Solved

ACL failover configuration

Posted on 2009-04-01
1
348 Views
Last Modified: 2012-05-06
We have a CIsco 1751-V version 12.4 (23)  with AdvSecurity-K9 IOS image. This router have a VPN tunnel to the main office. However, one of of the three subnets on LAN side of this router ( Cisco 1751) is being natted at the main office router. Meaning that all traffic ( IPSec+Internet rquests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the the Cisco 1751 will start Natting that subnet unitl the tunnel is backup. I don't know if that is possible...but any suggestion/input is appriciated.
Here are the 3 subnet on same LAN interface:
10.0.0.0/26
10.0.0.65/26
10.0.0.129/25
Here are my two access-lists on this router:
NAT ACL:
access-list 100 deny   ip 10.0.0.0 0.0.0.63 any
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

VPN ACL:

access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any

I know that I can manually remove this line "access-list 100 deny   ip 10.0.0.0 0.0.0.63 any" from the NAT ACl, and all that subnet traffic is NAT at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking object  with static routes.
0
Comment
Question by:SamBizimungu
1 Comment
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24048819
The only thing I can think of to make this automatic would be to use a GRE/IPSEC tunnel between the 1751 and the headend router (assuming IOS router).  With this setup, you would have routes to the main office subnets via the "tunnel interface" and a default route out the physical interface.  You would then policy route all traffic from the 10.0.0.0 0.0.0.63 subnet via the tunnel interface but add tracking to the policy route-map for the other end of the tunnel.  If the tunnel is down, the 10.0.0.0 0.0.0.63 subnet will be routed out the physical Internet interface instead and the regular NAT rules would apply.

Keep in mind though, the most likely cause of the VPN tunnel being down is the loss of your local Internet connection so having this "failover" won't help anyway.  Granted, if you lose the headend router or headend Internet connection it would apply.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you …
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now