Cisco Support Community

Failover VPN and Internet

I have a complicated issue that requires configuration.

I have to provide a failover solution where I have both a T1 and DSL Internet connection and need to provide fully automatic failover from the T1 to the DSL for both Internet and VPN traffic.

I have a PIX 515 firewall and another 3rd party firewall (if necessary) connected to a 1720 T1 router and a DSL router (either a 1760 or a 2611).

I plan on using the 3rd party firewall for the outbound Internet (running NAT) and the PIX 515 for all VPN connections. In this case I will be using our public IP address pool for the network connecting the routers and firewalls (external interfaces). When the T1 is in use, both the 3rd party firewall and the PIX 515 will be performing NAT and routing out the T1 (simple), but when the T1 goes down I plan on using HSRP with a dynamic IP to fail over to the DSL router, but only for the Internet connections. The problem I have is that the DSL external IP is obviously different from the T1 pool. So I plan on using NAT on the DSL router so the traffic will come back to it when sent out. This will cause a double NAT situation for all Internet connections, which should not be a problem.

However, the VPN situation is where I run into a problem. I have a bunch of remote sites with PIX 506s running VPNs back to the 515. I planned on setting up static routes to both the T1 and DSL interfaces on them so they will fail over, but obviously if the DSL router is NATing to the external IP this will cause a problem. So that is why I think I may need a 2611 router, which has 2 Ethernet interfaces. That way I can configure one port for NAT and one without, using 2 separate public IPs from the T1 pool. That way the VPN traffic which is routed to the external DSL router will be passed to the PIX 515 and the VPNs will be established, but the outbound Internet from the 3rd party firewall will be NATed in the 2611 and go out as from the external DSL public IP.

I also have a question about HSRP, and that is: if I configure an interface for HSRP and it is the active router, will it still respond to traffic for its non-dynamic IP address, or will it only use the dynamic IP?

I just wanted to run this by some of you experts to see if that is the best way to implement the solution. I realize this may be confusing, but please assist and ask whatever questions are necessary.



Re: Failover VPN and Internet

Configure a standby IP on the 1720 router and then make the PIX point to the standby IP address on the router. Here are the commands:

    int ethernet0
    standby 1 track serial 0
    standby 1 priority 105
    standby 1 preempt
    standby 1 ip
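
A fuller version of the configuration that reply sketches, as an added example that is not part of the original thread: HSRP group 1 on both routers, with the T1 router tracking its serial interface so the DSL router takes over the shared gateway address when the T1 drops, plus the matching default route on the PIX 515. The addresses (198.51.100.0/24 for the segment shared by the routers and firewalls, 203.0.113.0/30 for the T1 link) and the interface names are placeholders chosen for illustration; the post gives none, and the real Ethernet interface on a 1720 is usually named FastEthernet0.

```text
! Added example, not from the thread. Addresses and interface names are
! placeholders; substitute the real public pool and interface names.
!
! ---- 1720 (T1 router), normally the HSRP active router ----
interface Serial0
 description T1 to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0
 description segment shared with the PIX 515 and the 3rd party firewall
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 105
 standby 1 preempt
 ! decrement priority by 10 when Serial0 goes down: 105 - 10 = 95
 standby 1 track Serial0 10
!
! ---- DSL router (2611), normally the HSRP standby router ----
interface Ethernet0/0
 description segment shared with the PIX 515 and the 3rd party firewall
 ip address 198.51.100.3 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 100
 ! preempt is required here: the 1720 keeps running when only its T1 fails,
 ! so the DSL router must be allowed to seize the active role on priority
 standby 1 preempt
!
! ---- PIX 515 (PIX 6.x syntax): default route to the HSRP virtual address ----
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! ---- verification on either router ----
! show standby brief
! show standby Ethernet0 1
```

How the numbers work: the HSRP default priority is 100 and the default track decrement is 10, so while Serial0 is up the 1720 wins at 105; when Serial0 loses line protocol its priority falls to 95, the 2611 (100, with preempt) becomes active and starts answering for 198.51.100.1, and when the T1 returns the 1720 preempts back. Two caveats a practitioner should check before relying on this. First, `standby track` only watches the interface's line protocol: a T1 that stays up while the ISP black-holes traffic behind it will not trigger failover, so test the failure mode you actually expect, not just a pulled cable. Second, on the HSRP question in the original post, the active router keeps answering on its own interface address (198.51.100.2 here) as well as on the virtual address; the virtual address is served from the HSRP virtual MAC (0000.0c07.ac01 for group 1), while the physical address keeps the interface's burned-in MAC, so anything pointed at a router's real address, rather than the standby address, will not follow the failover.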
