VPN through different ISPs (paths)

Hi

Our objective is to have connectivity from two different ISPs for redundancy for inward VPN when remote clients dial in. It need not be automatic fallback. We will create two connection entries in the user's client. Some users will be asked to connect via ISP one and the remaining through ISP 2. If either of the links fails, they will connect through the other ISP.

As usual, PIX does not support multiple gateways, so the PIX is allowing the VPN to connect only from the interface which has the default gateway. How do we get the PIX to give simultaneous VPN connections through the second ISP also?


Patrick Laidlaw
Level 4

Hello,

You probably will only be able to set it up for known networks to go out the secondary gw.

Example

Primary gateway 1.1.1.1

Secondary gateway 1.1.1.2

Default gateway would be 1.1.1.1

so routes would look like this

0.0.0.0 0.0.0.0 1.1.1.1

If you knew generally where the VPN users were coming from, you could point routes for those networks out the secondary gateway.

IE

5.5.5.5 255.0.0.0 1.1.1.2

6.6.6.6 255.0.0.0 1.1.1.2

HTH

Patrick
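The route selection described in the reply above, as an added example that is not part of the original post: it loads the three routes exactly as posted, normalises them to prefixes, and uses longest-prefix match to show which gateway return traffic to a VPN client would leave through. The client addresses are constructed for illustration.

```python
import ipaddress

# Routes exactly as posted in the reply above: (destination, mask, gateway).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "1.1.1.1"),    # default route, primary gateway
    ("5.5.5.5", "255.0.0.0", "1.1.1.2"),  # known client range, secondary gateway
    ("6.6.6.6", "255.0.0.0", "1.1.1.2"),
]


def build_table(routes):
    """Normalise each entry to a network prefix (host bits are masked off)."""
    table = []
    for dest, mask, gateway in routes:
        # strict=False turns 5.5.5.5/255.0.0.0 into 5.0.0.0/8 instead of raising.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, gateway))
    return table


def next_hop(table, client_ip):
    """Return (gateway, matched prefix) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        raise LookupError(f"no route to {client_ip}")
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw, str(net)


def reply_path_report(table, clients):
    """Map each client address to the gateway its return traffic would use."""
    return {ip: next_hop(table, ip)[0] for ip in clients}


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed client addresses, for illustration only.
    for ip in ("5.20.30.40", "6.1.2.3", "9.9.9.9"):
        gw, prefix = next_hop(table, ip)
        print(f"{ip:<12} matched {prefix:<12} replies leave via {gw}")
```

Any client outside the listed networks matches only the default route, so its replies leave via 1.1.1.1 regardless of which ISP its VPN request arrived on.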

mheusinger
Level 10

Hello,

You could use a WAN router in front of the PIX to connect to the ISPs. This router would be the default gateway for the PIX. In this scenario you might have a problem with IP addressing. Do you have provider-dependent IP addresses or your own IP addresses?

What is your current setup looking like?

I wonder which interfaces do connect you to the ISPs, i.e. do you have ethernet connections in place to both ISPs and connect them to the PIX?

Can you describe your setup to allow us to understand your options?

Hope this helps! Please rate all posts.

Regards, Martin

Hi

We don't have our own IPs. BGP is not an option now.

The router in front of the PIX will have one serial port connected to the 1st ISP, and one Ethernet port will be connected to the 2nd ISP, providing an Ethernet-based link.

The 2nd Ethernet port in the router will be connected to the PIX outside interface.

This is my current planned scenario.

The final connectivity layout may change based on the solution.

Regards

Durga Prasad

I have never tried this, but just an idea. Split the router into two using VRF lite. Terminate one IPSec onto one interface under the VRF. All locations terminating on that VPN will be routed out through that VRF only. Well, if you want to try, I can probably help you with the config.

I think VRF-aware IPSec may help you

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm#wp1037829

And also this link may help you

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

I think adding the VRF in the ISAKMP profile may do the trick

More on ISAKMP Profile

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml