c3640 (Hub) <=> C5505 <=> PIX-515 <=> LEASED LINE <=> Internet
I hope that's clear!
Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left/spoke) passes to Site B (right/hub) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.
Now what I want to do is create a VPN Tunnel between pix515-a (spoke) and pix515-b (hub) that will act as the primary conduit for data, yes I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.
I can create the VPN tunnel and get traffic to pass, that's not my problem. My problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.
Any suggestions? My gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.
The issue here is that your routing tables at spoke-A and hub-B have to change to point over the FR link when the VPN tunnel goes down. This implies that you need routing updates to go over the VPN tunnel, and when this goes down, you have a floating static route that points over the FR link.
Unfortunately, in the PIX there's no way to send routing updates over the tunnel, nor does it support reverse-route injection like the router and VPN3000 do. This means there's no way to automatically make this happen.
About the best you could do is manually add a static route into each side that points the remote network over the FR link when the VPN is down, and then remove it when the VPN is back up.
This would work with VPN3000's or routers at either end, as they both support either RRI or sending routing updates over the tunnel.
Actually you can send routing updates over your VPN tunnels that are established by the PIX FW as you have 3600 series routers at each site.
Create IPSEC tunnels between PIX firewalls and GRE tunnels over the IPSEC tunnels. At that point implement a dynamic routing protocol on all routers and weight the FR links at a higher cost than the IPSEC links.
Your 3600's will all have a tunnel interface over ipsec and frame interface both to the same destination.
Also don't forget to enable GRE keepalives on your tunnel interfaces due to the default being a no keep.
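A spoke-side router configuration for the GRE-over-IPsec design described in the reply above, as an added example that is not part of the original thread. All addresses, interface names, the DLCI, the OSPF process number and the choice of OSPF as the routing protocol are assumptions; the key is a placeholder.

```cisco
! Spoke 3640. Constructed addressing (assumed, not from the thread):
!   192.168.1.0/30  transit link, router (.2) to inside of spoke firewall (.1)
!   192.168.2.2     hub router's transit address (GRE far end)
!   10.1.10.0/24    spoke LAN
! The firewalls' crypto ACLs must match GRE (IP protocol 47) between
! 192.168.1.2 and 192.168.2.2 and exempt it from NAT, so every GRE packet
! is carried inside the IPsec tunnel.
!
interface Tunnel0
 description Primary path: GRE inside the firewall-to-firewall IPsec tunnel
 ip address 172.16.255.1 255.255.255.252
 ! Leave headroom for GRE + IPsec overhead to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Line protocol goes down after 3 missed keepalives sent every 10 seconds
 keepalive 10 3
 tunnel source 192.168.1.2
 tunnel destination 192.168.2.2
 ! Set the cost explicitly; tunnel interfaces default to a low bandwidth
 ip ospf cost 100
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-key-placeholder>
!
interface Serial0/0.1 point-to-point
 description Backup path: Frame Relay PVC to hub
 ip address 172.16.254.1 255.255.255.252
 frame-relay interface-dlci 100
 ! Higher cost than Tunnel0, so used only when the tunnel adjacency is lost
 ip ospf cost 1000
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-key-placeholder>
!
! Pin the GRE far end to the firewall path. The transit subnets are kept
! out of OSPF so the tunnel destination is never learned through the
! tunnel itself (recursive routing would flap Tunnel0).
ip route 192.168.2.2 255.255.255.255 192.168.1.1
!
router ospf 1
 network 172.16.255.0 0.0.0.3 area 0
 network 172.16.254.0 0.0.0.3 area 0
 network 10.1.10.0 0.0.0.255 area 0
```

The hub router mirrors this with the addresses reversed. With these assumed costs, `show ip route` on the spoke should list the hub LAN via Tunnel0 while the VPN is up and via Serial0/0.1 after the keepalives time out.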