Community Member

VPN as failover to WAN, test

Hello

I had an earlier post on this subject. After that resolution was received the data center added a new wrinkle to my test plan.

The goal of this VPN test is to ping an actual server, across the VPN tunnel, without the remotest possibility of causing any outage.

I have an L3 3750 switch behind my firewall and the default gateway is the firewall. I want to create a loopback IP address on this device for VPN tunnel test purposes. I then will source a ping from the loopback to the server IP address at my remote Data Center. My AVPN links do not pass through the firewall.

Per the data center, they have routing set up so that all 192.168.0.0/16 and 10.0.0.0/8 addresses will be routed out their AVPN WAN link. The data center states:

I need to create a unique IP address to source the pings from so it will go back out their Checkpoint FW and then the tunnel between us.

I think the loopback address could look as follows: 100.255.255.1/32

If I ping the server IP address from the L3 switch with the loopback address as source, it will go out my AVPN WAN link because that is how routing is set up.

The question is: how can I mask the destination server IP address so that the ping does not take the AVPN path but takes the FW and then the tunnel?

My thought is a 1-to-1 NAT in the firewall for the destination DC server.

    static (inside,outside) (natted server ip) (current server IP) netmask 255.255.255.255

I then add this "natted server ip" to the REMOTE NETWORK in the VPN policy.

The natted IP address would also have to be an IP outside the 192.168.0.0 and 10.0.0.0 scopes.

Could this natted server IP be 100.255.254.1?

I could then ping the natted server IP address from the loopback source.

One question I have is: would the remote data center have to reverse the NAT on their end to allow the ping to reach the correct destination?

Please provide expert guidance for this very important issue.

sMc
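One way to wire up the test described in the post above, as an added example that is not configuration from the original poster, the accepted answer, or Cisco: a loopback on the 3750 as the probe source, a destination NAT on the ASA so the DC server is reachable at a mapped address that no AVPN/BGP route covers, and a crypto ACL for that flow. The server address 10.10.20.5, the ACL and crypto map names, the peer 198.51.100.1, and the transform set are assumed placeholders. Two caveats a practitioner would want: the post's 100.255.255.1 and 100.255.254.1 are neither RFC 1918 nor RFC 6598 (100.64.0.0/10) space, so they are public addresses and must not be advertised into BGP; and the static is written (outside,inside), not (inside,outside) as in the post, because the real host lives on the outside, which is also why the ASA, not the data center, undoes the translation. The accepted answer's point stands: dynamic routing is the cleaner way to get real failover.

```cisco
! --- Catalyst 3750 (IOS): test-only source address, never redistributed ---
interface Loopback100
 description VPN failover test source (assumed interface number)
 ip address 100.255.255.1 255.255.255.255
!
! Source the probe from the loopback. 100.255.254.1 matches no AVPN/BGP
! route on the switch, so the packet follows the default route to the FW.
! ping 100.255.254.1 source Loopback100 repeat 5

! --- ASA (pre-8.3 NAT syntax, matching the "static" form in the post) ---
! Inside hosts reach the DC server at the mapped address 100.255.254.1;
! the ASA rewrites the destination to the real address 10.10.20.5
! (assumed). Direction is (outside,inside) because the real host is on
! the outside interface.
static (outside,inside) 100.255.254.1 10.10.20.5 netmask 255.255.255.255
!
! The ASA applies NAT before the crypto-map match on outbound traffic, so
! the crypto ACL names the real server address and the test loopback.
! The loopback itself is left untranslated (nat-control off, no nat rule).
access-list DC_TEST_VPN extended permit ip host 100.255.255.1 host 10.10.20.5
!
crypto map OUTSIDE_MAP 20 match address DC_TEST_VPN
crypto map OUTSIDE_MAP 20 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
!
! Check the whole path on the ASA before sending a single real packet:
! packet-tracer input inside icmp 100.255.255.1 8 0 100.255.254.1
```

The packet-tracer run should show the NAT phase rewriting the destination to 10.10.20.5 and the VPN phase matching DC_TEST_VPN on the outside interface; if the ASA holds an inside route for the server's real subnet, verify the egress interface shown is outside. On the data-center side the Checkpoint encryption domain then has to contain the real server 10.10.20.5 with 100.255.255.1 as the remote host, and, as the data center said, the reply to 100.255.255.1 goes to the Checkpoint only because that address falls outside the 10/8 and 192.168/16 ranges routed to the AVPN link.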
ACCEPTED SOLUTION

Super Bronze

Re: VPN as failover to WAN, test

Hi,

You talk about a firewall and L3 switch setup. You also talk about AVPN, which I am not sure what it means. Are you just referring to a separate VPN device? A simple network diagram might clear up the setup for many people reading this post.

If I have understood the setup correctly then you have some dedicated connection between your site and the datacenter site. And what you want to add is that there is a route between these networks through a L2L VPN connection also.

Though if that is the case I am still not sure how this L2L VPN would be used between the sites.

If you would truly want to achieve redundancy between the 2 sites, it would be better if you could run a dynamic routing protocol over each connection, and that would tell the L3 device on each end through which link/connection they should reach the other site.

In this setup it would seem to me that you would have to mask the IP addresses of both networks to be able to use the VPN at the same time while the actual dedicated connection is in use.

- Jouni

5 REPLIES
Community Member

VPN as failover to WAN, test

Can anyone provide expert guidance for this very important issue?

sMc
Community Member

VPN as failover to WAN, test

All

POLL:

Is this question too difficult or so easy and I am missing something?

Can someone with VPN expertise at least post some response so I can work toward a solution, please!

sMc
Community Member

VPN as failover to WAN, test

My topology

ALL remote sites come back to Corporate to access the internet. This is how the VPN would work: once the default gateway is lost after BGP disappears, they will default to my firewall. At this point the Production subnets at the data center will be seen in the VPN policy and traffic will cross the tunnel until BGP is restored.

I agree with this statement, I just want to make sure the logic is correct.

"In this setup it would seem to me that you would have to mask the IP addresses of both networks to be able to use the VPN at the same time while the actual dedicated connection is in use."

sMc
Community Member

VPN as failover to WAN, test

Please review and advise on this implementation plan.
sMc