I have some IOS routers that have two interfaces connected to two different ISPs. One interface is a T1 and has a static IP. The other is ADSL, dynamic IP. The idea is that these routers use the T1 interface to connect to HQ via a static/permanent IOS-to-PIX tunnel. The other interface is used as a backup and will be brought up only if the T1 fails. In order to do this I set up the PIX as below.
My problem is that the IOS router comes in on a different IP but the ACL that defines the subnet is still the same whether it connects via the static or dynamic link. After many hours of troubleshooting I found that because there is a matching subnet ACL in a static crypto map sequence the dynamic tunnel will not work. I see the PIX trying to send packets on the static sequence even though the peer and transform do not match.
This seems like some bug. Is there a way around it? I am running 6.2.2 on the PIX.
crypto dynamic-map dynmap 1 set transform-set vpnset-backup
The interesting traffic as defined by the access-list will remain the same regardless of which link is being used. The ACLs will specify the IPs behind the devices. These IPs will get NATed to a global address depending on the global pool associated with the interface in use. The key here is to ensure that NAT is configured properly.
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...