Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
rasoftware
rasoftware
Community Member
‎03-08-2006 04:38 AM
‎03-08-2006 04:38 AM

Redundany WAN with PIX

I have PIX behind a router which was two public interfaces. PIX uses router as next hop and has a private address on the outside. The router has two wan interface, configured for redudancy.

Web browsing etc works great.

Problem is IPSEC behind the router isnt great. I have NAT-T enable and static NAT for 4500 etc.

Problem is PIX can be configured for multiple peers (ie backup WAN) but its very unreliable. I have added keep alives etc but its not really robust enough to deploy to customers.

Does anyone know a better way to provide WAN redundancy with a PIX?

0 Helpful
Reply
2 REPLIES
aacole
aacole Silver
Silver
‎03-09-2006 12:17 PM
‎03-09-2006 12:17 PM

Re: Redundany WAN with PIX

You say your router is configured for redundancy with 2 WAN links, are these equal cost default routes, routes with different costs or a primary and standby type configuration?

If the links appear as equal cost paths then your IPSec traffic may be arriving out of order, which will give performance problems, that's one thought I had on reading this post. Or even arriving with differnet source addresses due to the NAT on the external router.

If you break one WAN link does your IPSec performance improve?

In a situation like this I'd prefer to use public addresses on the PIX to router link, remove the NAT from the external router and use routing (policy routing to push the IPSec down one link to prevent packet re-ordering problems.

0 Helpful
Reply
rasoftware
rasoftware
Community Member
‎03-09-2006 04:14 PM
‎03-09-2006 04:14 PM

Re: Redundany WAN with PIX

Configuration is two WAN links. Arrangment is primary and backup. All traffic flow through primary. I use IP SLA to declare a route down and the other floating static kicks in via the backup. Both outside appear as two differnent IPs. This works great with www etc.

PIX sits behind the router with router as next hop and PIX is unaware of which route it takes.

I have configured remote PIX peers with both addresses. Under normal load PIX remote peers access the NAT'd pix via static port maps on UDP 4500 and 500. I also have static NAT on the backup interface. When the link fails over www traffic works great but IPSEC doesnt fail over very reliable. I see it building NAT translations on the router for the link thats down.

Normally PIX works ok behind NAT router, but it really doesnt work well with the failover interface, despite remote peers having this as an alternative endpoint.

Any ideas?

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
110
Views
0
Helpful
2
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
75
36
75
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
25
2
25
All Blogs