
How to configure these two so VPN from Cisco would still work?

We want to place a Dual WAN Router in front of a currently used PIX 506 that has VPN connections to other offices.
The Xincom XC DPG502 would be connected to two different providers (redundancy).

The Cisco now has a static IP address that the VPNs connect to.

I read an article on this but it doesn't detail how to configure the two systems.

Questions:
Does anyone have such a setup working (and has the benefit of the failover etc)?
If so, can you explain the changes needed on the PIX and the settings of the Xincom?
(a schematic overview would be great!)
Can this be done with two static IP addresses (on the two wan ports on the Xincom) or do you need a static IP address also on the PIX (for the VPN) and then route that address through the Xincom?

Thanks

John
Asked by: TITANIAIT

brich330 commented:
I have been through a few setups to do what I think you are looking for.

The PIX is not very friendly when it comes to failover between tunnels; I would make sure you are running at least the 6.3 series.

* Ideal solution, but not practical:
   - Use BGP for both internet connections and have 1 block of IP addresses routed for both internet connections.

* Easy way:
   - Configure the PIX as if it only has 1 internet connection.
   - Use NAT on the internet router. NAT the outside interface of the PIX to an IP address from the second internet provider's block of addresses.
   - On the VPN side (LAN-to-LAN or VPN client side), use a primary and a backup (NAT) address. You should be able to add secondary addresses.

   The logic behind this trick is to only have 1 IP address respond to the internet when the internet connection is up. The downside is the PIX would take extra time to fail over between the internet connections and would lose traffic. Not to mention, if the primary connection is flapping, it would cause chaos on the tunnels. Usually rare though.

* Hard way:
   - Configure dedicated VPN tunnels through both internet connections.

   Very tricky to do, and usually involves routers using GRE tunnels, loopback interfaces, routing protocols, as well as static routes at all of the sites. I have seen less than 5 seconds failover between the internet connections dropping; might be worth the nightmare.

Hope it helps!
- brich330
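
A sketch of the remote-office side of the "easy way" above, in PIX 6.3 syntax. This is an added example, not configuration from the original post: every address, subnet, name (VPN-HQ, HQ-SET, HQ-MAP) and the key placeholder is an assumption, and the NAT rule on the Xincom itself is not shown.

```cisco
! Remote-office PIX, version 6.3. All values below are constructed placeholders.
!   192.0.2.10    = head-office PIX outside address on provider 1 (primary peer)
!   198.51.100.10 = provider 2 address that the dual-WAN router NATs to the
!                   head-office PIX outside interface (backup peer)
!   10.1.0.0/24   = head-office LAN,  10.2.0.0/24 = this remote-office LAN

! Traffic to protect, and exempt it from NAT on this PIX
access-list VPN-HQ permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list VPN-HQ
sysopt connection permit-ipsec

! IKE phase 1. NAT traversal is enabled on the assumption that the backup
! path crosses the router's NAT; it must then be enabled on both PIXes.
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! One pre-shared key entry per address the head office can appear from
isakmp key <pre-shared-key> address 192.0.2.10 netmask 255.255.255.255
isakmp key <pre-shared-key> address 198.51.100.10 netmask 255.255.255.255

! Dead-peer detection so a failed primary is noticed (10 s interval, 3 s retry)
isakmp keepalive 10 3

! IPsec phase 2. Repeating "set peer" gives a primary and a backup peer:
! the PIX tries them in the order entered.
crypto ipsec transform-set HQ-SET esp-3des esp-sha-hmac
crypto map HQ-MAP 10 ipsec-isakmp
crypto map HQ-MAP 10 match address VPN-HQ
crypto map HQ-MAP 10 set peer 192.0.2.10
crypto map HQ-MAP 10 set peer 198.51.100.10
crypto map HQ-MAP 10 set transform-set HQ-SET
crypto map HQ-MAP interface outside
```

After a failover test, `show crypto isakmp sa` on the remote PIX shows which of the two peer addresses the tunnel is currently built to.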