Sanford Reed wrote:

> Our Router resided outside the Firewall with a HW - HW VPN tunnel
> built between firewalls for fail over. To avoid routing problems we
> built a GRE connection via the VPN tunnel between internal routers
> to pass the needed EIGRP info.
>
> I think this would work for you if you 'flipped' the Router
> to the outside and configured it to do the Fail-over as needed.


So here's what I think you are describing, in beautiful ASCII art:

       Internet
           |
           |
           |         +--------------+
           |         |              |
           |         |  T1 Router   |   T1 to site B
           +---------+              +----------------------->
           |         |              |
           |         +--------------+
           |
           |
           |
           |         +--------------+
           |         |              |
           |         |   VPN3005    |
           +---------+ Concentrator |
           |         |              |
           |         +-----+--------+
           |               |
    +------+------+        |
    |             |        |
    |             |        |
    |  Firewall   +--------+-------  RAS Network
    |             |
    |             |
    +------+------+
           |
           |
           |
           |
         Site A
        Internal
        Networks


You say that you have a HW-HW VPN tunnel (do you mean FW-FW?). How does the
traffic destined for site B from site A internal networks not go through
this, since the firewall is the first hop towards the T1 router (now
external)?

Do you somehow set up GRE to tunnel all internal traffic (along with EIGRP)
from an internal (site A) router to the T1 router, so the firewall doesn't
touch it? And then if the T1 tunnel (or the T1 router) fails, the default
route will now be to the firewall, so then the FW-FW VPN tunnel takes over?

Seems like this might also work if we move the L2L VPN tunnel over to the
3005's, too. The firewall would simply have a route for site B networks
pointing to the 3005.

Sounds all a bit complicated, but if we want no single point of failure, I
guess it is not simple.

Interesting idea; thanks.

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
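A constructed sketch of the GRE-over-VPN arrangement Sanford describes, added here and not taken from the thread: Cisco IOS configuration for the site A internal router, with EIGRP riding inside an authenticated GRE tunnel that is carried by the FW-FW VPN. Addresses, the AS number, interface names and the key name are placeholders; how the primary T1 path is learned is left as in the thread and not shown.

```cisco
! Site A internal router -- constructed example, placeholder addresses/AS/key.
! The GRE endpoints (10.1.0.1 here, 10.2.0.1 at site B) are inside addresses
! that the FW-FW VPN already carries; the T1 path is learned separately.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet0/0
 description inside LAN; tunnel source, reachable through the FW-FW VPN
 ip address 10.1.0.1 255.255.255.0
!
interface Tunnel0
 description GRE to site B internal router, carried inside the FW-FW VPN
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! only an authenticated neighbour may inject routes over the tunnel
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ! tear the tunnel (and the EIGRP adjacency) down if the VPN path dies,
 ! so traffic does not black-hole while EIGRP still believes the neighbour is up
 keepalive 10 3
 ! delay in tens of microseconds; worse than the T1 path so the tunnel is
 ! chosen only when the T1 route disappears
 delay 100000
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.0.1
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 no auto-summary
!
! On each firewall, permit only IP protocol 47 (GRE) between the two tunnel
! endpoints across the VPN; everything else keeps its normal policy.
! PIX/ASA style, constructed:
!   access-list VPN-IN extended permit gre host 10.2.0.1 host 10.1.0.1
```

Site B mirrors this with the addresses swapped; the same key chain must be configured on both ends or the adjacency never forms.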