Backup Interface using Tunnel

Posted by displays on August 5, 2007, 1:37 pm
This is the current configuration:

LAN1 -> Cisco 1750 -> Private T1 -> Cisco 2600 -> LAN2 -> PIX ->
Internet

The Cisco 1750 also has a DSL connected to a WIC-1ENET Card. This is
supposed to be a backup if the private line goes down. I have a
configuration already in place and I know that something is wrong, but
just not sure what it is. I think that I need a dialer of some kind,
but not sure how to implement it. Currently EIGRP is being passed
through the Private T1 between the 1750 and 2600 (RIP is there also,
but is probably not necessary). I have configured the PIX to accept
IPSEC VPN connections. I know that in order to pass EIGRP over the
DSL, I would need to configure a Tunnel interface. I have configured a
Tunnel interface on the 1750 and the 2600. My idea of how the
configuration should look is this:

LAN1 -> Cisco 1750 -> DSL -> IPSEC over the Internet -> PIX -> LAN2
           |                                             |___
           |                                          Cisco 2600
           |                                               ^
           |                                               |
           ------------------- Tunnel with EIGRP -----------

The Tunnel would come up when the Private Line goes down and go over
the IPSEC connection from the 1750 to the PIX. The tunnel would go
through the PIX to the 2600, if this makes sense. Here is what the
1750 looks like:

Cisco 1750:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xyxyxyx address x.x.113.5
!
!
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
!
crypto map pix 10 ipsec-isakmp
! Incomplete
set peer x.x.113.5
set transform-set pix-set
match address 110
!
!
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1436
tunnel source Ethernet0
tunnel destination 10.2.1.1
tunnel key 12508
!
interface Ethernet0
description DSL Connection
bandwidth 768
ip address x.x.191.199 255.255.255.0
ip access-group 100 in
ip nat outside
half-duplex
no cdp enable
crypto map pix
!
interface FastEthernet0
description Local LAN1 Segment
ip address 10.3.1.1 255.255.255.0
speed auto
!
interface Serial0
description 384K Frame-Relay to LAN2
bandwidth 1544
ip address 10.1.2.2 255.255.255.0
!
router eigrp 1
redistribute rip
network 10.0.0.0
no auto-summary
!
router rip
redistribute eigrp 1
network 10.0.0.0
!
ip nat pool beacon1 x.x.191.199 x.x.191.199 netmask 255.255.255.0
ip nat inside source list 20 pool beacon1
ip nat inside source route-map nonat pool branch overload
no ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip route 0.0.0.0 0.0.0.0 x.x.191.1 180
ip route 10.2.1.0 255.255.255.0 Tunnel0 180
no ip http server
no ip http secure-server
!
!
access-list 102 permit ip any any
access-list 102 deny eigrp any any
access-list 102 deny udp any any eq rip
access-list 130 deny ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 130 permit ip 10.3.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
end

===========
PIX Firewall

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer x.x.191.199
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp key xyxyxyx address x.x.113.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mvpn address-pool bigpool
vpngroup mvpn dns-server 10.2.1.20 10.3.1.20
vpngroup mvpn wins-server 10.2.1.20
vpngroup mvpn default-domain yyyyy.com
vpngroup mvpn split-tunnel 101
vpngroup mvpn idle-time 1800
vpngroup mvpn max-time 86400
vpngroup mvpn password zzzzzzzzz

=================
Cisco 2600

interface Tunnel0
ip address 192.168.1.1 255.255.255.0
ip mtu 1436
tunnel source Ethernet0/0
tunnel destination x.x.191.199
tunnel key 12508
!
!
interface Ethernet0/0
description Local LAN1 Segment
ip address 10.2.1.1 255.255.255.0
!
!
interface Serial0/0
description T1 to LAN2
ip address 10.1.2.1 255.255.255.0
no fair-queue
!
interface Ethernet0/1
no ip address
!
router eigrp 1
redistribute rip
network 10.0.0.0
!
router rip
redistribute eigrp 1
network 10.0.0.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.2.1.5
ip route 10.3.1.0 255.255.255.0 Tunnel0 180


Posted by stephen on August 5, 2007, 3:46 pm
> This is the current configuration:
>
> LAN1 -> Cisco 1750 -> Private T1 -> Cisco 2600 -> LAN2 -> PIX ->
> Internet
>
> The Cisco 1750 also has a DSL connected to a WIC-1ENET Card. This is
> supposed to be a backup if the private line goes down. I have a
> configuration already in place and I know that something is wrong, but
> just not sure what it is. I think that I need a dialer of some kind,
> but not sure how to implement it. Currently EIGRP is being passed
> through the Private T1 between the 1750 and 2600 (RIP is there also,
> but is probably not necessary). I have configured the PIX to accept
> IPSEC VPN connections. I know that in order to pass EIGRP over the
> DSL, I would need to configure a Tunnel interface. I have configured a
> Tunnel interface on the 1750 and the 2600. My idea of how the
> configuration should look is this:
>
> LAN1 -> Cisco 1750 -> DSL -> IPSEC over the Internet -> PIX -> LAN2
>            |                                             |___
>            |                                          Cisco 2600
>            |                                               ^
>            |                                               |
>            ------------------- Tunnel with EIGRP -----------
>
> The Tunnel would come up when the Private Line goes down and go over
> the IPSEC connection from the 1750 to the PIX. The tunnel would go
> through the PIX to the 2600, if this makes sense.

I haven't done this on a PIX / router link, only router to router, but I have
some suggestions about design.

why not have the tunnel up all the time and let the routing protocol sort
out which is the best path?

adding a dialler is just making life more complicated.

"Dial up" of any kind for backup is complicated since if the main link is
reliable, you don't use the backup very often. Given a realistic fault rate
there is a good chance the backup would fail when you most need it.

and if the tunnel is always meant to be there, you can test it for carrying
traffic without breaking the main link.

the "cost" is some keepalives down your DSL link.

<SNIP>
--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl


