Cisco Support Community

PIX VPN Redundancy

From my HQ PIX I have built a VPN LAN2LAN tunnel to a branch PIX. However, I need to add more redundancy at the branch and will be installing a second internet connection at that site. The problem is that the ISPs there do not support BGP, which implies that I will need to manually rebuild a tunnel should the primary ISP link fail. These are the possible solutions we have come up with:

1. Terminate both the VPN tunnels on the branch Internet router (the one with the 2 ISP links). This poses security risks though - if the router is compromised, this leaves my HQ LAN exposed.

2. Terminate the VPN tunnels on another router that then connects to the DMZ of the firewall. This router will require 2 LAN interfaces for terminating each tunnel through each ISP and one LAN interface to the DMZ. ACLs can be set up to allow just my HQ as the source IPs as a security measure.

3. Install another fully configured PIX (for the 2nd ISP). Build the tunnel from HQ to each PIX but only turn the 2nd PIX (at the branch) ON when the primary ISP link fails. The primary PIX must also be turned off at this time as they will need to share the same inside IP address. I know, this is a manual process but it beats any intervention from HQ!

Are there any other cost effective but secure solutions to this?
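The ACL restriction described in option 2 would look roughly like the following IOS-style fragment. This is an added illustration, not configuration from the original poster or from Cisco; all addresses are RFC 5737 documentation placeholders, and the interface names, ACL names and crypto map names are assumed. Each ISP-facing interface accepts only IKE (UDP/500) and ESP from the HQ PIX's public address and logs everything else, so a compromise of the branch internet router cannot be used to initiate sessions to the tunnel router from anywhere but HQ.

```text
! Constructed example: placeholder addressing
!   HQ PIX outside address ........ 203.0.113.10
!   Branch tunnel router, ISP A .... 198.51.100.2
!   Branch tunnel router, ISP B .... 192.0.2.2
!
ip access-list extended VPN-FROM-HQ-ISP-A
 remark Only the HQ PIX may negotiate IKE or send ESP to this interface
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 deny   ip any any log
!
ip access-list extended VPN-FROM-HQ-ISP-B
 remark Same policy for the second ISP path
 permit udp host 203.0.113.10 host 192.0.2.2 eq isakmp
 permit esp host 203.0.113.10 host 192.0.2.2
 deny   ip any any log
!
interface FastEthernet0/0
 description To ISP A
 ip address 198.51.100.2 255.255.255.252
 ip access-group VPN-FROM-HQ-ISP-A in
 crypto map HQ-TUNNEL-A
!
interface FastEthernet0/1
 description To ISP B
 ip address 192.0.2.2 255.255.255.252
 ip access-group VPN-FROM-HQ-ISP-B in
 crypto map HQ-TUNNEL-B
!
interface FastEthernet1/0
 description To firewall DMZ (placeholder addressing)
 ip address 172.16.1.2 255.255.255.0
```

Whether the decrypted, post-IPsec traffic is checked against the same inbound ACL depends on the IOS release, so the HQ-LAN-to-branch flows should be tested after applying the deny; the `log` keyword on the final deny gives the branch a record of any unexpected peers attempting to reach the tunnel interfaces. The third interface carries only cleartext to the firewall DMZ, where the PIX continues to enforce the HQ-to-branch policy.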


Re: PIX VPN Redundancy

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you, or there is no public information available at this time. If you don't get a suitable response to your post, you may wish to review our resources online at You may also contact our product information line at 1-800-553-NETS or a Cisco Systems Engineer at your local Cisco office or reseller. To locate your local Cisco representative, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.