Firewall Wizards mailing list archives

RE: L2L VPN redundancy for T1 link


From: "Paul Melson" <psmelson () comcast net>
Date: Wed, 20 Apr 2005 11:52:13 -0400

Can we safely assume that, since the other devices in the mix here are Cisco
products that when you say "firewall" that you're talking about a PIX?
(Hence the reluctance to ask the firewall to do any routing?)

Anyway, I think you've painted yourself into a corner here.  You might be
able to eliminate the RAS network and attach the 3005 to your internal
network, and configure it to do RRI and OSPF with the 2811 to get path
failover there.  But that still requires that all traffic passes through the
2811, it just happens behind the firewall instead of outside.  It also means
that you are stuck using the 3005's filtering capabilities to filter VPN
clients and tunnels, which are sub par (to be kind).  This may be preferable
to using router ACLs to secure your T1, but that's a judgment call for your
organization to make.  So, I guess it's another option, but I'd stop short
of calling it "better."

The better option would be to replace the current firewall/VPN gear with
devices that are designed for this type of failover scenario. :-\

PaulM


-----Original Message-----
Subject: [fw-wiz] L2L VPN redundancy for T1 link


We have a remote office (site B) to which we have a T1 link (from site A).
The routers on each side of this T1 are Cisco 2811s, and they reside
internal on our trusted networks, talking EIGRP to our other internal
routers on both sides.

We currently have a site to site VPN connection between our firewalls, and
the firewall on each side is the default route from the internal networks,
so if the T1 goes down, the site A <-> site B traffic fails over to this L2L
VPN, without any routing protocol needed on the firewall.

We also have a Cisco VPN3005 on a RAS leg of our firewall, for users to
connect from home and while traveling. I do plan to move the L2L VPN to be
terminated on these at some point, though right now that is not the case (it
is currently terminated on the firewalls).

Site B has essentially the same gear (VPN3005 going in soon).

A hopefully helpful diagram:

    Internet
       |
       |
       |            +--------------+
       |            |              |
       |            | VPN3005      |
       +------------+ Concentrator |
       |            |              |
       |            +-----+--------+
       |                  |
+------+------+           |
|             |           |
|             |           |
|   Firewall  +-----------+-----
|             |    RAS Network
|             |
+------+------+
       |
       |
       |
+------+------+
|             |
|  Internal   | T1 to site B
|  T1 Router  +----------------------->
|  2811       |
|             |
+-------------+


The issue is that right now, when users connect with a VPN client to the
site A VPN3005, they cannot access network resources at site B, and vice
versa (since, on the firewall, the route to site B would be through the L2L
VPN rather than towards the internal network where the T1 router resides).

When we move the L2L VPN over to the 3005s, then I presume when a client
connects to site A's VPN3005 and tries to access the network at site B, the
traffic will go across the L2L VPN. However, the performance of this is
spotty, and we'd really like to be able to have this traffic go across the
T1 instead.

We would like to:

- Configure it such that traffic from VPN clients to the opposite site will
go across the T1 link.
- Still retain the L2L VPN as a failover for the T1 between A and B.
- If possible, not have a single point of failure for the link between A and
B.

It seems relatively simple to satisfy the first two requirements, but I'm
failing to see a good way to satisfy them all. One possibility:

Connect an interface from the internal T1 router (a 2811) directly to the
Internet network, bypassing the firewall (and do the same at site B). Set up
the L2L VPN on these routers, and then if the T1 fails it will simply fail
over to the VPN, terminated on the same box.

PRO:
Simple (KISS principle) - all data between site A and site B go through
these routers regardless of whether the T1 is up or down. No routing
protocols needed.

CON:
Adding a device directly on the Internet which bypasses our firewall. A
misconfiguration in the ACLs could allow traffic in or out to the Internet
which might have otherwise been stopped by the firewall.


I've been whiteboarding other options, but they all either seem to require
the firewall to speak a routing protocol, or have a single point of failure
in the T1 routers. I'm fairly comfortable living with the latter, but I just
want to make sure I'm not missing something here.

Are there better options I am missing?

Thank you!

johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
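One way to contain the CON of the "router directly on the Internet" option sketched in the original message, as an added example that is not from the thread or either poster: a Cisco IOS fragment for the site A 2811 that restricts the Internet leg to IKE/ESP from the site B peer only and uses a floating static route so the L2L tunnel carries site B traffic only while the T1 is down. Interface names, addresses (RFC 5737 ranges), internal prefixes and the pre-shared key are placeholders, not values from the thread.

```cisco
! Site A 2811: constructed example, not the thread's config. Addresses are RFC 5737 placeholders.
! Serial0/0/0 = T1 to site B, FastEthernet0/1 = direct Internet leg, FastEthernet0/0 = internal LAN.
!
interface Serial0/0/0
 description T1 to site B
 ip address 192.0.2.1 255.255.255.252
!
interface FastEthernet0/1
 description Direct Internet leg (bypasses firewall): nothing but the IPsec peer gets in
 ip address 203.0.113.10 255.255.255.248
 ip access-group INET-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
 crypto map SITEB
!
! Ingress ACL: only IKE (UDP 500/4500) and ESP from the site B peer; log and drop everything else.
ip access-list extended INET-IN
 permit udp host 198.51.100.10 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.10
 deny   ip any any log
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.10
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Crypto ACL: the traffic the tunnel protects (site A LAN to site B LAN).
ip access-list extended SITEA-TO-SITEB
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITEB 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set AES-SHA
 match address SITEA-TO-SITEB
!
! Primary path over the T1; the floating static (AD 254) takes over only when Serial0/0/0 goes down.
ip route 10.2.0.0 255.255.0.0 Serial0/0/0
ip route 10.2.0.0 255.255.0.0 203.0.113.9 254
! Host route to the peer only: no default route out the Internet leg, so the router cannot reach it otherwise.
ip route 198.51.100.10 255.255.255.255 203.0.113.9
```

A T1 that stays up/up but blackholes traffic will not withdraw the primary static, so IP SLA object tracking on that route is needed for that failure mode. Since the poster's 2811s speak EIGRP internally, the floating static must also be redistributed so the internal routers keep sending site B traffic to the 2811 during failover.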

