Backup Interface using Tunnel

This is the current configuration:

LAN1 -> Cisco 1750 -> Private T1 -> Cisco 2600 -> LAN2 -> PIX -> Internet

The Cisco 1750 also has a DSL line connected to a WIC-1ENET card. This is supposed to be a backup if the private line goes down. I have a configuration already in place and I know that something is wrong, but I'm just not sure what it is. I think that I need a dialer of some kind, but I'm not sure how to implement it. Currently EIGRP is being passed through the private T1 between the 1750 and 2600 (RIP is there also, but is probably not necessary). I have configured the PIX to accept IPSEC VPN connections. I know that in order to pass EIGRP over the DSL, I would need to configure a Tunnel interface. I have configured a Tunnel interface on the 1750 and the 2600. My idea of how the configuration should look is this:

LAN1 -> Cisco 1750 -> DSL -> IPSEC over the Internet -> PIX -> LAN2
             |                                                  |
             |                                                  |___ Cisco 2600
             |                                                          ^
             |                                                          |
             -------------------Tunnel with EIGRP-----------------------

The Tunnel would come up when the Private Line goes down and go over the IPSEC connection from the 1750 to the PIX. The tunnel would go through the PIX to the 2600, if this makes sense. Here is what the 1750 looks like:

Cisco 1750:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xyxyxyx address x.x.113.5
!
!
! esp-des here, while the PIX transform set below uses esp-3des (and the PIX sets pfs group2)
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
!
crypto map pix 10 ipsec-isakmp
 ! Incomplete
 set peer x.x.113.5
 set transform-set pix-set
 ! access-list 110 is referenced but not included in this paste
 match address 110
!
!
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1436
 tunnel source Ethernet0
 tunnel destination 10.2.1.1
 tunnel key 12508
!
interface Ethernet0
 description DSL Connection
 bandwidth 768
 ip address x.x.191.199 255.255.255.0
 ! access-list 100 is not included in this paste
 ip access-group 100 in
 ip nat outside
 half-duplex
 no cdp enable
 crypto map pix
!
! no interface in this paste carries "ip nat inside"
interface FastEthernet0
 description Local LAN1 Segment
 ip address 10.3.1.1 255.255.255.0
 speed auto
!
interface Serial0
 description 384K Frame-Relay to LAN2
 bandwidth 1544
 ip address 10.1.2.2 255.255.255.0
!
! "network 10.0.0.0" does not cover Tunnel0 (192.168.1.0/24), so EIGRP does not run over the tunnel
router eigrp 1
 redistribute rip
 network 10.0.0.0
 no auto-summary
!
router rip
 redistribute eigrp 1
 network 10.0.0.0
!
ip nat pool beacon1 x.x.191.199 x.x.191.199 netmask 255.255.255.0
! access-list 20 and pool "branch" are not included in this paste
ip nat inside source list 20 pool beacon1
ip nat inside source route-map nonat pool branch overload
no ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip route 0.0.0.0 0.0.0.0 x.x.191.1 180
ip route 10.2.1.0 255.255.255.0 Tunnel0 180
no ip http server
no ip http secure-server
!
!
! "permit ip any any" is first, so the two deny lines below never match; ACL 102 is not applied anywhere in this paste
access-list 102 permit ip any any
access-list 102 deny eigrp any any
access-list 102 deny udp any any eq rip
access-list 130 deny ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 130 permit ip 10.3.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
!
end

=========== PIX Firewall

sysopt connection permit-ipsec
: esp-3des here, while the 1750 transform set uses esp-des
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 10 ipsec-isakmp
: access-list 110 is referenced but not included in this paste
crypto map mymap 10 match address 110
: pfs group2 is set here but not in the 1750 crypto map
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer x.x.191.199
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
: the key is bound to x.x.113.5 (the address the 1750 peers with), while the peer set above is x.x.191.199
isakmp key xyxyxyx address x.x.113.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mvpn address-pool bigpool
vpngroup mvpn dns-server 10.2.1.20 10.3.1.20
vpngroup mvpn wins-server 10.2.1.20
vpngroup mvpn default-domain yyyyy.com
: access-list 101 is not included in this paste
vpngroup mvpn split-tunnel 101
vpngroup mvpn idle-time 1800
vpngroup mvpn max-time 86400
vpngroup mvpn password zzzzzzzzz

================= Cisco 2600

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1436
 tunnel source Ethernet0/0
 tunnel destination x.x.191.199
 tunnel key 12508
!
!
interface Ethernet0/0
 description Local LAN1 Segment
 ip address 10.2.1.1 255.255.255.0
!
!
interface Serial0/0
 description T1 to LAN2
 ip address 10.1.2.1 255.255.255.0
 no fair-queue
!
interface Ethernet0/1
 no ip address
!
! as on the 1750, "network 10.0.0.0" does not cover Tunnel0 (192.168.1.0/24); note also that "no auto-summary" is absent here
router eigrp 1
 redistribute rip
 network 10.0.0.0
!
router rip
 redistribute eigrp 1
 network 10.0.0.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 10.2.1.5
ip route 10.3.1.0 255.255.255.0 Tunnel0 180

displays

I haven't done this on a PIX / router link, only router to router, but I have some suggestions about design.

why not have the tunnel up all the time and let the routing protocol sort out which is the best path?

adding a dialler is just making life more complicated.

"Dial up" of any kind for backup is complicated since if the main link is reliable, you don't use the backup very often. Given a realistic fault rate there is a good chance the backup would fail when you most need it.

and if the tunnel is always meant to be there, you can test it for carrying traffic without breaking the main link.

the "cost" is some keepalives down your DSL link.

stephen
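As an added example (not the configuration posted above and not stephen's), here is how the always-up design he describes could look on the three devices, reusing the addresses and tunnel key from the posted configs. Everything not in the original is an assumption: access-list 110 on both IPsec peers (the posted crypto ACL was not shown), the PIX NAT exemption, the GRE keepalive, the tunnel bandwidth and delay values, the /32 route for the tunnel endpoint, and the corrected phase-2 and pre-shared-key values. RIP and the floating static routes via Tunnel0 are left out: with EIGRP running across the tunnel, the routing protocol supplies the backup routes and picks the path.

```cisco
! ===== Cisco 1750 (LAN1 side) =====
! Phase 2 must match the PIX: it uses esp-3des and pfs group2
! (the posted 1750 had esp-des and no pfs).
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xyxyxyx address x.x.113.5
!
crypto ipsec transform-set pix-set esp-3des esp-sha-hmac
!
! Crypto ACL (assumed; not in the post): protect only the GRE packets
! between the tunnel endpoints. All LAN-to-LAN traffic rides inside GRE.
access-list 110 permit gre host x.x.191.199 host 10.2.1.1
!
crypto map pix 10 ipsec-isakmp
 set peer x.x.113.5
 set transform-set pix-set
 set pfs group2
 match address 110
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1436
 ! Assumed metric values: less bandwidth and more delay than Serial0,
 ! so EIGRP prefers the T1 while its adjacency is up.
 bandwidth 768
 delay 20000
 ! GRE keepalive (assumed): line protocol goes down when the far end
 ! stops answering, so a dead DSL/IPsec path shows as a down interface.
 keepalive 10 3
 tunnel source Ethernet0
 tunnel destination 10.2.1.1
 tunnel key 12508
!
interface Ethernet0
 description DSL Connection
 bandwidth 768
 ip address x.x.191.199 255.255.255.0
 ip nat outside
 crypto map pix
!
interface FastEthernet0
 description Local LAN1 Segment
 ip address 10.3.1.1 255.255.255.0
 ip nat inside
!
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!
! Host route for the tunnel endpoint via the DSL gateway (assumed). It keeps
! 10.2.1.1 reachable outside the tunnel; a route to it through Tunnel0
! would be recursive and IOS would bring the tunnel down.
ip route 10.2.1.1 255.255.255.255 x.x.191.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip route 0.0.0.0 0.0.0.0 x.x.191.1 180

: ===== PIX (LAN2 edge), additions and corrections only =====
: Mirror-image crypto ACL (assumed) and NAT exemption (assumed; the post
: shows no nat statements), so GRE from the 2600 leaves unaltered.
access-list 110 permit gre host 10.2.1.1 host x.x.191.199
access-list nonat permit ip host 10.2.1.1 host x.x.191.199
nat (inside) 0 access-list nonat
: Pre-shared key bound to the 1750's address; the post bound it to x.x.113.5.
isakmp key xyxyxyx address x.x.191.199 netmask 255.255.255.255 no-xauth no-config-mode

! ===== Cisco 2600 (LAN2 side) =====
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1436
 bandwidth 768
 delay 20000
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination x.x.191.199
 tunnel key 12508
!
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0
 ! Needed on both routers: otherwise the 10.0.0.0/8 auto-summary crosses
 ! the 192.168.1.0 tunnel and the individual 10.x subnets are hidden.
 no auto-summary
!
! GRE to x.x.191.199 follows the default route to the PIX inside address,
! where crypto map mymap encrypts it.
ip route 0.0.0.0 0.0.0.0 10.2.1.5
```

With this in place, "show ip eigrp neighbors" on either router should list a neighbour on both the serial interface and Tunnel0, "show ip route 10.2.1.0" on the 1750 should point at Serial0 while the T1 is up and flip to Tunnel0 after the serial adjacency drops, and "show crypto ipsec sa" on the 1750 should show encrypt/decrypt counters rising from the tunnel keepalives alone. One side effect to be aware of: because of the /32 static, the 1750 reaches the 2600's own LAN address 10.2.1.1 through the DSL path even while the T1 is up; every other 10.2.1.0/24 host still goes over the T1.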

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.