Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN IPsec & ISDN backup scenario

Hi folks,

I have question regarding deployment of VPN network.

We have to provide backup over ISDN network, so we must use OSPF (EIGRP is also possible) routing protocol which will be running among branch offices, regional and central headquarters. When Internet connectivity goes down, must be established backup connection over the ISDN network. We will use also GRE encapsulation, which must be used if you want to put OSPF (multicast) traffic in IPsec tunnel.

This are facts and we know them quite well.

But we have some additional questions :)

I think the easiest solution would be to use PIXes, but unfortunatelly they

don't support routing protocols like OSPF. So we think that we should use PIXes for connectivity to the internet (PPPoE) and for terminating VPN tunnels and for statefull firewalling. The PIX would also be doing NAT/PAT and behind the PIX on the local network (RFC1918 IP addressing) we would put router with ethernet / ISDN wic for backup. Router should be doing GRE and OSPF routing between locations. Also traffic on ISDN backup line must be crypted.

Would it be better to put router in front of PIX? So router would be doing GRE, OSPF, IPsec, NAT/PAT (unfortunatelly I have only 1 public IP address per location) and PIX would be doing just statefull firewaling ?

Which solution is better?

Best regards

New Member

Re: VPN IPsec & ISDN backup scenario

Most of the designs that I have come accross use the PIX-Router pair with the router placed infont of the PIX, inbetween the PIX and the internet. The strength of this design is that this gives you a two tired perimeter where the router forms the first line of defence. One would need to compromise/work around the perimeter router long before he/she ever has a chance to try anything on the PIX. This is certainly more secure. However, since you need to establish a GRE tunnel to move your routing traffic across, this is not a design that you can count on... unless ofcourse, and as the best option, you go in for two additional routers. Hope you find a way out... and maybe then you could share it with us.