From my HQ PIX I have built a VPN LAN2LAN tunnel to a branch PIX. However, I need to add more redundancy at the branch and will be installing a second internet connection at that site. The problem is that the ISPs there do not support BGP, which implies that I will need to manually rebuild a tunnel should the primary ISP link fail. These are the possible solutions we have come up with:
1. Terminate both the VPN tunnels on the branch Internet router (the one with the 2 ISP links). This poses security risks though: if the router is compromised, this leaves my HQ LAN exposed.
2. Terminate the VPN tunnels on another router that is then connected to the DMZ of the firewall. This router will require 2 LAN interfaces for terminating each tunnel through each ISP and one LAN interface to the DMZ. ACLs can be set up to allow just my HQ as the source IPs as a security measure.
3. Install another fully configured PIX (for the 2nd ISP). Build the tunnel from HQ to each PIX but only turn the 2nd PIX (at the branch) ON when the primary ISP link fails. The primary PIX must also be turned off at this time as they will need to share the same inside IP address. I know, this is a manual process but it beats any intervention from HQ!
Are there any other cost effective but secure solutions to this?