11-29-2011 06:30 AM
I'm trying to come up with a seamless way to transition from an active WAN connected router to an IPSec tunnel. Our sites are connected to the WAN using various Cisco routers, and ASA 5505s as their firewall. Since first hop redundancy protocols like HSRP won't work with just the current equipment, I started digging around with the idea of using proxy ARP or tracking that might enable/disable an interface on the firewall, but neither has led me anywhere. Does anyone have any ideas how this might be accomplished without adding any hardware?
thank you
Bill
11-29-2011 10:11 AM
Run a dynamic routing protocol and or DMVPN
Sent from Cisco Technical Support iPad App
11-29-2011 10:17 AM
How do I resolve the issue of the clients' first hop gateway? They point to the router as their default gateway, so my issue is that if it goes down, either power or hardware failure, clients continue to use it as their gateway. If it stays up and just loses its WAN interface, I'm OK. I have a shorter mask static route pointing to the firewall to move traffic in that event.
11-29-2011 10:25 AM
There are many solutions: IP SLA with route injection, HSRP/VRRP, the firewall participating in a dynamic routing protocol, a dynamic routing protocol with aggressive timers... the list goes on.
It all depends on your overall topology and equipment types.
Sent from Cisco Technical Support iPad App
11-29-2011 10:30 AM
I can't use HSRP/VRRP between a router and a firewall. Yes, using a dynamic routing protocol would work to communicate alternate paths between devices, but again, if the clients' default gateway goes down, let's say 10.1.1.1, how are those clients going to know to look at the firewall, 10.1.1.2, as an alternate path?
11-29-2011 12:14 PM
Have the default gateway be the firewall, and have IP routes pointing to the router.
Sent from Cisco Technical Support iPad App
11-29-2011 12:25 PM
What happens if the firewall goes down? Not just its link to the Internet, but the firewall entirely.
11-29-2011 12:47 PM
Well, that is the issue, isn't it: how far do you take redundancy? So in response to your question, you install another router. You have one router connected to the WAN; the other router is directly connected to the ASA. You run a dynamic routing protocol over the WAN and between the routers, and in a GRE tunnel over an IPSec VPN through the ASA. You then use HSRP/VRRP between the routers. If you have a failure you will have one backup path.
Normal redundancy is N+1.
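The two-router design from the last reply, written out as an added example configuration (it is not from any poster in this thread, and addresses, interface names, the HSRP group number and the key string are all constructed assumptions). R1 is the WAN-facing router and R2 is the router connected to the ASA. The HSRP virtual address is kept at 10.1.1.1 so the clients' existing default gateway does not change; the ASA inside address 10.1.1.2 comes from the thread. R1 probes the WAN next hop with IP SLA: if only the WAN fails, the tracked default route is withdrawn and the floating static route via the ASA takes over while R1 stays active; if R1 fails entirely (power or hardware), HSRP moves the virtual address to R2, which already routes to the ASA.

```ios
! ===== R1: WAN-facing router (added example, constructed addresses) =====
! IP SLA probe of the provider next hop (203.0.113.1 is a constructed address)
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe; used by both HSRP and the default route
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN client segment
 ip address 10.1.1.3 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! authenticate hellos so a rogue host on the LAN cannot claim the gateway address
 standby 1 authentication md5 key-string CHANGE-ME-PLACEHOLDER
 ! lose 20 priority when the WAN probe fails, so R2 (priority 100) still wins
 standby 1 track 1 decrement 20
!
! Default route via the WAN only while the probe succeeds;
! the floating static (AD 250) via the ASA takes over otherwise
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 10.1.1.2 250

! ===== R2: router connected to the ASA (added example) =====
interface GigabitEthernet0/1
 description LAN client segment
 ip address 10.1.1.4 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME-PLACEHOLDER
!
! R2 always forwards to the ASA, which carries the IPSec path to the remote sites
ip route 0.0.0.0 0.0.0.0 10.1.1.2
```

After applying this, check the failover state with `show standby brief` and `show track 1` on R1: with the WAN up, R1 should be Active and track 1 Up; pulling the WAN link should show track 1 Down, the tracked default route gone from `show ip route`, and R1 still Active (priority 90 versus R2's 100 would hand over the virtual address, so set the decrement to less than the priority gap if you want R1 to keep the active role during a WAN-only failure, or to more than it if you want R2 to take over). Powering R1 off should show R2 as Active within the HSRP hold time.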