Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
4
Replies

VPN and Routing

u.naranjo
Level 1
Level 1

‎02-06-2004 02:56 PM - edited ‎02-21-2020 01:01 PM

Hi,

I have a scenario where I would need to set up failover using a 1720 router connecting to two different ISP'S and a Pix 501 behind it.How would the failover work, specially the configs that need to go on the pix so it knows how to get to the destination when one line goes down?

At the main office I'll have a 515 ending all the remote VPN tunnels.

Has anybody configured something similar? I'm doing some research to find the solution but any suggestions would be really appreciated.

remotes: pix>rtr>isp1 and isp2

Main site: pix>rtr>isp1 and isp2

Thanks very much...

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎02-07-2004 07:42 PM

If the two ISP circuits terminate on the router, and you then have an ethernet port from there to the PIX's outside interface, then you don't need to do anything special on the PIX at all. Just set the PIX's default route to be the routers ethernet interface, and everything should work fine, provided the router is set up correctly to be able to route out to both ISP's.

I'm sure you're not going to be receiving a full Internet routing table on the 1720's from both ISP's, so I'd probably suggest setting a default route on the 1720 to point to one specific ISP, and then setting a floating-static default route pointing out the other one. That way all traffic will go via one ISP, and if that goes down it'll go via the other.

0 Helpful

u.naranjo
Level 1
Level 1
In response to gfullage

‎02-08-2004 04:45 PM

Thanks for the insight; I think I was making more complicated than what it is.

Regards,

0 Helpful

vcjones
Level 5
Level 5
In response to u.naranjo

‎02-09-2004 01:41 PM

For redundancy to provide higher availability, three things must be present:

1 - The ability to detect a failure

2 - The ability to select an alternate path

3 - The availability of the alternate path when it is actually needed.

The challenge in typical low cost (cable modem & DSL) redundant ISP setups is #1. There is no way to detect the loss of an ISP, whether due to link, PIX, ISP or other failure. Low cost providers generally are not willing to do BGP with you, and the Ethernet interface on the cable/DSL modem stays up regardless of the state of the ISP link.

What you appear to be seeking is "ping directed routing" where ping or some other non-routing mechanism is used to detect when an ISP is no longer useable. All traffic can then be directed to flow to the remaining ISP. This is a feature which has been mentioned as being in the Cisco pipeline, but as of yet does not appear to be available. SOHO boxes from a few other vendors, do have the capability. Take at look at the Symantec 200R (previously known as the Nexland Pro800 turbo) to get an idea of what can be done.

Note that this technique really only works for inside users browsing the net. As a mechanism for inbound services, it is only appropriate for email (using multiple MX records, one per ISP path).

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful

chuachenhui
Level 1
Level 1
In response to vcjones

‎05-30-2004 06:48 PM

Hi Vincent. What if i am using 2 1721 router to establish VPN? and one of the site having 2 connection(ADSL as primary and lease line as backup). Will the SAA work just like other "dual-WAN failover box" and allow VPN connection to have redundency as well?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents