We have about a dozen offices around the globe, all on Cisco equipment, with each location having one or more 2600/3600 routers and 515/520 PIX firewalls.
All sites are linked using leased lines, normally of slow speeds (64-512 kbps). Before the VPN, this was our only WAN network.
Recently we have set up a VPN using a fully meshed topology between the PIX firewalls. The typical setup is one 3640 router on our internal network, on which the private WAN links are terminated and which is the default gateway for the hosts; then the PIX; and a 2600 router outside the firewall as the Internet edge router. We find that the VPN is a much better option than the leased lines, and would like to keep it as the primary method for interconnecting our offices.
However, we will still keep the private WAN network. We would like to have the private WAN as the backup for the VPN in case there is a problem with the Internet link at any location. This is the hard part, and we have no idea how to do this.
At the moment we are using only static routes. I figure that we may have to run some routing protocol such as OSPF, but what to run and where is what I am confused about.
If somebody has any ideas about this, please post. Thanks.
Floating static routes for the WAN network are fine, but the problem is that the VPN tunnels terminate on the PIX, and the PIX doesn't route or run any routing protocols.
Suppose, for instance, the serial link on my Internet gateway router outside the firewall goes down. How will the routers inside the firewall know that it is down? As far as they are concerned, the inside interface of the firewall will be reachable, and so the link will be up. The same would apply if there is a problem with the ISP backbone or peering and the destination PIX is unreachable: though the connectivity is down, the internal routers won't know about it.
I think floating static routes would work right now only under the reverse situation, that is, if we wanted to use the VPN as a backup for our private network.
Any ideas on how to run a routing protocol across the PIX/VPN?
I'm not sure if you can tunnel a routing protocol through a PIX, I'm aware that it doesn't support any routing protocols.
A customer of ours had a PIX firewall between our router and their router, with whom we had to communicate. This was a private network, no VPN involved. We ran eBGP multihop between our router and their router through the PIX, since BGP is the only routing protocol that doesn't need directly connected neighbors.
I'm not sure if this will work for you or not.
We are doing something similar. If you have your routers behind the PIX, you may establish a GRE (Generic Routing Encapsulation) tunnel between the two routers THROUGH the IPSec tunnel. GRE tunnels will forward broadcasts and multicasts, and encapsulate different types of traffic such as AppleTalk, NetBIOS, or IPX. This tunnel is configured as a tunnel interface on the routers and is up when the tunnel is established and goes down when the tunnel loses connection. When configuring, you bind the internal side of the tunnel interface to a physical interface on your router and specify a destination tunnel endpoint address (the internal address of the router at the other end of the tunnel). This allows any routing protocol to detect the outage of the interface which is the current route, and switch routes to your leased lines.
Hope this helps.
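To make the GRE-over-IPSec approach above concrete, here is an added example configuration for the inside 3640 at one site (the far-end router mirrors it). It is not taken from any post in this thread; all addresses, interface names and timers are assumed for illustration: 10.1.0.0/16 is the local LAN, 10.2.0.0/16 the remote LAN, 10.1.255.1 and 10.2.255.1 are the two routers' Ethernet addresses (the GRE endpoints), 10.1.255.254 is the local PIX inside interface, 192.168.12.0/30 is the GRE tunnel subnet and 172.16.12.0/30 the leased-line subnet. OSPF is chosen because the original poster mentioned it; the leased line is covered by a floating static route with administrative distance 250, which loses to OSPF (110) while the tunnel is up and takes over when the OSPF route through the tunnel is withdrawn.

```cisco
! ---- Inside 3640 at site A (added example; addresses are assumed) ----
!
interface FastEthernet0/0
 description Site A LAN; the PIX inside interface (10.1.255.254) is on this segment
 ip address 10.1.255.1 255.255.255.0
!
interface Tunnel0
 description GRE to site B, carried inside the PIX-to-PIX IPSec tunnel
 ip address 192.168.12.1 255.255.255.252
 ! Leave room for the GRE and IPSec headers so IPSec does not have to fragment (assumed value)
 ip mtu 1400
 ! Tunnel endpoints are the inside Ethernet addresses of the two routers
 tunnel source FastEthernet0/0
 tunnel destination 10.2.255.1
 ! GRE keepalives: bring Tunnel0 line-protocol down after 3 unanswered keepalives (30 s).
 ! Without this a GRE interface stays up/up as long as a route to the destination exists;
 ! OSPF's dead timer (40 s by default) would still withdraw the route, only a little later.
 keepalive 10 3
!
interface Serial0/0
 description 128 kbps leased line to site B (backup path)
 ip address 172.16.12.1 255.255.255.252
!
! The remote tunnel endpoint must always be reached via the PIX, never via Tunnel0
! itself, otherwise the tunnel flaps from recursive routing. A /32 static route
! wins over any longer-match OSPF route learned through the tunnel.
ip route 10.2.255.1 255.255.255.255 10.1.255.254
!
! OSPF runs only across Tunnel0; the LAN is advertised but sends no hellos toward the PIX
router ospf 1
 network 192.168.12.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
 passive-interface FastEthernet0/0
!
! Floating static via the leased line: AD 250 > OSPF 110, so it is installed
! only when the OSPF route for 10.2.0.0/16 disappears from the routing table.
ip route 10.2.0.0 255.255.0.0 172.16.12.2 250
!
! ---- Site A PIX (assumed to already exist for the mesh VPN) ----
! The crypto ACL must match the GRE packets (IP protocol 47 between 10.1.255.1 and
! 10.2.255.1); a LAN-to-LAN "permit ip" entry like this one already does, and the
! nat 0 entry keeps the router addresses from being translated.
access-list vpn-to-siteB permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list vpn-to-siteB
! Decrypted traffic arriving from the IPSec peer bypasses the conduits/ACLs on the inside
sysopt connection permit-ipsec
```

Failover then works end to end: if the Internet link at either site dies, or the remote PIX becomes unreachable somewhere in the ISP path, no GRE packets come back, the keepalives (and OSPF hellos) stop, Tunnel0 goes down, the OSPF route for 10.2.0.0/16 is flushed and the floating static over Serial0/0 is installed. When the VPN returns, the OSPF adjacency re-forms over Tunnel0 and its route displaces the static one again. Check the state with `show ip route 10.2.0.0`, `show ip ospf neighbor` and `show interface Tunnel0` at both ends; if you see the tunnel bouncing, the usual cause is the missing /32 route for the tunnel destination.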