How to configure these two so VPN from Cisco would still work?

Posted on 2007-10-04
Last Modified: 2011-10-03
We want to place a Dual WAN Router in front of a currently used PIX 506 that has VPN connections to other offices.
The Xincom XC DPG502 would be connected to two different providers (redundancy).

The Cisco now has a static IP address that the VPNs are connected to.

I read an article on this but it doesn't detail how to configure the two systems.

Does anyone have such a setup working (and has the benefit of the failover etc)?
If so, can you explain the changes needed on the PIX and the setting of the Xincom?
(a schematic overview would be great!)
Can this be done with two static IP addresses (on the two wan ports on the Xincom) or do you need a static IP address also on the PIX (for the VPN) and then route that address through the Xincom?


Question by:TITANIAIT

    Accepted Solution

    I have been through a few setups to do what I think you are looking for.

    The PIX is not very friendly when it comes to failover between tunnels; I would make sure you are running at least the 6.3 series.

    * Ideal solution, but not practical
          - Use BGP for both internet connections and have 1 block of IP Addresses routed for both internet connections.

    * Easy way:
       - Configure the PIX as if it only has 1 Internet connection.
       - Use NAT on the internet router. NAT the outside interface of the PIX to an IP address from the second internet provider's block of addresses.
       - On the VPN side (Lan to Lan, or VPN Client side) use a primary and the backup (NAT) address. You should be able to add secondary addresses.

          The logic behind this trick is to only have 1 IP Address respond to the internet internet connection is up. The down side is the PIX would take extra time to fail over between the internet connections and would lose traffic. Not to mention if the Primary connection is flapping, it would cause chaos on the tunnels.
    Usually rare though.

    * Hard way:
          - Configure dedicated VPN Tunnels through both internet connections.

         Very tricky to do, and usually involves routers using GRE tunnels, loopback interfaces, routing protocols, as well as static routes at all of the sites. I have seen less than 5 seconds failover between the internet connections dropping, might be worth the nightmare.

    Hope it helps!
    - brich330
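
The remote-office side of the "easy way" in the answer above, as an added example that is not part of the original answer: a crypto map listing the head-office PIX's primary address and the backup (NAT) address as two peers. It assumes the remote device is also a PIX running 6.3; every address, name, ACL number and the key placeholder is constructed, and the transform set and ISAKMP policy must match whatever the head-office PIX already uses.

```cisco
: Constructed example for the remote-office PIX (6.3 syntax assumed).
: 198.51.100.10 = head-office PIX outside address on provider 1 (placeholder)
: 203.0.113.10  = provider-2 address the dual-WAN router NATs to the PIX (placeholder)
: 10.2.0.0/24   = remote LAN, 10.1.0.0/24 = head-office LAN (placeholders)
access-list 101 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set HQSET esp-3des esp-sha-hmac
crypto map HQMAP 10 ipsec-isakmp
crypto map HQMAP 10 match address 101
: Primary address listed first, backup (NAT) address second
crypto map HQMAP 10 set peer 198.51.100.10
crypto map HQMAP 10 set peer 203.0.113.10
crypto map HQMAP 10 set transform-set HQSET
crypto map HQMAP interface outside
isakmp enable outside
: One key entry per head-office address; replace the placeholder
isakmp key <PRE-SHARED-KEY> address 198.51.100.10 netmask 255.255.255.255
isakmp key <PRE-SHARED-KEY> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```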
