06-02-2004 11:52 PM
Hi,
We have two interfaces configured for two different ISPs and one internal interface on a PIX 515E. The requirement is to have one VPN failing over between both ISPs. The other end devices are Cisco IOS.
ISP#1's primary function is to carry only VPN traffic.
ISP#2's primary function is to carry only browsing traffic.
I have configured two different crypto maps for the different ISPs. The peer addresses for Crypto Map 1 and Crypto Map 2 are different.
When ISP#1 fails, we change the crypto map XXXX interface to ISP#2 and
ISAKMP ENABLE ISP#2
However, the tunnel does not come up on the second interface; it gets stuck at MM_NO_STATE.
The access-list numbers are also different; however, they refer to the same no-NAT access-list, since the destination host addresses are the same for the crypto maps.
Is there a way to load balance VPNs and create resilience on the VPN?
06-03-2004 05:16 AM
I am under the impression that with the PIX, you cannot suddenly route existing session traffic onto a different interface, due to how the ASA process works. If however that is not true, then check to ensure that the remote end is configured to know about both PIX interfaces and that either one is the tunnel endpoint to the target network; otherwise it won't connect if one ISP connection is down on your side.
However, if the ASA works like I think, then I believe that the best way to code VPN resilience with the PIX in your case is as follows:
1. Use only one PIX outside interface, say E0, and place both of the ISP connections off that interface.
2. Configure OSPF or RIP v2 between both ISP routers and the PIX to allow for dynamic rerouting of traffic in case one ISP connection fails.
3. Adjust the OSPF link metrics and route advertisements so that both ISP routers advertise not only a default route, but routes to the remote VPN sites. On one router, ISP #1, set the metric to a higher cost for the VPN sites, and set the metric to a lower cost for the default route, as compared to ISP #2.
4. The PIX can be configured to propagate the internal networks (that are already translated) to the routers, or it can just accept the advertisements and not send any out, and instead just code static routes on both ISP routers pointing to the PIX outside interface as the gateway into your network.
5. At the remote sites, just configure the VPN peer to be the PIX firewall's only outside interface. If they only have one provider connection, that is separate from the head-end connections, then they probably can work as is. If there are two connections at each remote site, then they will need to be configured similar to the head end.
I hope this helps.
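A sanitized configuration sketch of the single-outside-interface design in the answer above, added here as an illustration and not taken from the thread: the PIX 6.3 side binds one crypto map and ISAKMP to its single outside interface and learns routes by OSPF, while the two ISP routers advertise the default route and the route to the remote IOS peer with opposite costs. The addresses (RFC 5737 documentation ranges), object names, the pre-shared key placeholder, the remote LAN 10.2.2.0/24, and the assignment of ISP#1 to VPN and ISP#2 to browsing (the original poster's stated roles) are all assumptions.

```cisco
! === PIX 515E (6.3), constructed example: one outside interface shared by both ISP routers ===
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
! Traffic to the remote site 10.2.2.0/24 is exempt from NAT and selected by the crypto ACL
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn-site permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
! One crypto map, bound once; ISAKMP listens only on this interface, so no map re-binding on failover
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-site
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
sysopt connection permit-ipsec
! OSPF on the outside segment: the peer route and the default follow whichever ISP router is alive
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0

! === ISP#1 router (IOS), VPN preferred: cheap route to the peer, expensive default (constructed) ===
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 203.0.113.10 255.255.255.255 192.0.2.1
ip route 10.1.1.0 255.255.255.0 198.51.100.2
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 redistribute static subnets metric 10
 default-information originate metric 100

! === ISP#2 router (IOS), browsing preferred: expensive route to the peer, cheap default (constructed) ===
ip route 0.0.0.0 0.0.0.0 192.0.2.129
ip route 203.0.113.10 255.255.255.255 192.0.2.129
ip route 10.1.1.0 255.255.255.0 198.51.100.2
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 redistribute static subnets metric 100
 default-information originate metric 10
```

The remote IOS site peers only with 198.51.100.2, so when one ISP router disappears from OSPF the PIX's routing table changes but the IKE/IPsec peer address does not, which is what avoids the MM_NO_STATE situation the question describes; `show crypto isakmp sa` and `show route` on the PIX are the places to confirm both after a failover.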