Cisco 3620, PIX515, VPN and Routing.

Status
Not open for further replies.

pjwhitby

MIS
Mar 21, 2002
5
GB
I have this scenario to fix :


<=> frame relay link => c3640 <===============>
c3620 switch
<=> pix515-a f/w <=> internet <=> pix515-b f/w <===>
<==VPN Tunnel==>

I hope that's clear!

Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left) passes to Site B (right) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.

Now what I want to do is create a VPN Tunnel between pix515-a and pix515-b that will act as the primary conduit for data, yes I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.

I can create the VPN tunnel and get traffic to pass, that's not my problem; my problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.

Any suggestions? My gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.

pjwhitby
cne/ccda/ccnp/mcse

 
Have you been able to determine if tschouten's link is relevant? I have been scouring Cisco's site because I'm trying to do essentially the same thing and the whole Dialer Watch thing seems to only be for ISDN. You and I both have Frame Relay that we want to use as the backup route so I don't see how Dialer Watch fits in.

Please let me know via this thread if you find a solution, I'll do the same for you.

RoundAbout
 
RoundAbout

These are the only pre-requisites for Dialer Watch

The router is dial backup capable. This means the router has a DCE, TA, or NT1 device attached that supports V.25bis.
The router is configured for DDR. This includes traditional commands such as dialer map and dialer in-band commands, and so on.
Dialer Watch is only supported for IP at this time.

____________________________________________________________

DDR(Dial on Demand Routing) is used in Frame-Relay as well as ISDN.

 
>DDR(Dial on Demand Routing) is used in Frame-Relay as well as ISDN.

hmmm. News to me!

Thanks, some of this documentation can be pretty cryptic.

RoundAbout
 
Thanks tschouten,

I am in the UK, so I didn't get your reply before I left the office last night. I have just printed off the technote you referenced and I will post my findings today. Thanks


Roundabout, will do. I will keep you posted, and vice versa I hope. Thanks


Here's hopin' ;-)


 
pjwhitby,

Do you have your PIXs attached to separate interfaces on your routers? From your diagram it looks like your PIXs are on the same subnet as the routers but NOT directly connected. Is this so?

My setup looks like this:

Hub<=>2620<=>PIX<==Internet==>PIX<=>2620<=>hub
Hub<=>2620<=======Frame Relay======>2620<=>hub

For the FR I'm using "IP Unnumbered". I have an ethernet Network Module (NM-1E) supplying my second ethernet interface and it is on a different subnet than the internal interface of the router.

Right now I'm playing with "floating static routes" but I'm not sure if it's going to work. The DDR thing that tschouten is talking about appears to only work if the INTERFACE GOES DOWN. Or did I miss something? I admit I didn't read it all :( If the VPN on my PIXs goes down the ethernet interface on the router is unaffected and remains UP.

Talk at ya' later.

RoundAbout
 
My setup is

C5505-HQ switch connects to the PIX-515a-HQ
C5505-HQ switch connects to the C3640-HQ
PIX-515a-HQ connects to the Internet via leased line.

C3640-HQ <=ethernet=> C5505-HQ <=ethernet=> PIX-515a-HQ <=leasedline=> Internet

C3640-HQ connects to C3620-Sub via a frame relay circuit.

C3640-HQ <=frame-relay=> C3620-Sub

C3620-Sub connects to a C2924-Sub switch.
PIX-515b-Sub connects to the same C2924-Sub switch.
PIX-515b-Spoke then connects to the internet via an ADSL router.

C3620-Sub <=ethernet=> C2924-Sub <=ethernet=> PIX-515b-Sub <=ADSL=> Internet

PIX-515a-Hub connects to PIX-515b-Spoke via a IPSec tunnel.

PIX-515a-Hub <=IPSec/VPN Tunnel=> PIX-515b-Sub

I am getting no joy with the Dialer Watch profiles at the moment, but I have a few things to try yet.

Keep it going RoundAbout [thumbsup2]




 
One of my big problems is that I only have a static IP on ONE of my PIXs. The other gets a dynamic IP and uses PPPoE.

Because of the dynamic IP on one side I can only initiate the tunnel from THAT side. I was hoping that when the IP changes, if the OTHER side needed to connect that it could gain access through the FR line (and then possibly bring up the VPN). Dare to dream!

I'm also looking into using OSPF as my Dynamic Routing Protocol, but with PPPoE and dynamic IPs OSPF is apparently kinda' hinky.

Good Luck! Carry on...

RoundAbout
 
Sorry I haven't given you all a very descriptive set of information. With the Dialer Watch commands you can set the Frame-Relay to watch a certain IP address or an interface. When it sees this interface is no longer working it brings the frame-relay interface up, double checks the other interface to make sure it didn't come back up while it was bringing the frame-relay up, and if the other is still down it starts to use the frame-relay. Granted, I have never done this with VPN tunnels, but the command has always worked for me with everything else.

I'm trying to create the same thing in a lab for you guys to see if I can get it to work correctly. IF I can figure something out I will post it.

 
Ok this is what I've gotten to work so far.

First you have to configure the interface to perform DDR. You cannot use a profile if you are using frame-relay for the encapsulation; if you are using PPP or HDLC you can use a profile.

I enabled dialer watch-group 1 on my backup interface. I then created dialer watch-list 1 ip 172.16.1.1 to watch the remote PIX box. I then created a delay for the interface to shut down the interface when the original becomes active: dialer watch-disable 10.

I also had a floating default-gateway to the other frame-relay link, using EIGRP for a routing protocol (note I modified the bandwidth description for faster convergence). I disconnected the link to 172.16.1.1, the DDR came up and seemed to work fine. Right now I am looking to see if I can use VPDN to create a new tunnel when the frame-relay line comes up. My next step is to use PPP as the encapsulation (currently using frame-relay ietf) and create profiles.

If you want to look at VPDN configurations try this cisco site:
Sorry for the loose instructions here, but I am still trying to get things working and didn't want you to think I gave up... may take a while.
 
tschouten,

Thanks for all the help! Do you work for Cisco? By the time this is all done I'm going to owe you a beer or three!

Just to be completely clear on MY needs for this setup: I don't necessarily NEED the Frame Relay (backup route) to go DOWN when not in use. It just needs to be there when the VPN goes down and/or the dynamic IP that I have on one end of the VPN changes. Ideally data requests from the static IP side of the VPN would return data that triggered the VPN to re-establish itself. I do have keepalive enabled on the dynamic IP side of the VPN but just in case that doesn't work, 'interesting' traffic should do the trick...

Thanks again for all of your help!

RoundAbout
 
The disable command is optional. Having a hell of a time with VPDN (mostly due to getting calls from users and whatnot complaining about something and asking for help). No, I do not work for Cisco; if I did I would have to be a hell of a lot smarter. I'm just a dumb guy working to get his CCIE. I've slowly built my own lab and have self-studied for about errr 3 years now.
 
Still, a beer is in order...

I *HATE* it when users bother me for trivial little things like when their systems are smoking and such! <wink>

I'm travelling tomorrow, I'll check in on Thursday!

Thanks again!

RoundAbout
 
Some small explanation of commands and why:

Router(config)# interface serial 0
!!configure your interface!!

Router(config-if)# dialer in-band (or dialer dtr)
This task is required for asynchronous or synchronous serial interfaces but not for ISDN interfaces. Note: an interface configured with the dialer in-band command can both place and receive calls. A serial interface configured for DTR dialing can place calls only; it cannot accept them.


Here is an example ( in this example 172.18.170.22 255.255.255.0 was an Ethernet interface)


Router A
! Serial 0 is the backup link. DTR dialing means this side can only place calls.
interface serial 0
 ip address 172.18.170.19 255.255.255.0
 dialer dtr
 dialer-group 1
 ! Bring the link up when the watched route disappears from the routing table.
 dialer watch-group 1
!
! Interesting traffic: everything except IGRP updates, so routing traffic
! alone does not keep the backup link up.
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 list 101
! The address/mask must match the watched route in the routing table exactly.
dialer watch-list 1 ip 172.18.170.22 255.255.255.0

Router B
! In-band dialing: this side can both place and receive calls.
interface serial 0
 ip address 172.18.170.20 255.255.255.0
 dialer in-band
 dialer string 9876543
 pulse-time 1
!
access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
dialer-list 1 list 101



Another Example
Frame-Relay Static Mapping DDR

interface Serial0
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay
 ! Static map of the frame-relay neighbour to DLCI 100; broadcast lets
 ! routing updates cross the PVC.
 frame-relay map ip 10.1.1.2 100 broadcast
 dialer in-band
 dialer string 4155551212
 dialer-group 1
 dialer watch-group 1
!
access-list 101 deny igrp any host 255.255.255.255
access-list 101 permit ip any any
!
dialer-list 1 protocol ip list 101
dialer watch-list 1 ip 172.18.170.22 255.255.255.0



(This should work for you, let me know if it doesn’t)
 
I guess to make this work I need to use IGRP? Any hints on configuring IGRP? At the moment I'm using static routes ONLY.

Thanks again!

RoundAbout
 
I cannot get this to work, still trying though, but its uphill all the way.

 
Uhhhmm, are your frame-relay connections point-to-point or point-to-multipoint? You should be able to use any routing protocol; I just happened to be using that at the time. I couldn't get it to create a VPN tunnel when it came up though, failed every attempt. Another thought would be using a floating static route like ip route 172.16.4.0 255.255.255.0 172.16.3.2 200

When all routes to 172.16.4.0 fail use route 172.16.3.2 (which would be the ip address of the neighbor frame-relay address). Not sure why I didn't think of trying that method first but that may work for what you need.
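The pieces tschouten describes in the posts above (Dialer Watch on a frame-relay DDR interface, dialer watch-disable, EIGRP with a lowered bandwidth, and a floating static route) pulled together as one spoke-router configuration; this is an added, constructed example, not any poster's lab config. Every address, DLCI, AS number and dial string is assumed; Serial0 is the frame-relay backup and 172.16.1.0/24 the remote LAN. Dialer Watch fires when the watched route leaves the routing table, not when an interface drops, so the primary route has to be learned dynamically: a static route out an Ethernet interface that stays up never disappears and the watch never triggers.

```ios
! Hypothetical spoke router. All values are constructed for this example.
! Primary path: learned via EIGRP (static routes would never be withdrawn
! while the Ethernet interface stays up, so Dialer Watch could not fire).
router eigrp 100
 network 172.16.0.0
!
interface FastEthernet0/0
 description Primary path towards the remote site
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0
 description Frame-relay backup circuit (DDR on the physical interface)
 ip address 172.16.3.1 255.255.255.0
 encapsulation frame-relay ietf
 ! Static map of the frame-relay neighbour to DLCI 100
 frame-relay map ip 172.16.3.2 100 broadcast
 ! Low bandwidth so EIGRP prefers the primary path whenever it is available
 bandwidth 64
 dialer in-band
 dialer string 4155551212
 dialer-group 1
 ! Bring the circuit up when the watched route leaves the routing table
 dialer watch-group 1
 ! Once the primary route is back, hold the backup 10 s, then drop it
 dialer watch-disable 10
 dialer idle-timeout 120
!
! Interesting traffic: everything except EIGRP itself, otherwise routing
! hellos alone would keep the backup circuit up indefinitely.
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
! Watched route: must match the routing-table entry exactly (network + mask)
dialer watch-list 1 ip 172.16.1.0 255.255.255.0
!
! Floating static (AD 200) used only when no dynamic route to the remote LAN
! remains; it points at the frame-relay neighbour.
ip route 172.16.1.0 255.255.255.0 172.16.3.2 200
```

Check with `show dialer` and `show ip route 172.16.1.0` while the primary path is pulled: the watched route should vanish, Serial0 should report dialing, and the floating static should appear as the active route.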
 
MY Frame Relay connection is Point-to-Point and I'm using "ip unnumbered" on the interface as well.

Are you trying to setup a VPN tunnel on the FR? For me that is definitely not a requirement. Aren't leased lines generally private? What are the chances of it being sniffed, etc.?

RoundAbout
 