PIX alternate route via VPN?

Posted on 2007-04-09
Medium Priority
Last Modified: 2010-04-09
I have a PIX 515e in front of a network. On the Inside interface is another router that leads to a downstream internal network connected via a point to point T1 line. The downstream network uses the T1 line and PIX to the to the Internet.

For redundancy, we have a second internet connection and a second firewall installed locally on the downstream network.

Because we have remote users VPN’ing into the PIX to get to the downstream network, if the T1 line goes down they no longer have access to company resources.

What I’d like to do is build a VPN from the PIX to the second firewall on the LAN and use that as an alternate route back to the LAN should the T1 go down (which is has several times lately).

First, is that possible, and if so can someone guide me on how to setup the PIX to choose a path on a tunnel vs one located down its inside interface?

Hope this makes sense.
Question by:willp2
  • 2
LVL 79

Expert Comment

ID: 18881607
It might be a better solution for your VPN users to simply configure the other site PIX for VPN and set up the client with alternate IP. If one PIX is not accessible, they will automatically connect to the other one and still have access to everything on both networks through the P2P T1.
For users in Site A to use the Internet connection at Site B in case of Internet failure at A, then you have some other issues. I would suggest using the P2P router as the local gateway, setup SLA monitor on that router and let it change the routes from local PIX to remote router in event the local Internet goes down.
If you want more details on that, let me know.

Author Comment

ID: 18882503
Configuring the users with a second VPN gateway makes a lot of sense. I didn't think of that because the other firewall is not a PIX. I suppose its possible to get them to connect to that firewall anyway, as long as its setup correctly.

And yes, I'd love to hear more about the SLA monitor. That is definetly the other side of this issue that needs to be addressed.

LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 18882711
Using this example, you can get some ideas of what it does.
Basically, setup a ping to a known host on the internet, make sure the path taken goes through your PIX. If the ping stops, then change the default route to the other router over the P2P link. Works pretty well, actually. You can also use Lan2Lan VPN between the two Internet firewalls as a backup for your P2P T1 the same way.


Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question