Solved

ACL failover configuration

Posted on 2009-04-01 | 351 Views | Last Modified: 2012-05-06
We have a Cisco 1751-V version 12.4 (23) with AdvSecurity-K9 IOS image. This router has a VPN tunnel to the main office. However, one of the three subnets on the LAN side of this router (Cisco 1751) is being NATed at the main office router. Meaning that all traffic (IPSec + Internet requests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the Cisco 1751 will start NATing that subnet until the tunnel is back up. I don't know if that is possible... but any suggestion/input is appreciated.
Here are the 3 subnets on the same LAN interface:
10.0.0.0/26
10.0.0.65/26
10.0.0.129/25
Here are my two access-lists on this router:
NAT ACL:
access-list 100 deny   ip 10.0.0.0 0.0.0.63 any
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

VPN ACL:

access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any

I know that I can manually remove this line "access-list 100 deny   ip 10.0.0.0 0.0.0.63 any" from the NAT ACL, and all of that subnet's traffic is NATed at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking objects with static routes.

Question by: SamBizimungu

1 Comment

Accepted Solution by: JFrederick29 (LVL 43, earned 500 total points), ID: 24048819
The only thing I can think of to make this automatic would be to use a GRE/IPSEC tunnel between the 1751 and the headend router (assuming IOS router).  With this setup, you would have routes to the main office subnets via the "tunnel interface" and a default route out the physical interface.  You would then policy route all traffic from the 10.0.0.0 0.0.0.63 subnet via the tunnel interface but add tracking to the policy route-map for the other end of the tunnel.  If the tunnel is down, the 10.0.0.0 0.0.0.63 subnet will be routed out the physical Internet interface instead and the regular NAT rules would apply.

Keep in mind though, the most likely cause of the VPN tunnel being down is the loss of your local Internet connection so having this "failover" won't help anyway.  Granted, if you lose the headend router or headend Internet connection it would apply.
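The design JFrederick29 describes, written out as a complete IOS configuration. This is an added example, not the asker's running config or the expert's own text: the tunnel addressing (10.255.255.0/30), the public addresses (203.0.113.x), the interface names (FastEthernet0/0 as LAN, Ethernet0/0 as WAN), the pre-shared key placeholder and the object/route-map names are all assumptions chosen to illustrate the answer. The NAT ACL keeps the asker's own entries minus the `deny ip 10.0.0.0 0.0.0.63 any` line, because once the subnet's traffic leaves via Tunnel0 (which is not an `ip nat outside` interface) the `permit` no longer translates it; the moment the tracked next-hop fails, PBR falls through to the default route out the WAN interface and the same `permit` NATs the subnet locally.

```cisco
! --- IKE / IPsec for GRE tunnel protection (assumed parameters) ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS

! --- GRE over IPsec to the headend (assumed addressing) ---
interface Tunnel0
 description GRE/IPsec to main office
 ip address 10.255.255.1 255.255.255.252
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
! keepalives let line protocol go down when the far end stops answering,
! which also withdraws the static route pointing at Tunnel0 below

! --- WAN (assumed name); the only NAT outside interface ---
interface Ethernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside

! --- LAN with the three subnets as secondaries; PBR applied here ---
interface FastEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.192
 ip address 10.0.0.65 255.255.255.192 secondary
 ip address 10.0.0.129 255.255.255.128 secondary
 ip nat inside
 ip policy route-map SUBNET-A-VIA-TUNNEL

! --- Routing: main office via the tunnel, everything else via the ISP ---
ip route 0.0.0.0 0.0.0.0 203.0.113.9
ip route 172.16.0.0 255.255.0.0 Tunnel0

! --- Track the far tunnel endpoint through the tunnel itself ---
! (12.4T-style syntax; on 12.4 mainline the equivalents are
!  "ip sla monitor 1" / "type echo protocol ipIcmpEcho 10.255.255.2"
!  / "ip sla monitor schedule ..." and "track 1 rtr 1 reachability")
ip sla 1
 icmp-echo 10.255.255.2 source-interface Tunnel0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! --- Policy routing for the 10.0.0.0/26 subnet only ---
! The first deny keeps local inter-subnet traffic from being pushed
! into the tunnel; without it 10.0.0.0/26 -> 10.0.0.64/26 would be
! policy-routed to the headend.
ip access-list extended SUBNET-A-TO-REMOTE
 deny   ip 10.0.0.0 0.0.0.63 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.63 any

route-map SUBNET-A-VIA-TUNNEL permit 10
 match ip address SUBNET-A-TO-REMOTE
 set ip next-hop verify-availability 10.255.255.2 10 track 1
! track 1 down => the set clause is ignored and the packet is routed
! normally (default route out Ethernet0/0), where NAT applies

! --- NAT: asker's ACL 100 without the subnet-A deny line ---
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 100 interface Ethernet0/0 overload
```

To confirm the failover behaves as intended, watch `show track 1` and `show route-map SUBNET-A-VIA-TUNNEL` while the headend is reachable and again after the tunnel endpoint stops answering: the policy match count stops increasing, and `show ip nat translations` starts showing entries for 10.0.0.0/26 hosts. The `deny ... 172.16.0.0` line is kept as a belt-and-braces entry; traffic to the main office normally never reaches the NAT outside interface unencapsulated, so it is harmless either way. The expert's caveat still applies: if the local Internet link is what failed, nothing here helps, since the WAN interface is the fallback path.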