Solved

ACL failover configuration

Posted on 2009-04-01
1
350 Views
Last Modified: 2012-05-06
We have a CIsco 1751-V version 12.4 (23)  with AdvSecurity-K9 IOS image. This router have a VPN tunnel to the main office. However, one of of the three subnets on LAN side of this router ( Cisco 1751) is being natted at the main office router. Meaning that all traffic ( IPSec+Internet rquests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the the Cisco 1751 will start Natting that subnet unitl the tunnel is backup. I don't know if that is possible...but any suggestion/input is appriciated.
Here are the 3 subnet on same LAN interface:
10.0.0.0/26
10.0.0.65/26
10.0.0.129/25
Here are my two access-lists on this router:
NAT ACL:
access-list 100 deny   ip 10.0.0.0 0.0.0.63 any
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

VPN ACL:

access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any

I know that I can manually remove this line "access-list 100 deny   ip 10.0.0.0 0.0.0.63 any" from the NAT ACl, and all that subnet traffic is NAT at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking object  with static routes.
0
Comment
Question by:SamBizimungu
1 Comment
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24048819
The only thing I can think of to make this automatic would be to use a GRE/IPSEC tunnel between the 1751 and the headend router (assuming IOS router).  With this setup, you would have routes to the main office subnets via the "tunnel interface" and a default route out the physical interface.  You would then policy route all traffic from the 10.0.0.0 0.0.0.63 subnet via the tunnel interface but add tracking to the policy route-map for the other end of the tunnel.  If the tunnel is down, the 10.0.0.0 0.0.0.63 subnet will be routed out the physical Internet interface instead and the regular NAT rules would apply.

Keep in mind though, the most likely cause of the VPN tunnel being down is the loss of your local Internet connection so having this "failover" won't help anyway.  Granted, if you lose the headend router or headend Internet connection it would apply.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

774 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question