Is this possible?

Status
Not open for further replies.

hunterdw

Technical User
Oct 25, 2002
345
US
Ponder the following situation:

Central location EDM (edmond) - 192.168.1.0/24, 172.16.10.0/24, 172.16.11.0/24, 172.16.20.0/24, 172.16.21.0/24

Remote location STW (stillwater) - 192.168.4.0/24

Remote location TUL (tulsa) - 192.168.3.0/24

Currently, Central is connected to Stillwater with a Cisco 1710 at both ends. IPSec running between. Both of these connections are through Qwest ISP.

Also currently, Central is connected to Tulsa with a Cisco 1710 (same 1710 as above) at Central and 1760 in Tulsa. IPSec running between. Both of these connections are through Qwest ISP.

I want to create some failover / redundancy in our network. Each location also has a Cox ISP location. So, at the central location I have this wonderful little PIX 515e which also does IPSec tunnels.

At each remote location I have an IPCop content filter which goes through the Cox ISP. IPCop can do IPSec.

I want my redundant links to be from the PIX (central) to each IPCop box.

Is this possible? I've been struggling the last week with this stupid setup. As best as I can tell, I can get the tunnels up and running but cannot get any traffic going between them. "themut" has given me wonderful information (thank you) but I can't get it figured out.

I know that the PIX 515e is not a router, but can it act as a router similar to the 1710?

--DW
 
Yes you can, I've implemented a similar backup system for one of my customers.

The way to do this is to use GRE tunnels between the routers and encrypt the tunnel traffic. Then you run a dynamic routing protocol across the GRE tunnels. Each tunnel forms a point-to-point circuit that represents the topology you want to implement, with your backup tunnels going out via the PIX.

So EIGRP (in my case) forms a neighbour relationship with the remote site across each tunnel circuit. Using the delay metric, it's an easy task to determine which is the primary and which is the secondary link.

When the primary fails, EIGRP loses its neighbour relationship and the routing protocol converges on the alternate path.

OK, so why use such a complex-sounding setup? It's because IPSec won't pass multicasts, so EIGRP neighbours don't see each other. And as Internet-based failures are hidden from the routers, the routers cannot reconverge on a new path because they may not see the failure.
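The GRE-over-IPSec-plus-EIGRP design described in the reply above, written out as an added example for the central 1710 (Edmond) talking to Stillwater. This is illustrative IOS configuration, not the replier's or the original poster's config. Assumed values: Qwest public addresses 203.0.113.1 (Edmond) and 203.0.113.4 (Stillwater 1710), tunnel subnets 10.255.1.0/30 (primary) and 10.255.2.0/30 (backup), the PIX inside address 192.168.1.254, the Stillwater IPCop inside address 192.168.4.254 as the backup tunnel endpoint, EIGRP AS 100, and a pre-existing PIX-to-IPCop IPSec tunnel whose crypto ACL permits GRE (IP protocol 47) between 192.168.1.1 and 192.168.4.254.

```cisco
! Central 1710 (Edmond) - added example, assumed addresses, not the poster's config
!
! --- IPSec for the primary GRE tunnel (this router encrypts it itself) ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRIMARYKEY address 203.0.113.4
!
! Transport mode is enough: GRE already supplies the outer IP header
crypto ipsec transform-set GRESET esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE traffic between the two tunnel endpoints is encrypted here
ip access-list extended GRE-TO-STW
 permit gre host 203.0.113.1 host 203.0.113.4
!
crypto map QWEST 10 ipsec-isakmp
 set peer 203.0.113.4
 set transform-set GRESET
 match address GRE-TO-STW
!
! --- Primary circuit: GRE over Qwest, low delay so EIGRP prefers it ---
interface Tunnel1
 description Primary to STW via Qwest (encrypted by crypto map QWEST)
 ip address 10.255.1.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 203.0.113.4
 delay 1000
!
! --- Backup circuit: GRE through the PIX/Cox/IPCop IPSec tunnel ---
! Higher delay (units are tens of microseconds) makes the EIGRP metric worse,
! so this path is only installed when Tunnel1 loses its neighbour.
interface Tunnel2
 description Backup to STW via PIX -> Cox -> IPCop
 ip address 10.255.2.1 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 192.168.4.254
 delay 5000
!
interface FastEthernet0
 description Qwest
 ip address 203.0.113.1 255.255.255.248
 crypto map QWEST
!
interface Ethernet0
 description Inside LAN (Edmond); PIX inside interface is 192.168.1.254
 ip address 192.168.1.1 255.255.255.0
!
! EIGRP runs over both tunnel /30s; hellos are unicast inside GRE, so the
! IPSec "no multicast" problem from the reply never comes up.
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.1.0
 network 172.16.0.0
 no auto-summary
!
! Caveat: the backup tunnel's destination (192.168.4.254) lives in a prefix
! that EIGRP will learn via Tunnel1. Without this /32 static route the tunnel
! would route its own endpoint through itself (recursive routing) and IOS
! would flap it. Static AD 1 wins over EIGRP, so it always goes via the PIX.
ip route 192.168.4.254 255.255.255.255 192.168.1.254
!
! Default route towards Qwest; carries the encrypted primary tunnel
ip route 0.0.0.0 0.0.0.0 203.0.113.2
```

The Stillwater 1710 mirrors this with the addresses swapped (10.255.1.2 and 10.255.2.2, its own /32 static for 192.168.1.1 pointing at the IPCop box). With default tunnel EIGRP timers (hello 5 s, hold 15 s) a dead Qwest path is noticed within about 15 seconds and 192.168.4.0/24 is reinstalled via Tunnel2; check with `show ip eigrp neighbors` and `show ip route 192.168.4.0`. Note that the PIX and IPCop see only GRE between the two router addresses, so their crypto ACLs must match that traffic, not the end-user subnets.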
