02-09-2006 06:41 PM
Hi
Our objective is to have connectivity from two different ISPs, for redundancy of inward VPN when remote clients dial in. It need not be automatic fallback. We will create two connection entries in the user's client. Some users will be asked to connect via ISP one and the remaining through ISP 2. If either of the links fails, they will connect through the other ISP.
As usual, PIX does not support multiple gateways, so the PIX is allowing VPN connections only from the interface which has the default gateway. How do we get the PIX to give simultaneous VPN connections through the second ISP also?
02-10-2006 12:07 AM
Hello,
You probably will only be able to set it up for known networks to go out the secondary gw.
Example
Primary gateway 1.1.1.1
Secondary gateway 1.1.1.2
Default gateway would be 1.1.1.1
so routes would look like this
0.0.0.0 0.0.0.0 1.1.1.1
If you knew generally where the VPN users were coming from, you could point routes for those networks out the secondary gateway.
IE
5.5.5.5 255.0.0.0 1.1.1.2
6.6.6.6 255.0.0.0 1.1.1.2
HTH
Patrick
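The limitation described in this reply, as an added example that is not part of the original post: static routes are chosen by destination only, so the gateway used for a reply depends on the client's address, not on which ISP the client dialled. The session list and the helper names `build_table`, `next_hop` and `check_sessions` are constructed for illustration; the route entries are the ones written above.

```python
import ipaddress

# Static routes exactly as written in the post: (destination, mask, gateway).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "1.1.1.1"),    # default route via primary gateway
    ("5.5.5.5", "255.0.0.0", "1.1.1.2"),  # known client networks via secondary
    ("6.6.6.6", "255.0.0.0", "1.1.1.2"),
]

def build_table(routes):
    """Normalise each entry to a network (host bits masked off) and gateway."""
    table = []
    for dest, mask, gw in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, gw))
    # Longest prefix first so the first match is the most specific route.
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def next_hop(table, client_ip):
    """Return the gateway the firewall's reply to client_ip would use."""
    addr = ipaddress.ip_address(client_ip)
    for net, gw in table:
        if addr in net:
            return gw
    return None

def check_sessions(table, sessions):
    """sessions: (client_ip, gateway the client's packets arrived through).
    Returns the sessions whose replies would leave via a different gateway."""
    return [(ip, arrived, next_hop(table, ip))
            for ip, arrived in sessions
            if next_hop(table, ip) != arrived]

# Constructed sample sessions (addresses are illustrative only).
SAMPLE_SESSIONS = [
    ("5.20.30.40", "1.1.1.2"),   # known network, dialled the ISP 2 entry
    ("6.1.2.3", "1.1.1.1"),      # known network, dialled the ISP 1 entry
    ("9.9.9.9", "1.1.1.2"),      # unknown network, dialled the ISP 2 entry
    ("9.9.9.9", "1.1.1.1"),      # unknown network, dialled the ISP 1 entry
]

if __name__ == "__main__":
    table = build_table(ROUTES)
    for ip, arrived, reply in check_sessions(table, SAMPLE_SESSIONS):
        print(f"{ip}: arrived via {arrived}, reply leaves via {reply}")
```

The two sessions it reports are the ones where the connection entry a user picked does not match the route for that user's network, which is why this approach only works when the client networks are known in advance.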
02-10-2006 12:31 AM
Hello,
You could use a WAN router in front of the PIX to connect to the ISPs. This router would be the default gateway for the PIX. In this scenario you might have a problem with IP addressing. Do you have provider-dependent IP addresses or your own IP addresses?
What is your current setup looking like?
I wonder which interfaces connect you to the ISPs, i.e. do you have Ethernet connections in place to both ISPs and connect them to the PIX?
Can you describe your setup to allow us to understand your options?
Hope this helps! Please rate all posts.
Regards, Martin
02-10-2006 03:03 AM
Hi
We don't have our own IPs. BGP is not an option now.
The router in front of the PIX will have 1 serial port connected to the 1st ISP, and one Ethernet port will be connected to the 2nd ISP, which provides an Ethernet-based link.
The 2nd Ethernet port in the router will be connected to the PIX outside interface.
This is my current planned scenario.
The final connectivity layout may change based on the solution.
Regards
Durga Prasad
02-10-2006 03:14 AM
I have never tried this, but just an idea: split the router into two using VRF-lite. Terminate one IPSec onto one interface under the VRF. All locations terminating on that VPN will be routed out through that VRF only. Well, if you want to try, I can probably help you with the config.
02-10-2006 03:18 AM
I think VRF-aware IPSec may help you.
02-10-2006 03:19 AM
And also this link may help you
I think adding the VRF in the ISAKMP profile may do the trick.
More on ISAKMP Profile
http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml