Firewall Wizards mailing list archives

RE: L2L VPN redundancy for T1 link


From: "Stewart, John" <johns () artesyncp com>
Date: Wed, 20 Apr 2005 12:34:21 -0500


Paul Melson wrote:
> Can we safely assume that, since the other devices in the mix
> here are Cisco products that when you say "firewall" that you're
> talking about a PIX? (Hence the reluctance to ask the firewall
> to do any routing?)

Actually, no. It is a Raptor firewall. I was not a PIX fan the last time I
had to deal with them (which, admittedly, was quite some years ago and I
understand they have improved).

The reason I am reluctant to have the firewall run any routing protocols is
I think it's just not a good idea to have anything but static routes on a
firewall (right??). Seems like a possible vector of attack that is not worth
the benefit.
 
> You might be able to eliminate the RAS network and attach the 3005
> to your internal network, and configure it to do RRI and OSPF with
> the 2811 to get path failover there.  But that still requires that
> all traffic passes through the 2811, it just happens behind the
> firewall instead of outside. It also means that you are stuck using
> the 3005's filtering capabilities to filter VPN
> clients and tunnels, which are sub par (to be kind).

Aye, to be very kind. I think I would be much more comfortable with the
internal router having an interface on the Internet network than to rely on
the 3005's filtering capabilities. 

> The better option would be to replace the current
> firewall/VPN gear with devices that are designed for
> this type of failover scenario. :-\

Could you elucidate on this? What gear would do?

Thank you

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards