Floating static route through the Firewall

Gabriel Santini
Level 1

Hi to all. Sorry for my poor English.

I have a remote site (A) connected to an access router (B). The remote site (A) has a dedicated leased line to the access router (B) plus an ADSL backup (with a GRE tunnel) to my VPN tunnel concentrator (C). All are running EIGRP as the dynamic protocol.

The access router (B) is connected to an outside Ethernet port on a firewall (D). The inside port of the firewall (D) is connected to a core router (E). The core router (E) is running EIGRP.

On this core router (E) I have a static route to the firewall (D) to reach the remote site (A). The problem is that when the leased line between the access router (B) and the remote site (A) goes down, the core router (E) never loses the static route, because the next hop of this router (in this case the firewall (D)) never goes down. This situation means that the traffic never passes to the ADSL.

I know that there is something to solve this problem, but I do not remember what it is called.

Can anybody help me?


Brgds


Ganesh Hariharan
VIP Alumni

Hi,

As per the message, I have a few queries: is the firewall connected to both router (B) and the VPN concentrator via a common switch, or is only router (B) connected to the firewall via the outside port?

If it is the first option, then you need to configure a floating static route in the firewall or the static route tracking mechanism.

If it is option 2, the configuration needs to be done in the router rather than in the firewall.

The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.

See the link below; I hope that clears up your query!

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1090243

Ganesh.H

Hi.

Thank you for the help. I will try to examine the best solution and apply one of them.

Brgds

Jon Marshall
Hall of Fame

Gabriel

You need to use Reliable static routing with object tracking. Basically you would set up a ping to site A via the leased line using IP SLA. And if there was no response then you can use a different static route pointing to your ADSL link.

All this is done on the core router. See this link for details -

Reliable static routing

One question though. If you are running EIGRP, then why do you have a static route on the core router? Is the firewall Cisco or some other vendor, and if it is Cisco, is it a PIX or ASA, and which version of code is it running?

Jon
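
The reliable static routing setup described in the reply above, sketched as Cisco IOS configuration for the core router (E). This is an added example, not configuration posted by anyone in the thread: every address and the interface name are constructed placeholders, and the syntax is that of newer IOS releases (older ones use `ip sla monitor` and `track 1 rtr 1 reachability`).

```cisco
! Constructed addressing (documentation ranges, not from the thread):
!   198.51.100.0/24  remote site (A) LAN
!   203.0.113.2      site A's leased-line interface, used as the probe target
!   192.0.2.1        firewall (D) inside address, primary next hop
!   192.0.2.129      next hop toward the VPN concentrator (C), backup path
!
! Pin the probe to the primary path. Without this host route the ping could
! succeed over the backup after failover and make the tracked route flap.
ip route 203.0.113.2 255.255.255.255 192.0.2.1
!
! ICMP echo every 5 seconds, sourced from the interface facing the firewall
! (GigabitEthernet0/1 is an assumed name). The firewall policy must permit
! echo and echo-reply for this one source/destination pair and nothing wider.
ip sla 1
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/1
 threshold 2000
 timeout 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! The track object follows probe reachability. The delays keep a single lost
! ping from withdrawing the route and keep a bouncing line from reinstalling
! it too early.
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! Primary static route: present in the routing table only while track 1 is up.
ip route 198.51.100.0 255.255.255.0 192.0.2.1 track 1
!
! Floating static route: administrative distance 250, so it is used only after
! the primary has been withdrawn. If site A's prefix is already learned through
! EIGRP over the GRE tunnel, that route takes over instead and this line can
! be omitted.
ip route 198.51.100.0 255.255.255.0 192.0.2.129 250
```

`show track 1`, `show ip sla statistics 1` and `show ip route 198.51.100.0` confirm the probe state and which route is currently installed.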

Hi Jon.

We use static routing to the firewall because we don't want to use any dynamic routing other than EIGRP, and the NOKIA FW does not support this dynamic routing protocol.

Thank you for the response. I will examine the recommendation for object tracking.

Brgds
