I have a 7206 router with an ISA VPN card in it. I want to use a static route to point traffic at a particular VPN.
The interface that all of the VPNs terminate on is fa0/0; it has the outside IP that the remote PIX501s negotiate ISAKMP etc. with.
I'm trying to troubleshoot an issue, but would like to clarify one thing before I move on.
If I just point the static route at the interface, will the router pick the correct VPN to put the traffic onto? How does it know? Does it go through all the IPsec SAs and determine which one to put the traffic into?
The route pointing to the interface works only when the interface has a /30 mask; then the interface has one IP, which leaves only one IP free for the gateway, as the network supports only 2 hosts.
If you have a route to another interface that is not fa0/0 with a lower cost, it will go there first; if it's down, it will go through fa0/0, and if you have the properly configured crypto ACL it will encrypt it and send. The problem with this is when one side "thinks" the interface is down and the other side thinks it's up, so you will need some routing protocol on it or manual changing when the link goes down.
I have rewritten my original post to make it a bit clearer and created a graphic:
I have a situation where I need to implement a backup solution over an internet VPN. The site has a T1 coming into a 7206 on my internal LAN (Router 1). Please see the attached graphic. When this T1 fails, the remote site router sends its traffic to a PIX501 to initiate a VPN over the internet to a different 7206 on my internal network (Router 2). The 7206 that the VPN terminates on has the VPN ISA card and uses a dynamic crypto map to act as a concentration point for many other VPNs.
The internal network runs EIGRP as well as my remote router.
I believe I have this solution setup correctly, but am not 100% certain and would like some reassurance. On the remote site router, when the primary T1 fails, the EIGRP routes will fall out, and a floating static default will kick in:
ip route 0.0.0.0 0.0.0.0 10.250.38.2 250
Causing all traffic to be sent to the PIX and across the VPN tunnel (PIX is configured to encrypt any traffic it sees).
On Router 2 on my internal network, I have put in a floating static saying:
ip route 10.250.38.0 255.255.255.0 fa0/0 250
To get to this subnet, send it out fa0/0. Fa0/0 is the external interface where all the crypto SAs etc. are done. So, when the T1 into Router 1 goes down, EIGRP will flush out the routes to 10.250.38.0, and Router 2 will put in and redistribute the above route to my internal network.
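The failover and SA-selection behaviour discussed in this thread, modelled as an added Python example that is not part of the original posts: the EIGRP route (AD 90) wins while the T1 is up, the floating static (AD 250) to fa0/0 takes over when EIGRP withdraws the prefix, and the crypto map bound to fa0/0, not the route, decides which peer's SA the packet enters. All addresses, peers and crypto ACL entries are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str      # destination network, e.g. "10.250.38.0/24"
    next_hop: str    # next-hop address or egress interface ("fa0/0")
    ad: int          # administrative distance: EIGRP internal 90, floating static 250
    source: str      # protocol that installed it ("eigrp" or "static")

@dataclass
class CryptoEntry:
    seq: int         # crypto map sequence number, evaluated lowest first
    peer: str        # IPsec peer this entry's SA is built with
    acl: list        # crypto ACL permit lines as (local_net, remote_net) strings

class Router:
    def __init__(self):
        self.rib = []           # every learned route; the best one is chosen at lookup time
        self.crypto_map = {}    # egress interface -> list of CryptoEntry

    def add_route(self, route):
        self.rib.append(route)

    def withdraw(self, source):
        # EIGRP flushes its prefixes when the neighbour over the T1 is lost
        self.rib = [r for r in self.rib if r.source != source]

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.rib if ip in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        # longest prefix first; among equal prefixes the lowest AD is installed
        return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))

    def select_sa(self, iface, src, dst):
        # The route only picks the egress interface; the crypto map on that interface
        # picks the SA: the first entry whose crypto ACL permits src->dst wins.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for entry in sorted(self.crypto_map.get(iface, []), key=lambda e: e.seq):
            for local, remote in entry.acl:
                if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
                    return entry.peer
        return None     # no crypto ACL match: the packet leaves fa0/0 in the clear

def build_router2():
    """Constructed model of Router 2 from the thread (addresses are placeholders)."""
    r = Router()
    r.add_route(Route("10.250.38.0/24", "10.0.0.1", 90, "eigrp"))   # via Router 1 over the T1
    r.add_route(Route("10.250.38.0/24", "fa0/0", 250, "static"))    # ip route ... fa0/0 250
    r.crypto_map["fa0/0"] = [
        CryptoEntry(10, "198.51.100.2", [("10.0.0.0/8", "10.250.38.0/24")]),  # remote-site PIX501
        CryptoEntry(20, "198.51.100.3", [("10.0.0.0/8", "10.250.39.0/24")])]  # another branch VPN
    return r
```

Running `build_router2()`, withdrawing the EIGRP route and then calling `lookup` and `select_sa` shows the static route becoming active and the crypto ACL, not the route, choosing the peer.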