Showing results for 
Search instead for 
Did you mean: 

Static Routing over VPN

I have a 7206 router with an ISA VPN card in it. I want to use a static route to point traffic at a particular VPN.

The interface that all of the VPNs terminate on is fa0/0, it has the outside IP that the remote PIX501s negotiate isakmp etc with.

I'm trying to troubleshoot an issue, but would like to clarify one thing before I move on.

If I just point the static route at the interface, will the router pick the correct VPN to put the traffic onto? How does it know? Does it go through all the IPSEC SAs and determine which one to put the traffic into?


Internal network > 7206 (VPN>>) > internet > (<<VPN)pix501 >


I want to put in a static saying that if the primary routes to this subnet disappear, use this static (VPN is being used as a backup in this case).

Would the following route work? This route will be redistributed to the rest of my internal network.

ip route fa0/0 200


The route pointing to the interface works only when the interface has a /30 mask then the interface has one ip then it leaves only one IP free for the gateway as the network support only 2 hosts.

If you have a router to other interface that is not the fa 0/0 with a lower cost it will go there first if it's down it will go through the fa0/0 and if you have the properly configured crypto acl it will criptograph it and send. the problem with this is when one side "think" the interface is down, and the other side thinks it's up so you will need some routing protocol on it of manual changing when the link goes down


I have rewritten my original post, to make it a bit more clear and created a graphic. :

Hi all,

I have a situation where I need to implement a backup solution over an internet VPN. The site has a T1 coming into a 7206 on my internal LAN (Router 1). Please see the atttached graphic. When this T1 fails, the remote site router sends it's traffic to a PIX501 to initiate a VPN over the internet to a different 7206 on my internal network (Router 2). The 7206 that that the VPN terminates on has the VPN ISA card and uses a dynamic crypto map to act as a concentration point for many other VPNs.

The internal network runs EIGRP as well as my remote router.

I believe I have this solution setup correctly, but am not 100% certain and would like some reassurance. On the remote site router, when the primary T1 fails, the EIGRP routes will fall out, and a floating static default will kick in:

ip route 250

Causing all traffic to be sent to the PIX and across the VPN tunnel (PIX is configured to encrypt any traffic it sees).

On Router 2 on my internal network, I have put in an floating static saying:

ip route fa0/0 250

To get to this subnet, send it out fa0/0. Fa0/0 is the external interface where all the crypto sas etc are done. So, when the T1 into Router 1 goes down, EIGRP will flush out the routes to, and Router 2 will put in and redistribute the above route to my internal network.

Does this look like it should work?

Did you find a solution for this scenario? I have a very similar setup, and I would like to find a decent way to backup my frame network.

Recognize Your Peers
Content for Community-Ad