Pix/Router failover

exigent
Level 1

Is this scenario possible?:

Customer has point to point from A to B using 1720s at both sites. Connection is HDLC. Both sites have independent Internet connections.

Customer has a pix firewall at A connected to an ISP and 2600 series router. Pix firewall connects to B using site to site VPN as a method of fault tolerance.

Customer would like to put a 1751 with 3 Ethernet interfaces - one for internal (that would become the default gateway for A's LAN), one to the pix, and one to the point to point router. Ultimate goal is if the point to point goes down traffic is routed over site to site VPN.

5 Replies

vmoopeung
Level 5

It's possible to do so, but it is going to add one more hop in between. The best solution is to use a 4-port 10/100 Fast Ethernet PCI expansion card in the PIX itself. The 515E PIX firewall has two expansion slots.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

Thanks. For now we have decided to stay where we are with the single 1720 and the pix.

vcjones
Level 5

If the LAN has enough bandwidth to spare, you can do the job with what is already in place!

Just set the 1720 as the default route for all local users, and let the 1720 send Internet traffic back over the LAN to the PIX (one armed routing) and over the point-to-point link for destinations on the remote LAN. Don't forget to turn off ICMP redirects on the 1720 Ethernet interface. A routing protocol can detect the loss of the point-to-point link and a floating static route can be used to forward traffic to the VPN on the PIX. (Configure the VPN on the PIX to only VPN traffic to the remote LAN).

Primary "gotcha" is if the VPN MTU is less than 1500 bytes. This may require hardcoding the MTU on users systems to a value small enough to survive the VPN.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

Vincent,

Thank you for the input. Do you feel that turning off ICMP redirects (do you know the exact command?) will improve the resilience?

The specific command is "no ip icmp redirect." Look up what ICMP redirects do in your favorite TCP/IP text book and you'll see that it is not a question of improving resilience, but rather a question of having functional resilience.

WARNING: If you don't fully understand how your redundant solution works, the chances of it working the way you want it to are pretty slim. Consider hiring a competent consultant to help you avoid unnecessary downtime as you learn from experience :-) There is a lot more to improving availability than just adding a second link... If you want to lose sleep mulling over the many ways your network can fail, curl up with a copy of my book. And recognize that after 600-some-odd pages, you've only scratched the surface!

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
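The one-armed 1720 design from the earlier reply (default gateway on the LAN, Internet traffic hairpinned back to the PIX, a routing protocol on the point-to-point link, and a floating static route that falls back to the PIX VPN) can be expressed as a single IOS configuration. The example below is an added illustration, not a configuration posted by anyone in this thread. Every address is a constructed placeholder from the RFC 5737 documentation ranges, the interface names (FastEthernet0, Serial0) are assumed for a 1720 with a serial WIC, OSPF is one arbitrary choice of routing protocol (the site B 1720 is assumed to run OSPF on the same link and advertise its LAN), and the PIX is assumed to already have its inside interface at 192.0.2.2 with a site-to-site VPN whose crypto ACL matches only the site B LAN. The interface-level IOS command that stops the router sending redirects is `no ip redirects`.

```cisco
! Added example (not from the thread): site A 1720 as a one-armed router
! with a floating static fallback to the PIX site-to-site VPN.
! Constructed addressing (RFC 5737 placeholders):
!   Site A LAN ............ 192.0.2.0/24    1720 = .1, PIX inside = .2
!   Site B LAN ............ 198.51.100.0/24 (advertised by the site B 1720)
!   HDLC point-to-point ... 203.0.113.0/30  site A = .1, site B = .2
hostname siteA-1720
!
interface FastEthernet0
 description Site A LAN: default gateway for hosts; PIX inside is on this segment
 ip address 192.0.2.1 255.255.255.0
 ! One-armed routing: Internet traffic arrives and leaves on this same
 ! interface.  Left enabled, ICMP redirects would tell each host to send
 ! site B traffic straight to the PIX, and the failover logic on this
 ! router would never be consulted again.
 no ip redirects
 ! Optional router-side answer to the VPN MTU "gotcha": clamp TCP MSS so
 ! sessions survive a tunnel smaller than 1500 bytes (assumes the IOS
 ! image supports this command; 1360 is an illustrative value).
 ip tcp adjust-mss 1360
!
interface Serial0
 description HDLC point-to-point to site B
 ip address 203.0.113.1 255.255.255.252
 encapsulation hdlc
!
! Routing protocol only on the point-to-point link.  When the link (or the
! far-end router) goes away, the OSPF-learned route to 198.51.100.0/24 is
! withdrawn from the routing table.
router ospf 1
 network 203.0.113.0 0.0.0.3 area 0
!
! Floating static: administrative distance 250 is worse than OSPF (110),
! so this entry is installed only while no OSPF route to the remote LAN
! exists.  Next hop is the PIX inside address; the PIX tunnels that
! destination to site B over the VPN.
ip route 198.51.100.0 255.255.255.0 192.0.2.2 250
!
! Everything else (the Internet) hairpins back out the LAN to the PIX.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Checks while testing failover:
!   show ip route 198.51.100.0     - "O" via Serial0 normally, "S" via
!                                    192.0.2.2 once the link is down
!   show ip ospf neighbor          - adjacency to the site B router
!   debug ip icmp                  - confirm no redirects are sent to hosts
```

The order of preference is entirely a matter of administrative distance: as long as OSPF supplies a route to the remote LAN, the static entry with distance 250 stays out of the table, and it appears only after the routing protocol has withdrawn the primary path. If a static route over the serial link were used instead of a routing protocol, it would only be removed when the interface itself went down, which is why the earlier reply pairs the floating static with a routing protocol rather than a second static.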
