From my HQ PIX I have built a VPN LAN2LAN tunnel to a branch PIX. However, I need to add more redundancy at the branch and will be installing a second internet connection at that site. The problem is that the ISPs there do not support BGP, which implies that I will need to manually rebuild a tunnel should the primary ISP link fail. These are the possible solutions we have come up with:
1. Terminate both the VPN tunnels on the branch Internet router (the one with the 2 ISP links). This poses security risks though - if the router is compromised, this leaves my HQ LAN exposed.
2. Terminate the VPN tunnels on another router that is then connected to the DMZ of the firewall. This router will require 2 LAN interfaces for terminating each tunnel through each ISP and one LAN interface to the DMZ. ACLs can be set up to allow just my HQ as the source IPs as a security measure.
3. Install another fully configured PIX (for the 2nd ISP). Build the tunnel from HQ to each PIX but only turn the 2nd PIX (at the branch) ON when the primary ISP link fails. The primary PIX must also be turned off at this time as they will need to share the same inside IP address. I know, this is a manual process but it beats any intervention from HQ!
Are there any other cost effective but secure solutions to this?
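As an added illustration of the ACL measure in option 2 (example configuration, not from the original post or from Cisco), the following IOS fragment restricts each ISP-facing interface of the dedicated VPN-termination router to IKE and ESP from the HQ peer only. All addresses are placeholders: 203.0.113.10 stands for the HQ PIX outside address, 198.51.100.5 and 192.0.2.5 for this router's two ISP-facing addresses; interface names are assumed.

```cisco
! Added example: inbound filters on the two ISP-facing interfaces of the
! tunnel-termination router (option 2). Only the HQ peer may talk to each
! interface, and only with IKE (UDP 500), NAT-T (UDP 4500) and ESP.
ip access-list extended VPN-FROM-HQ-ISP1
 remark Placeholder addresses: 203.0.113.10 = HQ PIX, 198.51.100.5 = ISP1 side
 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.5 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.5
 deny   ip any any log
!
ip access-list extended VPN-FROM-HQ-ISP2
 remark Placeholder addresses: 203.0.113.10 = HQ PIX, 192.0.2.5 = ISP2 side
 permit udp host 203.0.113.10 host 192.0.2.5 eq isakmp
 permit udp host 203.0.113.10 host 192.0.2.5 eq non500-isakmp
 permit esp host 203.0.113.10 host 192.0.2.5
 deny   ip any any log
!
interface FastEthernet0/0
 description To ISP 1 (assumed interface name)
 ip address 198.51.100.5 255.255.255.252
 ip access-group VPN-FROM-HQ-ISP1 in
!
interface FastEthernet0/1
 description To ISP 2 (assumed interface name)
 ip address 192.0.2.5 255.255.255.252
 ip access-group VPN-FROM-HQ-ISP2 in
```

The crypto map and ISAKMP policy that actually build the tunnels are not shown. The point of the filter is that nothing but the HQ peer's IPsec control and data traffic can reach the router from either ISP, and the `deny ... log` line gives a record of anything else that tries; the firewall's DMZ policy still decides which decrypted traffic is allowed onward to the branch LAN.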
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you, or there is no public information available at this time. If you don't get a suitable response to your post, you may wish to review our resources online at http://www.cisco.com/go/solutions. You may also contact our product information line at 1-800-553-NETS or a Cisco Systems Engineer at your local Cisco office or reseller. To locate your local Cisco representative, visit http://www.cisco.com/warp/public/687/Directory.shtml
If anyone else in the forum has some advice, please reply to this thread.