RE: [fw-wiz] L2L VPN redundancy for T1 link
From: Stewart, John (johns_at_artesyncp.com)
To: email@example.com Date: Wed, 20 Apr 2005 12:34:21 -0500
Paul Melson wrote:
> Can we safely assume that, since the other devices in the mix
> here are Cisco products that when you say "firewall" that you're
> talking about a PIX? (Hence the reluctance to ask the firewall
> to do any routing?)
Actually, no. It is a Raptor firewall. I was not a PIX fan the last time I
had to deal with them (which, admittedly, was quite some years ago and I
understand they have improved).
The reason I am reluctant to have the firewall run any routing protocols is
I think it's just not a good idea to have anything but static routes on a
firewall (right??). Seems like a possible vector of attack that is not worth
> You might be able to eliminate the RAS network and attach the 3005
> to your internal network, and configure it to do RRI and OSPF with
> the 2811 to get path failover there. But that still requires that
> all traffic passes through the 2811, it just happens behind the
> firewall instead of outside. It also means that you are stuck using
> the 3005's filtering capabilities to filter VPN
> clients and tunnels, which are sub par (to be kind).
Aye, to be very kind. I think I would be much more comfortable with the
internal router having an interface on the Internet network than to rely on
the 3005's filtering capabilities.
> The better option would be to replace the current
> firewall/VPN gear with devices that are designed for
> this type of failover scenario. :-\
Could you elucidate on this? What gear would do?
firewall-wizards mailing list