjones
Level 5
Level 5

‎02-19-2004 11:19 AM

Insufficient information to tell you how to do it, but enough to tell you it can be done (just not which way :-)

Assuming you are running BGP with your ISPs and have global addresses at both ends, the easiest way is to do a single IPsec tunnel from PIX to PIX and let BGP figure out which path to take through the internet. Note, however, that it can take a minute or two for BGP to do its thing for some modes of failure.

If you are not running multihomed with BGP, your best bet is to set up an IPsec tunnel for each ISP (distinguished by the IP addresses at each end) and run a routing protocol across those. This can be done router to router or PIX to PIX, but keep in mind that the PIX does not do fancy routing.

There are two examples of routing over IPsec explained in a white paper on my web site, which you should find interesting reading even if you choose to take a different approach. GRE tunnels work fine, but can reduce your path MTU, which may or may not be a concern for your application.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful

u.naranjo
Level 1
Level 1
In response to vcjones

‎02-19-2004 01:10 PM

Thanks for your reply.

I'm not using BGP at all and I'm getting public ip's from both isp's as well, also I'm only using 1 Firewall which is connected to the router that has the two connections to the internet and I also have an inside router which could be used to build the tunnels.

Hope this clarifies what I want..

Thanks,

0 Helpful
Customers Also Viewed These Support Documents