Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359
  • Last Modified:

ACL failover configuration

We have a CIsco 1751-V version 12.4 (23)  with AdvSecurity-K9 IOS image. This router have a VPN tunnel to the main office. However, one of of the three subnets on LAN side of this router ( Cisco 1751) is being natted at the main office router. Meaning that all traffic ( IPSec+Internet rquests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the the Cisco 1751 will start Natting that subnet unitl the tunnel is backup. I don't know if that is possible...but any suggestion/input is appriciated.
Here are the 3 subnet on same LAN interface:
10.0.0.0/26
10.0.0.65/26
10.0.0.129/25
Here are my two access-lists on this router:
NAT ACL:
access-list 100 deny   ip 10.0.0.0 0.0.0.63 any
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

VPN ACL:

access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any

I know that I can manually remove this line "access-list 100 deny   ip 10.0.0.0 0.0.0.63 any" from the NAT ACl, and all that subnet traffic is NAT at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking object  with static routes.
0
SamBizimungu
Asked:
SamBizimungu
1 Solution
 
JFrederick29Commented:
The only thing I can think of to make this automatic would be to use a GRE/IPSEC tunnel between the 1751 and the headend router (assuming IOS router).  With this setup, you would have routes to the main office subnets via the "tunnel interface" and a default route out the physical interface.  You would then policy route all traffic from the 10.0.0.0 0.0.0.63 subnet via the tunnel interface but add tracking to the policy route-map for the other end of the tunnel.  If the tunnel is down, the 10.0.0.0 0.0.0.63 subnet will be routed out the physical Internet interface instead and the regular NAT rules would apply.

Keep in mind though, the most likely cause of the VPN tunnel being down is the loss of your local Internet connection so having this "failover" won't help anyway.  Granted, if you lose the headend router or headend Internet connection it would apply.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now