Firewall Wizards mailing list archives
RE: L2L VPN redundancy for T1 link
From: "Sanford Reed" <sanford.reed () cox net>
Date: Thu, 21 Apr 2005 03:41:05 -0400
Actually more like this:

           Internet
              |
              |
       +--------------+
       |              |
       |  T1 Router   |
       |              |
       +--------------+
              |  ^
              |  | GRE Tunnel
              |  | Via VPN
              |  | Tunnel to
              |  | Site B
              |  |
       +------+------+      +--------------+
       |             |      |              |
       |  Firewall   +------+   VPN3005    +----- RAS Network
       |             |      | Concentrator |
       +------+------+      +--------------+
              |
              |
       +--------------+
       |   Internal   |
       |    Router    |           T1 to site B
       + w/ GRE Tunnel+-----------------------> +--------------+
       |  to Site B   |                         |   Internal   |
       +--------------+                         |    Router    |
              |                                 +--------------+
    Site A Internal Networks

Yes, I did mean FW to FW. My previous statement saying to "'flip' the Router" was not the best wording. I should have used the 'art' to better indicate what I was trying to say, so see my modified ASCII art of what I meant. Sorry.

I forgot that we were using the External Router to MPLS 'merge' several Internet T1s to get the bandwidth desired and to do BGP between two ISP Providers.

The GRE tunnel passes the internal routing information (EIGRP) between site A & B. Because the GRE Tunnel is passing thru the VPN Tunnel, the firewall Rules will be bypassed. The Internal Router maintains the possible routes to Site B and will automatically compensate for 'failure' of either possible route. The FW Tunnel keeps the data secure when it is passing over the Internet.

However, I have to point out that we did not have the 3005 to contend with. I'm thinking that if you modify it as I indicated above, set up inbound rules to allow your Internet VPN users into the 3005, and then rules to allow traffic from the 3005 to 'pass-thru' to the internal address range, it should work. This would have the added benefit of adding some FW controls to both the Internet VPN Clients and the RAS clients.

If your Raptor can accept the Internet T1 directly then you can eliminate the external router.
Sanford Reed (V) 757.406.7067

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart, John
Sent: Wednesday, April 20, 2005 1:01 PM
To: 'sanford.reed () reed-assoc-llc com'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] L2L VPN redundancy for T1 link

Sanford Reed wrote:
Our Router resided outside the Firewall with a HW - HW VPN tunnel built between firewalls for fail over. To avoid routing problems we built a GRE connection via the VPN tunnel between internal routers to pass the needed EIGRP info. I think this would work for you if you 'flipped' the Router to the outside and configured it to do the Fail-over as needed.
So here's what I think you are describing, in beautiful ASCII art:

           Internet
              |
              |
       +--------------+
       |              |
       |  T1 Router   |      T1 to site B
       |              +----------------------->
       |              |
       +--------------+
              |
              |        +--------------+
              |        |              |
              |        |   VPN3005    |
              |   +----+ Concentrator |
              |   |    |              |
              |   |    +-----+--------+
              |   |          |
       +------+---+--+       |
       |             |       |
       |  Firewall   +-------+----- RAS Network
       |             |
       +------+------+
              |
              |
   Site A Internal Networks

You say that you have a HW-HW VPN tunnel (do you mean FW-FW?). How does the traffic destined for site B from site A internal networks not go through this, since the firewall is the first hop towards the T1 router (now external)? Do you somehow set up GRE to tunnel all internal traffic (along with EIGRP) from an internal (site A) router to the T1 router, so the firewall doesn't touch it? And then if the T1 tunnel (or the T1 router) fails, the default route will now be to the firewall, so then the FW-FW VPN tunnel takes over?

Seems like this might also work if we move the L2L VPN tunnel over to the 3005's, too. The firewall would simply have a route for site B networks pointing to the 3005.

Sounds all a bit complicated, but if we want no single point of failure, I guess it is not simple.

Interesting idea; thanks.

johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
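The design Sanford describes above (EIGRP over a GRE tunnel that rides inside the firewall-to-firewall IPsec tunnel, with the T1 preferred while it is up), written out as an added example of the Site A internal router's configuration. This is not anything posted in the thread. Everything in it is an assumption: that the internal routers run Cisco IOS (the thread only says EIGRP and GRE), the hostname, the 10.1.0.0/16, 10.2.0.0/16, 172.16.0.0/30 and 192.168.255.0/30 addressing, and EIGRP AS 100.

```cisco
! Site A internal router - added example, assumed addressing:
!   10.1.0.0/16       Site A internal networks (10.1.0.1 is this router)
!   10.2.0.0/16       Site B internal networks (10.2.0.1 is the Site B peer)
!   10.1.0.254        Site A firewall, inside interface
!   172.16.0.0/30     T1 point-to-point link to Site B
!   192.168.255.0/30  GRE tunnel link addressing
hostname SiteA-Internal
!
! Primary path: the T1 straight to the Site B internal router.
interface Serial0/0
 description T1 to Site B internal router
 ip address 172.16.0.1 255.255.255.252
 bandwidth 1544
!
! Backup path: GRE between the two internal routers. The GRE packets are
! sent to the firewall, which encrypts them inside the FW-FW IPsec tunnel.
interface Tunnel0
 description GRE to Site B inside the FW-FW VPN
 ip address 192.168.255.1 255.255.255.252
 tunnel source 10.1.0.1
 tunnel destination 10.2.0.1
 tunnel mode gre ip
 ! GRE keepalives bring Tunnel0 down when the far end stops answering,
 ! so EIGRP withdraws the routes instead of black-holing traffic.
 keepalive 10 3
 ! Make the tunnel's EIGRP metric worse than the T1's: lower bandwidth,
 ! higher delay (delay is in tens of microseconds).
 bandwidth 1000
 delay 50000
 ! GRE plus ESP overhead: keep packets small enough to avoid fragmentation
 ! inside the VPN.
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! The tunnel endpoint must be reached via the firewall, never via the tunnel
! itself; otherwise IOS detects recursive routing and flaps Tunnel0 once
! EIGRP learns 10.2.0.0/16 over it. A host route wins by longest match.
ip route 10.2.0.1 255.255.255.255 10.1.0.254
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.3
 network 192.168.255.0 0.0.0.3
 no auto-summary
```

Site B mirrors this with the addresses swapped. Two things the thread touches on but does not spell out: the firewalls' IPsec policy has to select IP protocol 47 between 10.1.0.1 and 10.2.0.1 for the GRE to be carried at all, and once it is, the firewalls see only GRE and whatever rides inside the tunnel is not inspected by their rule base, which is exactly the "firewall rules will be bypassed" Sanford points out. Failover is then purely a routing decision on the internal routers: while Serial0/0 is up its lower metric wins; when it or Tunnel0 goes down, EIGRP reconverges on whichever path is left.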
Current thread:
- L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- Re: L2L VPN redundancy for T1 link John Kougoulos (Apr 20)
- RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 20)
- RE: L2L VPN redundancy for T1 link Paul Melson (Apr 20)
- <Possible follow-ups>
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 21)