I have a 7206 router with an ISA VPN card in it. I want to use a static route to point traffic at a particular VPN.
The interface that all of the VPNs terminate on is fa0/0; it has the outside IP that the remote PIX501s negotiate isakmp etc. with.
I'm trying to troubleshoot an issue, but would like to clarify one thing before I move on.
If I just point the static route at the interface, will the router pick the correct VPN to put the traffic onto? How does it know? Does it go through all the IPSEC SAs and determine which one to put the traffic into?
The route pointing to the interface works only when the interface has a /30 mask; then the interface has one IP, which leaves only one IP free for the gateway, as the network supports only 2 hosts.
If you have a route to another interface that is not the fa0/0 with a lower cost, it will go there first; if it's down, it will go through the fa0/0, and if you have the properly configured crypto ACL it will encrypt it and send. The problem with this is when one side "thinks" the interface is down and the other side thinks it's up, so you will need some routing protocol on it or manual changing when the link goes down.
I have rewritten my original post to make it a bit clearer and created a graphic:
I have a situation where I need to implement a backup solution over an internet VPN. The site has a T1 coming into a 7206 on my internal LAN (Router 1). Please see the attached graphic. When this T1 fails, the remote site router sends its traffic to a PIX501 to initiate a VPN over the internet to a different 7206 on my internal network (Router 2). The 7206 that the VPN terminates on has the VPN ISA card and uses a dynamic crypto map to act as a concentration point for many other VPNs.
The internal network runs EIGRP as well as my remote router.
I believe I have this solution set up correctly, but am not 100% certain and would like some reassurance. On the remote site router, when the primary T1 fails, the EIGRP routes will fall out, and a floating static default will kick in:
ip route 0.0.0.0 0.0.0.0 10.250.38.2 250
Causing all traffic to be sent to the PIX and across the VPN tunnel (PIX is configured to encrypt any traffic it sees).
On Router 2 on my internal network, I have put in a floating static saying:
ip route 10.250.38.0 255.255.255.0 fa0/0 250
To get to this subnet, send it out fa0/0. Fa0/0 is the external interface where all the crypto SAs etc. are done. So, when the T1 into Router 1 goes down, EIGRP will flush out the routes to 10.250.38.0, and Router 2 will put in and redistribute the above route to my internal network.
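As an added illustration of the hub side of the design described above (example configuration, not the poster's own and not taken from the attached graphic): the floating static only delivers 10.250.38.0/24 packets to fa0/0; the crypto map bound to that interface then compares each packet against the proxy identities of the IPsec SAs the PIX negotiated, and a packet is encrypted into the SA whose identities match it, which is what answers the "how does it know" question. The interface address, EIGRP AS number, pre-shared key and map names are placeholders.

```text
! --- Hub (Router 2), added example; addresses, AS and names are placeholders ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard peer entry: the hub does not pin down the PIX 501 outside addresses
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0

crypto ipsec transform-set HUB-TS esp-aes esp-sha-hmac

! Dynamic crypto map: no "match address" here. The proxy identities
! (the spoke's crypto ACL) are learned when the PIX brings the tunnel up,
! so the hub can only respond to these peers, never initiate to them.
crypto dynamic-map HUB-DYN 10
 set transform-set HUB-TS

crypto map HUB-MAP 100 ipsec-isakmp dynamic HUB-DYN

! Internet-facing interface; every VPN terminates here
interface FastEthernet0/0
 description Outside - all VPNs terminate here
 ! placeholder address from the RFC 5737 documentation range
 ip address 192.0.2.1 255.255.255.0
 crypto map HUB-MAP

! Floating static (AD 250): stays out of the table while EIGRP still
! carries 10.250.38.0/24 via Router 1; installed once those routes flush.
ip route 10.250.38.0 255.255.255.0 FastEthernet0/0 250

! Advertise the backup path to the inside network once it is installed
router eigrp 100
 network 10.0.0.0
 redistribute static
 default-metric 1544 2000 255 1 1500

! Checks once the T1 is down and the PIX has negotiated:
!   show ip route 10.250.38.0   (the static should now be in the table)
!   show crypto isakmp sa       (phase 1 SA with the PIX outside address)
!   show crypto ipsec sa        (local/remote ident = proxy IDs; #pkts encaps rising)
```

One caveat worth knowing: a static route that names a broadcast interface with no next hop makes the router ARP for each destination host on fa0/0, so it depends on the upstream gateway answering proxy ARP; giving the gateway address as the next hop (ip route 10.250.38.0 255.255.255.0 <gateway-ip> 250) removes that dependency without changing which SA the crypto map selects.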