I'm trying to come up with a seamless way to transition from an active WAN connected router to an IPSec tunnel. Our sites are connected to the WAN using various Cisco routers, and ASA 5505s as their firewall. Since first hop redundancy protocols like HSRP won't work with just the current equipment, I started digging around with the idea of using proxy ARP or tracking that might enable/disable an interface on the firewall, but neither has led me anywhere. Does anyone have any ideas how this might be accomplished without adding any hardware?
How do I resolve the issue of the client's first hop gateway? They point to the router as their default gateway, so my issue is if it goes down, either power or hardware failure, clients continue to use it as their gateway. If it stays up and just loses its WAN interface, I'm OK. I have a shorter mask static route pointing to the firewall to move traffic in that event.
I can't use HSRP/VRRP between a router and a firewall. Yes, using a dynamic routing protocol would work to communicate alternate paths between devices, but again, if the client's default gateway goes down, let's say 10.1.1.1, how are those clients going to know to look at the firewall, 10.1.1.2, as an alternate path?
Well, that is the issue, isn't it: how far do you take redundancy? So in response to your question, you install another router. You have 1 router connected to the WAN, the other router is directly connected to the ASA. You run a dynamic routing protocol over the WAN and between the routers and in a GRE tunnel over an IPsec VPN through the ASA. You then use HSRP/VRRP between the routers. If you have a failure you will have 1 backup path.
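One way the two-router design in the reply above could be configured, as an added example that is not from the thread: HSRP between the two routers presents 10.1.1.1 as the clients' gateway, R1 tracks its WAN interface so a WAN failure also moves the active role to R2, and R2 runs a GRE tunnel that the ASA (10.1.1.2) carries inside its IPsec tunnel. EIGRP as the routing protocol, the interface names, and the 10.1.1.3, 10.1.1.4, 172.16.0.0/30 and 10.2.1.4 addresses are assumptions.

```cisco
! R1: WAN-facing router, normally the active HSRP gateway (assumed addresses)
track 10 interface Serial0/0/0 line-protocol
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.3 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! WAN down: 110 - 20 = 90 < R2's 100, so R2 preempts and takes 10.1.1.1
 standby 1 track 10 decrement 20
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 ! plus the WAN-facing network, so routes are also exchanged over the WAN

! R2: backup router, reaches the remote site through the ASA's IPsec tunnel
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.4 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
!
interface Tunnel0
 description GRE to remote backup router, encrypted by the ASA in transit
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.1.4
!
! Host route for the GRE endpoint via the ASA. The /32 is more specific than the
! remote LAN prefix learned over the tunnel, which avoids recursive routing;
! the ASA's crypto ACL must permit GRE (or 10.1.1.4 <-> 10.2.1.4) for this to work.
ip route 10.2.1.4 255.255.255.255 10.1.1.2
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
```

With both routers in the same EIGRP process on the LAN, R1 also learns the tunnel path from R2, so a WAN-only outage on R1 is covered whether or not HSRP fails over.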