Firewall Wizards mailing list archives
RE: L2L VPN redundancy for T1 link
From: "Stewart, John" <johns () artesyncp com>
Date: Wed, 20 Apr 2005 12:34:21 -0500
Paul Melson wrote:
> Can we safely assume that, since the other devices in the mix here are Cisco products, that when you say "firewall" you're talking about a PIX? (Hence the reluctance to ask the firewall to do any routing?)
Actually, no. It is a Raptor firewall. I was not a PIX fan the last time I had to deal with them (which, admittedly, was quite some years ago and I understand they have improved). The reason I am reluctant to have the firewall run any routing protocols is I think it's just not a good idea to have anything but static routes on a firewall (right??). Seems like a possible vector of attack that is not worth the benefit.
> You might be able to eliminate the RAS network and attach the 3005 to your internal network, and configure it to do RRI and OSPF with the 2811 to get path failover there. But that still requires that all traffic passes through the 2811; it just happens behind the firewall instead of outside. It also means that you are stuck using the 3005's filtering capabilities to filter VPN clients and tunnels, which are sub par (to be kind).
Aye, to be very kind. I think I would be much more comfortable with the internal router having an interface on the Internet network than to rely on the 3005's filtering capabilities.
> The better option would be to replace the current firewall/VPN gear with devices that are designed for this type of failover scenario. :-\
Could you elucidate on this? What gear would do?

Thank you,
johnS