I have a somewhat unique situation at a new customer site that I am looking at deploying. First, the basic topology:
With that said, I need to accomplish two things:
This is all complicated by the fact that the third party network is not managed by me, and their network team is not very well versed in firewalls (they generally contract yet another third party to perform changes).
So to start, I have simply connected G0/2 on our 2911 to an open port on our 851. G0/2 was given an IP of 10.192.4.2. I can successfully ping between the two devices, but I lose remote connectivity to the 851 from the data center. I presume this is because eigrp is advertising the 10.192.4.0 network across the Metro E, and the response from the 851 is to statically route across the VPN tunnel. The 851 does not support eigrp.
Should I place a static route on the 851 of 10.20.0.0 255.255.0.0 10.192.4.2, followed by adding a higher metric route for the VPN tunnel? This should force the router to use the 2911 as its gateway to our data center network. I would do the reverse on the 2911, adding a higher metric static route to our core data center to use the 851 router.
For the second requirement, I would presume I need to route traffic for 192.168.48.0/24 and 192.168.10.0/24 through 10.192.4.1, and instruct the 3rd party team to allow traffic from 10.25.0.0 through their VPN tunnel/firewall.
This is a messy one, and the lack of eigrp support and the two VPN tunnels involved on the 851 complicate things for me.
I've created a quick Visio diagram of my topology. Hopefully it helps in understanding. The solid green line is the new connection between the 2911 and 851 at the site. The dashed green line shows the two networks that must be able to communicate between the site and the 3rd party's data center.
Can you post as a jpg as not all of us have Visio.
It's not entirely clear from your description what the source IP networks are that need access to both the DC and the remote site VPN.
On a more general note if you are using statics then an indirect failure link will not remove the static so the backup VPN may not be used. Solutions -
1) use RIP between the 2911 and the 851 (I believe the 851 supports RIP) and redistribute from EIGRP into RIP. You have a default route pointing to the VPN link but advertise the more specific routes into RIP and so if both links are up it will choose the Metro E link. RIP however can be slow to converge.
2) use IP SLA (if supported on your 851) to track the reachability of the DC via the preferred route. If you want to check if IP SLA is supported -
851(config)# ip sla ?
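To make the IP SLA option above concrete, here is an added example of what the tracked primary route plus floating static would look like on the 851; it is not configuration from anyone in the thread. It assumes the 851 runs an IOS image with IP SLA and object tracking (12.4T-style "ip sla" syntax; older images use "ip sla monitor"), that the 851's address on the link to the 2911 is 10.192.4.1 (the 2911 side is 10.192.4.2 per the question), that 10.20.0.1 stands in for a host inside the data center that is always reachable, and that 203.0.113.1 is a placeholder for the WAN next hop that carries the VPN tunnel.

```cisco
! Added example, not from the thread. Placeholders: 10.20.0.1 = a host in the
! DC to probe, 203.0.113.1 = the 851's WAN next hop for the VPN path.
!
! Probe a host in the DC, sourced from the 851's address on the 2911 link.
! timeout must be shorter than frequency (both in ms / s respectively).
ip sla 10
 icmp-echo 10.20.0.1 source-ip 10.192.4.1
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track the probe; the delay keeps a single lost ping from flapping the route.
track 10 ip sla 10 reachability
 delay down 15 up 15
!
! Pin the probe target to the Metro E path so the probe always tests that path,
! even after the tracked route below has been withdrawn. Without this the probe
! would follow the backup VPN route once the primary failed, succeed, and flap.
ip route 10.20.0.1 255.255.255.255 10.192.4.2
!
! Primary route to the DC via the 2911, installed only while track 10 is up.
! This is what lets an indirect failure (Metro E down beyond the 2911) remove
! the static, which a plain static route would never do.
ip route 10.20.0.0 255.255.0.0 10.192.4.2 track 10
!
! Floating static (AD 250) over the VPN, used only when the primary is gone.
ip route 10.20.0.0 255.255.0.0 203.0.113.1 250
```

Two things to check before relying on this: the probe target must sit beyond the 2911 (inside the DC), otherwise the track only proves the directly connected link is up; and the backup path only works if the existing VPN crypto ACL on the 851 already matches traffic to 10.20.0.0/16, since the floating static only changes the next hop, not what the tunnel encrypts. The 2911 needs the mirror image: its EIGRP-learned route to the site subnet (AD 90) stays preferred, and a floating static toward the 851 with a higher AD only takes over when EIGRP loses it.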
Apologies, I missed your last post.
Can you just clarify in specific terms -
1) a full list of which IP subnets need access to which IP subnets
2) for each of 1) which path you want them to take including any failover path
It may just be me but I am just struggling to see exactly what needs access to what.