ACL failover configuration
Posted on 2009-04-01
We have a CIsco 1751-V version 12.4 (23) with AdvSecurity-K9 IOS image. This router have a VPN tunnel to the main office. However, one of of the three subnets on LAN side of this router ( Cisco 1751) is being natted at the main office router. Meaning that all traffic ( IPSec+Internet rquests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the the Cisco 1751 will start Natting that subnet unitl the tunnel is backup. I don't know if that is possible...but any suggestion/input is appriciated.
Here are the 3 subnet on same LAN interface:
Here are my two access-lists on this router:
access-list 100 deny ip 10.0.0.0 0.0.0.63 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any
I know that I can manually remove this line "access-list 100 deny ip 10.0.0.0 0.0.0.63 any" from the NAT ACl, and all that subnet traffic is NAT at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking object with static routes.