Solved

ACL failover configuration

Posted on 2009-04-01
1
349 Views
Last Modified: 2012-05-06
We have a CIsco 1751-V version 12.4 (23)  with AdvSecurity-K9 IOS image. This router have a VPN tunnel to the main office. However, one of of the three subnets on LAN side of this router ( Cisco 1751) is being natted at the main office router. Meaning that all traffic ( IPSec+Internet rquests) from that one subnet is being sent over the tunnel. Therefore, we are trying to establish a failover configuration for the above setup so that if the VPN tunnel drops, the the Cisco 1751 will start Natting that subnet unitl the tunnel is backup. I don't know if that is possible...but any suggestion/input is appriciated.
Here are the 3 subnet on same LAN interface:
10.0.0.0/26
10.0.0.65/26
10.0.0.129/25
Here are my two access-lists on this router:
NAT ACL:
access-list 100 deny   ip 10.0.0.0 0.0.0.63 any
access-list 100 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

VPN ACL:

access-list 110 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.63 any

I know that I can manually remove this line "access-list 100 deny   ip 10.0.0.0 0.0.0.63 any" from the NAT ACl, and all that subnet traffic is NAT at the local router, but I'm looking into something that will trigger that action automatically, just like we do with tracking object  with static routes.
0
Comment
Question by:SamBizimungu
1 Comment
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24048819
The only thing I can think of to make this automatic would be to use a GRE/IPSEC tunnel between the 1751 and the headend router (assuming IOS router).  With this setup, you would have routes to the main office subnets via the "tunnel interface" and a default route out the physical interface.  You would then policy route all traffic from the 10.0.0.0 0.0.0.63 subnet via the tunnel interface but add tracking to the policy route-map for the other end of the tunnel.  If the tunnel is down, the 10.0.0.0 0.0.0.63 subnet will be routed out the physical Internet interface instead and the regular NAT rules would apply.

Keep in mind though, the most likely cause of the VPN tunnel being down is the loss of your local Internet connection so having this "failover" won't help anyway.  Granted, if you lose the headend router or headend Internet connection it would apply.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to use a IP block on cisco 877 3 42
WAN IP Conflict on Sonicwall 5 90
EIGRP Full Mesh 2 65
What is CPU in "RP/0/RSP0/CPU0:router#"? 6 31
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now