Cisco 1750 to PIX 515 Routing question

I'm creating a Site to Site VPN Failover connection between a Cisco 1750 Router and a PIX 515 Firewall. I have a question about routing. The 1750 will initiate the connection if the primary connection goes down. The packets obviously should route from the LAN behind the 1750 to the LAN behind the PIX. But my question is, how will packets going from the LAN behind the PIX know to go through the VPN connection instead of using the regular connection between the two networks? Is the route dynamically created when the Router connects to the PIX and added to the current list of routes on the PIX? I've included both the Router and the PIX config.

Thanks....

1750 Router

------------------
!
version 11.2
service password-encryption
!
hostname 1750Router
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxx
!
no ip domain-lookup
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
 lifetime 28800
crypto isakmp key xyxyxyx address x.x.117.15
!
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer x.x.117.15
 set transform-set pix-set
 match address 110
!
!
interface FastEthernet0
 description Local LAN
 ip address 10.3.1.1 255.255.255.0
!
interface Serial0
 description Frame-Relay to Main Office
 bandwidth 1544
 ip address 10.1.2.2 255.255.255.0
!
interface Ethernet0
 description DSL Connection
 ip address x.x.191.169 255.255.255.0
 ip access-group 100 in
 ip nat outside
 no shutdown
 no cdp enable
 bandwidth 768
 crypto map pix
!
router eigrp 1
 redistribute rip
 network 10.0.0.0
!
router rip
 redistribute eigrp 1
 network 10.0.0.0
!
ip nat pool local1 x.x.191.169 x.x.191.169 netmask 255.255.255.0
ip nat inside source list 20 pool local1
ip nat inside source route-map nonat pool branch overload
no ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.1 100
ip route 0.0.0.0 0.0.0.0 x.x.191.1 250
!
access-list 100 permit esp any any
access-list 100 permit ahp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq netbios-ns
access-list 100 permit udp any any eq netbios-dgm
access-list 102 deny eigrp any any
access-list 102 deny udp any any eq rip
access-list 102 permit ip any any
access-list 110 permit ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 130 deny ip 10.3.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 130 permit ip 10.3.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password 7 06020E2A435A08
 login
!
end

PIX 515

-----------

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6ZN2OmW5fLXsIQBK encrypted
passwd N58TEyopO9S56DF5 encrypted
hostname PIX515
domain-name yyyyy.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit icmp any any
access-list 102 permit tcp any host x.x.117.30 eq smtp
access-list 102 permit tcp any host x.x.117.32 eq smtp
access-list 102 permit tcp any host x.x.117.30 eq lotusnotes
access-list 102 permit tcp any host x.x.117.32 eq lotusnotes
access-list 102 permit tcp any host x.x.117.30 eq www
access-list 102 permit tcp any host x.x.117.32 eq www
access-list 102 permit tcp any host x.x.117.33 eq ftp
access-list 102 permit tcp any host x.x.117.32 eq https
access-list 102 permit tcp any host x.x.117.50 eq pcanywhere-data
access-list 102 permit udp any host x.x.117.50 eq pcanywhere-status
access-list 102 permit udp any host x.x.117.100 eq pcanywhere-status
access-list 102 permit tcp any host x.x.117.100 eq pcanywhere-data
access-list 102 permit tcp any host x.x.117.100 eq 1503
access-list 102 permit tcp any host x.x.117.100 eq 522
access-list 102 permit tcp any host x.x.117.100 eq h323
access-list 101 permit ip 10.2.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 10.3.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.117.15 255.255.255.0
ip address inside 10.2.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.2.102-192.168.2.200
pdm history enable
arp timeout 14400
global (outside) 1 x.x.117.102-x.x.117.200 netmask 255.255.255.0
global (outside) 1 x.x.117.101 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.117.30 10.2.1.30 netmask 255.255.255.255 0 0
static (inside,outside) x.x.117.32 10.2.1.32 netmask 255.255.255.255 0 0
static (inside,outside) x.x.117.33 10.2.1.33 netmask 255.255.255.255 0 0
static (inside,outside) x.x.117.100 10.2.1.100 netmask 255.255.255.255 0 0
static (inside,outside) x.x.117.50 10.2.1.50 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.117.1 1
route inside 10.3.1.0 255.255.255.0 10.2.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.2.1.33 cisco123 timeout 5
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.2.1.50 config.txt
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer x.x.191.169
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp key xyxyxyx address x.x.117.15 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mechvpn address-pool bigpool
vpngroup mechvpn dns-server 10.2.1.20 10.3.1.20
vpngroup mechvpn wins-server 10.2.1.20
vpngroup mechvpn default-domain yyyyy.com
vpngroup mechvpn split-tunnel 101
vpngroup mechvpn idle-time 1800
vpngroup mechvpn max-time 86400
vpngroup mechvpn password zzzzzzzzz
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Try putting a "floating" static route on the router behind the PIX.

Router(config)# ip route 10.1.1.0 255.255.255.0 FastEthernet0/1 10.1.0.1 200

A floating static route has an administrative weight higher than the dynamic routing protocol. The dynamic routing protocol, such as EIGRP which has an administrative weight of 90, is the preferred method of determining the route to the destination network - 10.1.1.0/24 in this example. When the link drops, the advertisement of the network goes away, and the static route with an administrative weight of 200 is the next best choice.

Scott Perry
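The floating static route worked out against the two configs posted above, as an added example (not from the original thread). The router behind the PIX is taken to be 10.2.1.1, which is the next hop in the PIX's existing `route inside 10.3.1.0` line; nothing else about it is known, so only the one route is shown for it. Routes the PIX side learns over the frame relay arrive via EIGRP with AD 90 (internal) or 170 (external, since the 1750 redistributes RIP into EIGRP), so a static at AD 200 sits above both. The PIX config as posted needs three more changes before that redirected traffic can actually be encrypted: its route for 10.3.1.0/24 points back inside, and a PIX 6.3 will not forward a packet out the interface it arrived on; `nat (inside) 0 access-list 101` does not exempt 10.2.1.0 to 10.3.1.0, so that traffic is PAT'd to the x.x.117.x pool before the crypto map looks at it and never matches ACL 110; and the `isakmp key` line names x.x.117.15, the PIX's own outside address, rather than the 1750's address x.x.191.169 that `set peer` uses. The `nonat` list name is an assumption.

```cisco
! --- Inside router behind the PIX (10.2.1.1) ---
! Floating static for the branch LAN via the PIX inside interface (10.2.1.5).
! AD 200 is above EIGRP internal (90) and external (170), so it stays out of
! the table while the frame relay path is advertised and takes over when
! that route is withdrawn.
ip route 10.3.1.0 255.255.255.0 10.2.1.5 200

! --- PIX 515 (6.3) ---
! The PIX will not send a packet back out the interface it arrived on, so the
! backup traffic handed to it by 10.2.1.1 needs a route pointing outside;
! x.x.117.1 is the existing default gateway.
no route inside 10.3.1.0 255.255.255.0 10.2.1.1 1
route outside 10.3.1.0 255.255.255.0 x.x.117.1 1

! NAT exemption for the site-to-site traffic, in a list of its own (assumed
! name "nonat") so the remote-access split-tunnel list 101 is left alone.
! nat 0 is evaluated before nat 1, and crypto ACL 110 matches post-NAT
! addresses, so without this entry the tunnel never sees 10.2.1.x sources.
access-list nonat permit ip 10.2.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.3.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
no nat (inside) 0 access-list 101
nat (inside) 0 access-list nonat

! Pre-shared key bound to the 1750's outside address (the posted line used
! the PIX's own address). no-xauth/no-config-mode keeps this LAN-to-LAN peer
! out of the RADIUS client authentication applied to the whole crypto map.
no isakmp key xyxyxyx address x.x.117.15 netmask 255.255.255.255
isakmp key xyxyxyx address x.x.191.169 netmask 255.255.255.255 no-xauth no-config-mode
```

To test, shut the frame relay interface and check `show ip route 10.3.1.0` on 10.2.1.1 (it should now show the static via 10.2.1.5), then `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX for an SA with peer x.x.191.169 whose encaps and decaps counters both climb while a host on 10.2.1.0/24 pings 10.3.1.0/24. One caveat: once 10.3.1.0/24 is routed outside on the PIX, the remote-access clients in the 192.168.2.x pool lose that network, because their decrypted traffic would also have to turn around on the outside interface, which 6.3 does not allow; that path only ever worked through 10.2.1.1 and the frame relay.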

IOS 11.2 on 1750 ??? - you might want to upgrade this to something a little more recent

no ip classless

Merv
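What `no ip classless` does to this design, spelled out as an added example rather than part of Merv's reply. With classful lookups the 1750 matches a packet for 10.2.1.x only against the subnets of 10.0.0.0/8 it already knows (10.3.1.0/24 is directly connected), and once the EIGRP route for 10.2.1.0/24 goes away with the frame relay it drops the packet instead of falling through to the default route via x.x.191.1. The crypto map on Ethernet0 therefore never sees traffic matching ACL 110 and the backup tunnel is never initiated. The lines below are changes to the posted 1750 config; the phase-2 lines are what the posted PIX config actually offers (esp-3des/esp-sha-hmac with PFS group 2), where the router as posted proposes esp-des with no PFS and would be refused.

```cisco
! 1750: let lookups fall through to the default route when no specific 10.x
! subnet matches (the default behaviour in later IOS releases).
ip classless
!
! Explicit floating static for the main-office LAN via the DSL gateway, so the
! failover does not depend on the default route at all. AD 250 is above EIGRP
! (90 internal, 170 external), so it is installed only after the Serial0 route
! is withdrawn; the crypto map on Ethernet0 then matches ACL 110 and starts IKE.
ip route 10.2.1.0 255.255.255.0 x.x.191.1 250
!
! Phase 2 must match the PIX's transform set and PFS setting, or quick mode
! fails even though IKE phase 1 (3des/sha/group 2 on both sides) succeeds.
crypto ipsec transform-set pix-set esp-3des esp-sha-hmac
crypto map pix 10 ipsec-isakmp
 set peer x.x.117.15
 set transform-set pix-set
 set pfs group2
 match address 110
```

With Serial0 shut, `show ip route 10.2.1.0` on the 1750 should show the static via x.x.191.1, and a ping from 10.3.1.x to 10.2.1.x should bring up `show crypto isakmp sa` in QM_IDLE with peer x.x.117.15.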

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.