Cisco Support Community
Redundant VPN tunnels, GLBP and NAT

Hi group

I am testing the following configuration

http://www.geocities.com/cristi_piatnitchi/diagram2.jpg

The idea is to achieve VPN path redundancy. My problem is that because I am using two ISPs I have to do NAT (static NAT) for the VPN endpoints (PIX 7.0).

As you can imagine the tests should include 4 scenarios (4 possible combinations for the internet connections). My problem is that I am not sure if this config works. Two questions:

-in the scenario when only the wireless links are UP I have NAT on both sides. Which peers should I include in the config ? (which are active ?)

-now assume that all 4 lines are active. GLBP will associate the firewall with the wireless router (site A). The firewall sends out the IKE1 packets but the remote end is associated with the router corresponding to the wired line (site B). Consequently this firewall (Site B) will reply using the wired line. The combination results in an asymmetric routing. Would this impact the IKE handshaking ?

Please see below the configs for the two firewalls:

hostname Pix1 ver. 7.0
!
interface Ethernet0
nameif outside
security-level 0
ip address 20.10.0.4 255.255.255.240
!
interface Ethernet1
speed 100
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
!
access-list AB extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.10.0.1
!
crypto ipsec transform-set ABset esp-aes-256 esp-sha-hmac
crypto map ABmap 100 match address AB
crypto map ABmap 100 set connection-type originate-only
crypto map ABmap 100 set peer 20.20.0.4 30.20.0.4
crypto map ABmap 100 set transform-set ABset
crypto map ABmap interface outside
isakmp enable outside
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 5
isakmp policy 100 lifetime 120
isakmp nat-traversal 20
tunnel-group 20.20.0.4 type ipsec-l2l
tunnel-group 20.20.0.4 ipsec-attributes
pre-shared-key *
tunnel-group 30.20.0.4 type ipsec-l2l
tunnel-group 30.20.0.4 ipsec-attributes
pre-shared-key *
: end

=============================================================================

hostname Pix2 ver. 7.0
!
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.0.4 255.255.255.240
!
interface Ethernet1
speed 100
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
!
!
access-list AB extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 20.20.0.1
!
crypto ipsec transform-set ABset esp-aes-256 esp-sha-hmac
crypto map ABmap 100 match address AB
crypto map ABmap 100 set connection-type answer-only
crypto map ABmap 100 set peer 20.10.0.4
crypto map ABmap 100 set transform-set ABset
crypto map ABmap 150 match address AB
crypto map ABmap 150 set connection-type answer-only
crypto map ABmap 150 set peer 30.10.0.4
crypto map ABmap 150 set transform-set ABset
crypto map ABmap interface outside
isakmp enable outside
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes
isakmp policy 100 hash sha
isakmp policy 100 group 5
isakmp policy 100 lifetime 120
isakmp nat-traversal 20
tunnel-group 20.10.0.4 type ipsec-l2l
tunnel-group 20.10.0.4 ipsec-attributes
pre-shared-key *
tunnel-group 30.10.0.4 type ipsec-l2l
tunnel-group 30.10.0.4 ipsec-attributes
pre-shared-key *
: end

thank you

Cristian

1 REPLY

Re: Redundant VPN tunnels, GLBP and NAT

Reverse Route Injection (RRI) is a feature designed to simplify network design for Virtual Private Networks (VPNs) in which there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps.

In the dynamic case, as remote peers establish IPSec security associations (SAs) with an RRI-enabled router, a static route is created for each subnet or host protected by that remote peer. For static crypto maps, a static route is created for each destination of an extended access list rule. When RRI is used on a static crypto map with an access control list (ACL), routes will always exist, even without the negotiation of IPsec SAs.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa7d.html
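Added example, not part of the thread and not Cisco's code: a small Python script that parses the crypto-relevant lines of the two posted configs, checks what a reviewer would check before testing the four link scenarios (every `set peer` address has a matching `ipsec-l2l` tunnel-group, every crypto-map entry points at a defined ACL, and the two sides' crypto ACLs mirror each other), and then derives, for the static-map-with-ACL case the reply describes, which remote subnets Reverse Route Injection would announce and through which peers. The embedded config extracts are constructed from the configs above; the parser and the check functions are my own and model only what those lines say, not PIX behaviour beyond that.

```python
# Added example (mine, not from the thread or from Cisco): consistency checks over
# the crypto parts of the two posted PIX 7.0 configs, plus the routes that RRI on a
# static crypto map would install for them.
import re
from typing import Dict, List, Set, Tuple

Net = Tuple[str, str]  # (network, mask)

# Constructed sample input: the crypto-relevant lines from the posted Pix1 / Pix2 configs.
PIX1 = """
access-list AB extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto map ABmap 100 match address AB
crypto map ABmap 100 set connection-type originate-only
crypto map ABmap 100 set peer 20.20.0.4 30.20.0.4
crypto map ABmap interface outside
tunnel-group 20.20.0.4 type ipsec-l2l
tunnel-group 30.20.0.4 type ipsec-l2l
"""

PIX2 = """
access-list AB extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map ABmap 100 match address AB
crypto map ABmap 100 set connection-type answer-only
crypto map ABmap 100 set peer 20.10.0.4
crypto map ABmap 150 match address AB
crypto map ABmap 150 set connection-type answer-only
crypto map ABmap 150 set peer 30.10.0.4
crypto map ABmap interface outside
tunnel-group 20.10.0.4 type ipsec-l2l
tunnel-group 30.10.0.4 type ipsec-l2l
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"crypto map (\S+) (\d+) set peer (.+)$")
TG_RE = re.compile(r"tunnel-group (\S+) type ipsec-l2l$")


def parse(text: str) -> dict:
    """Collect crypto ACL entries, crypto-map entries (keyed by map name and sequence)
    and the set of L2L tunnel-group names from a config extract."""
    cfg: dict = {"acls": {}, "entries": {}, "tunnel_groups": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
        elif m := MATCH_RE.match(line):
            cfg["entries"].setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            cfg["entries"].setdefault((m[1], int(m[2])), {})["peers"] = m[3].split()
        elif m := TG_RE.match(line):
            cfg["tunnel_groups"].add(m[1])
    return cfg


def problems(cfg: dict) -> List[str]:
    """Findings to raise before testing: a peer with no tunnel-group has no pre-shared
    key to authenticate with, and an entry without a defined match ACL protects nothing."""
    out: List[str] = []
    for (name, seq), entry in sorted(cfg["entries"].items()):
        for peer in entry.get("peers", []):
            if peer not in cfg["tunnel_groups"]:
                out.append(f"{name} {seq}: peer {peer} has no tunnel-group")
        acl = entry.get("acl")
        if acl is None:
            out.append(f"{name} {seq}: no match address")
        elif acl not in cfg["acls"]:
            out.append(f"{name} {seq}: ACL {acl} not defined")
    return out


def acls_mirror(cfg_a: dict, acl_a: str, cfg_b: dict, acl_b: str) -> bool:
    """True when side B's crypto ACL is side A's with source and destination swapped,
    which is what a site-to-site SA negotiation needs from the two proxy identities."""
    a = set(cfg_a["acls"].get(acl_a, []))
    b = {(dst, src) for src, dst in cfg_b["acls"].get(acl_b, [])}
    return a == b


def rri_routes(cfg: dict, map_name: str) -> Dict[Net, Set[str]]:
    """Static crypto map with an ACL: RRI installs a route for each destination of the
    ACL whether or not an SA is up, so the result depends only on the config. The value
    is the set of peers whose entries cover that destination (two peers = redundancy)."""
    routes: Dict[Net, Set[str]] = {}
    for (name, _seq), entry in cfg["entries"].items():
        if name != map_name or entry.get("acl") not in cfg["acls"]:
            continue
        for _src, dst in cfg["acls"][entry["acl"]]:
            routes.setdefault(dst, set()).update(entry.get("peers", []))
    return routes


if __name__ == "__main__":
    p1, p2 = parse(PIX1), parse(PIX2)
    print("Pix1 problems:", problems(p1) or "none")
    print("Pix2 problems:", problems(p2) or "none")
    print("ACLs mirror:", acls_mirror(p1, "AB", p2, "AB"))
    print("Pix1 RRI routes:", rri_routes(p1, "ABmap"))
    print("Pix2 RRI routes:", rri_routes(p2, "ABmap"))
```

On the posted configs the checks pass and each side ends up with one injected destination reachable through both of its configured peers; removing one of the tunnel-group lines makes `problems()` name the peer that would then fail IKE authentication, which is the kind of mismatch to rule out before attributing a failed test to NAT or asymmetric routing.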
