Backup scheme using VPN and WAN

WILLIAM STEGMAN
Level 4

I'm trying to come up with a seamless way to transition from an active WAN-connected router to an IPsec tunnel. Our sites are connected to the WAN using various Cisco routers, with ASA 5505s as their firewalls. Since first-hop redundancy protocols like HSRP won't work with just the current equipment, I started digging around with the idea of using proxy ARP or tracking that might enable/disable an interface on the firewall, but neither has led me anywhere. Does anyone have any ideas how this might be accomplished without adding any hardware?

thank you

Bill

7 Replies

andrew.prince
Level 10

Run a dynamic routing protocol and/or DMVPN.

Sent from Cisco Technical Support iPad App

How do I resolve the issue of the clients' first-hop gateway? They point to the router as their default gateway, so my issue is that if it goes down, either a power or hardware failure, clients continue to use it as their gateway. If it stays up and just loses its WAN interface, I'm OK: I have a shorter-mask static route pointing to the firewall to move traffic in that event.

There are many solutions: IP SLA with route injection, HSRP/VRRP, the firewall participating in a dynamic routing protocol, a dynamic routing protocol with sensitive timers... the list goes on.

It all depends on your overall topology and equipment types.

Sent from Cisco Technical Support iPad App

I can't use HSRP/VRRP between a router and a firewall. Yes, using a dynamic routing protocol would work to communicate alternate paths between devices, but again, if the clients' default gateway goes down, let's say 10.1.1.1, how are those clients going to know to look at the firewall, 10.1.1.2, as an alternate path?

Have the default gateway be the firewall, and have IP routes pointing to the router.

Sent from Cisco Technical Support iPad App

What happens if the firewall goes down? Not just its link to the Internet, but the firewall entirely.

Well, that is the issue, isn't it: how far do you take redundancy? So in response to your question, you install another router. You have one router connected to the WAN, and the other router is directly connected to the ASA. You run a dynamic routing protocol over the WAN, between the routers, and in a GRE tunnel over an IPsec VPN through the ASA. You then use HSRP/VRRP between the routers... if you have a failure you will have one backup path.

Normal redundancy is N+1.
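The two-router design in the last reply, written out as an added example (this is not configuration from the thread, the OP's site, or Cisco documentation): R1 holds the WAN link, R2 sits beside the ASA that terminates the IPsec tunnel, and HSRP between R1 and R2 gives clients one virtual gateway that survives either a WAN outage or the loss of R1 itself. All addresses, interface names, the probe target and the HSRP key string are assumed placeholders; the ASA at 10.1.1.2 is taken from the thread.

```cisco
! R1 (WAN router). Added example; every address and name below is assumed.
! Probe an address beyond the WAN link (assumed provider next hop) so an
! upstream failure is detected, not only a local link-down.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 ! authenticate HSRP so a rogue host on the LAN cannot claim the virtual gateway
 standby 1 authentication md5 key-string HSRP_KEY_PLACEHOLDER
 ! 110 - 20 = 90 < 100, so R2 becomes active when the WAN probe fails
 standby 1 track 1 decrement 20
!
! Tracked default route is withdrawn when the probe fails; the floating
! static (AD 250) then sends R1's own transit traffic to R2 instead.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 10.1.1.3 250
!
! R2 (backup router next to the ASA). If R1 dies outright, HSRP hold
! timers expire and R2 takes over the same virtual address 10.1.1.254.
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.3 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.254
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP_KEY_PLACEHOLDER
!
! R2 forwards to the ASA inside address; the ASA's IPsec tunnel carries
! the traffic while the WAN is down. The ASA itself is still a single
! point of failure, as the thread notes.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
```

Clients use 10.1.1.254 as their gateway; `show standby brief` and `show track 1` on R1 show which router is active and whether the probe is up.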
