Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
0
Helpful
3
Replies

C3620, PIX-515, IPSec, and EIGRP

PJWHITBY
Level 1
Level 1

‎08-18-2003 07:09 AM - edited ‎03-02-2019 09:40 AM

I have this scenario to fix :

c3620 (Spoke) <=> Frame Relay Circuit <=> c3640 (Hub)

c3620 (Spoke) <=> C2924 Switch <=> PIX-515 <=> ADSL Circuit <=> Internet

c3640 (Hub) <=> C5505 <=> PIX-515 <=> LEASED LINE <=> Internet

I hope thats clear !

Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left/spoke) passes to Site B (right/hub) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.

Now what I want to do is create a VPN Tunnel between pix515-a (spoke) and pix515-b (hub) that will act as the primary conduit for data, yes I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.

I can create the VPN tunnel and get traffic to pass, thats not my problem, my problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.

Any suggestions?, my gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.

pjwhitby

cne/ccda/ccnp/mcse

Labels:
0 Helpful
3 Replies 3

thisisshanky
Level 11
Level 11

‎08-18-2003 08:26 AM

See if you can enable RRI on the pix. RRI stands for reverse route injection. THis feature is available on the VPN conc, but am not sure if its there on the pix.

Enable RRI (reverse route injection) on the pix, when you create the tunnel. This will create a static route for every remote network that the tunnel takes traffic to, and this route is automatically distributed into a dynamic routing protocol such as RIP. Now this route will be received by the 3640 and you can add a backup route via the frame ( a static route) with a higher administrative distance than the current routing protocol in use. This static route will kick in only when the RRI route gets removed (which happens when your internet connection goes down).

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

PJWHITBY
Level 1
Level 1
In response to thisisshanky

‎08-20-2003 06:53 AM

Thanks for the answer. Unfortunately RRI is not supported on the PIX, only on routers and VPN Concentrators.

Thanks anyway,

Paul

0 Helpful

thisisshanky
Level 11
Level 11
In response to PJWHITBY

‎08-20-2003 07:35 AM

Paul,

Yeah, you cannot enable RRI yet on the PIX. Hopefully some time soon they bring this feature to the PIX.

Run a routing protocol through the tunnel. Make sure you unicast the packets to the neighbor. (neighbor command). You should open up the required protocol/port numbers for the routing protocol on the pix.

configure a static route on the routers to use the frame as backup route (floating static - configure a higher admin distance).

I havent tried this yet, but you could definitely give it a try.

Protocols such as EIGRP would expect the neighbor to be on same subnet, so you might have to end up running RIP on the tunnel and use neighbor command uner RIP, to unicast the updates.

Or else you could create a Tunnel interface on eithe routers and run a routing protocol such as EIGRP on the tunnel interface. You should also permit the tunnel traffic to go through the VPN.

Hope this helps.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful
Customers Also Viewed These Support Documents