RE: [fw-wiz] L2L VPN redundancy for T1 link

From: Stewart, John (
Date: 04/20/05

    Date: Wed, 20 Apr 2005 12:34:21 -0500

    Paul Melson wrote:
    > Can we safely assume that, since the other devices in the mix
    > here are Cisco products that when you say "firewall" that you're
    > talking about a PIX? (Hence the reluctance to ask the firewall
    > to do any routing?)

    Actually, no. It is a Raptor firewall. I was not a PIX fan the last time I
    had to deal with them (which, admittedly, was quite some years ago and I
    understand they have improved).

    The reason I am reluctant to have the firewall run any routing protocols is
    I think it's just not a good idea to have anything but static routes on a
    firewall (right??). Seems like a possible vector of attack that is not worth
    the benefit.

    > You might be able to eliminate the RAS network and attach the 3005
    > to your internal network, and configure it to do RRI and OSPF with
    > the 2811 to get path failover there. But that still requires that
    > all traffic passes through the 2811, it just happens behind the
    > firewall instead of outside. It also means that you are stuck using
    > the 3005's filtering capabilities to filter VPN
    > clients and tunnels, which are sub par (to be kind).

    Aye, to be very kind. I think I would be much more comfortable with the
    internal router having an interface on the Internet network than to rely on
    the 3005's filtering capabilities.

    > The better option would be to replace the current
    > firewall/VPN gear with devices that are designed for
    > this type of failover scenario. :-\

    Could you elucidate on this? What gear would do?

    Thank you

