RV042 and pix with load balancing

Discussion in 'Cisco' started by jcharth@hotmail.com, Oct 12, 2005.

  1. Guest

    Hello, I was looking at the Linksys RV042 and it seems a pretty good
    router. Does anyone know how to set this up? One crypto map, two peers,
    or two crypto maps with two look-alike access-lists? Do I need failover
    enabled on the PIX? Are there any special requirements for this? Thanks
    , Oct 12, 2005
    #1

  2. In article <>,
    <> wrote:
    :Hello, I was looking at the Linksys RV042 and it seems a pretty good
    :router. Does anyone know how to set this up? One crypto map, two peers,
    :or two crypto maps with two look-alike access-lists? Do I need failover
    :enabled on the PIX? Are there any special requirements for this? Thanks

    You can't do load balancing with PIX 6.x. I don't know if you can
    with PIX 7.0 but I don't recall seeing that as one of the features added.
    --
    I am spammed, therefore I am.
    Walter Roberson, Oct 12, 2005
    #2

  3. Guest

    Maybe it is something on the RV042 side. I guess the only way to know is
    to buy one and, if it does not work, send it back.
    , Oct 13, 2005
    #3
  4. In article <>,
    <> wrote:
    :Maybe it is something on the RV042 side. I guess the only way to know is
    :to buy one and, if it does not work, send it back.

    For PIX 6.x, there is nothing you can do that will make it load
    balance, at least not for TCP. You can have -destination- routes
    to different places, but that's not load balancing, that's just
    routing. If you have the same traffic flows arriving via multiple
    interfaces then the Adaptive Security will refuse to believe that
    packets arriving on the other interfaces are authorized. If you have
    multiple IPSec peers in the same crypto policy, then it will only
    ever use one of them at a time, with there being obscure algorithms
    that lead to cutting off an old peer if a new one manages to start up.
    If you have the same crypto ACL on multiple crypto map policies, it will
    match the traffic on the lowest policy number and will never even look
    to see whether the other policies might match the traffic.

    I don't know what can be done with PIX 7.0.
    --
    If you like, you can repeat the search with the omitted results included.
    Walter Roberson, Oct 13, 2005
    #4
  5. Guest

    , Oct 13, 2005
    #5
  6. In article <>,
    <> wrote:
    :I found this example but the subnets on the access lists are different,
    :so I don't think it applies and I bet it won't work with load balancing.

    :However, maybe for fault tolerance, I can add a second peer to the
    :PIX in the same crypto map, right?

    You can add something like 6 peers to the same crypto map policy clause.
    Those are for fault tolerance only.

    Anything beyond that would have to be handled at a stage before.
    For example, if you had a router inside the PIX perimeter that
    did policy based routing such that any one flow was always routed
    the same way, and at the LAN router you were to NAT the different
    policy outlets separately, then as far as the PIX would be concerned
    they would be different inside hosts and the PIX would be able to
    run them through different VPN tunnels.

    You can also do -some- of that directly on the PIX, by using
    a combination of policy NAT and multiple crypto map policies. The
    crypto map match-address ACLs are not looked at until -after- NAT
    has taken place, so if you can express your different streams in terms
    of different layer 4 policies that can be source NAT'd to different IPs
    then the crypto map could be specific to the different post-NAT'd sources
    and so send them through different tunnels. But at least in PIX 6.x,
    you cannot split a single flow over multiple outlets -- per packet
    load balancing from within PIX 6.x is Right Out for TCP [UDP... might
    be hackable, icmp not.]
    --
    These .signatures are sold by volume, and not by weight.
    Walter Roberson, Oct 13, 2005
    #6
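    As an added example (not from the thread), the PIX-side configuration
    Walter is describing in this post, in PIX 6.3 syntax (6.3 is the first
    release with policy NAT). It also illustrates the point from his earlier
    post that two crypto map entries carrying the same ACL would never both be
    used: here the entries get distinct ACLs because the streams are first
    translated to distinct outside addresses. All names and addresses are
    hypothetical: 10.1.1.0/24 is the LAN behind the PIX, 192.168.50.0/24 the
    LAN behind the RV042, 203.0.113.10 and 203.0.113.11 two spare addresses
    on the PIX outside subnet, and 198.51.100.1 and 198.51.100.2 the RV042's
    two WAN addresses. HTTP toward the remote LAN is translated to one outside
    address and SMTP to the other, so each crypto map entry matches only its
    own post-NAT source. The RV042 end is assumed to define the far-side
    network of each of its two tunnels as the matching single host.

```cisco
! Added example, PIX 6.3 syntax. Hypothetical addresses; CHANGE_ME is a placeholder key.
! Ordinary outbound traffic keeps the usual interface PAT.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Policy NAT: classify the two streams by layer 4 and translate each to its
! own outside address. nat ID 2 and 3 are checked before the catch-all ID 1.
access-list WEB_OUT permit tcp 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 80
access-list MAIL_OUT permit tcp 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 25
nat (inside) 2 access-list WEB_OUT
global (outside) 2 203.0.113.10
nat (inside) 3 access-list MAIL_OUT
global (outside) 3 203.0.113.11
!
! Crypto ACLs are evaluated after NAT, so they match the translated sources.
! If both entries used the same ACL, entry 10 would always win and entry 20
! would never carry traffic.
access-list CRYPTO_A permit ip host 203.0.113.10 192.168.50.0 255.255.255.0
access-list CRYPTO_B permit ip host 203.0.113.11 192.168.50.0 255.255.255.0
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Entry 10: web stream, primary peer WAN1. The second peer on the set peer
! line is for fault tolerance only; the PIX talks to one of them at a time.
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address CRYPTO_A
crypto map VPN 10 set peer 198.51.100.1 198.51.100.2
crypto map VPN 10 set transform-set TS
!
! Entry 20: mail stream, primary peer WAN2, falling back to WAN1.
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address CRYPTO_B
crypto map VPN 20 set peer 198.51.100.2 198.51.100.1
crypto map VPN 20 set transform-set TS
crypto map VPN interface outside
!
isakmp enable outside
isakmp key CHANGE_ME address 198.51.100.1 netmask 255.255.255.255
isakmp key CHANGE_ME address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Let decrypted traffic bypass the interface ACLs.
sysopt connection permit-ipsec
```

    A single TCP connection still follows exactly one entry for its whole
    life: the split is per stream class, never per packet, which is the
    limit Walter sets out above.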
  7. Guest

    What if I have two PIXes and one router behind the PIXes using OSPF or
    iBGP to route the packets through the right PIX? I can probably
    establish two tunnels with the RV042 and have the packets go to one or the
    other based on availability, right? Well, anyway, I think I'll give it a
    shot.
    , Oct 14, 2005
    #7
  8. In article <>,
    <> wrote:
    :What if I have two PIXes and one router behind the PIXes using OSPF or
    :iBGP to route the packets through the right PIX? I can probably
    :establish two tunnels with the RV042 and have the packets go to one or the
    :other based on availability, right? Well, anyway, I think I'll give it a
    :shot.

    PIX 6.2 supports reading OSPF routes directly, except on the PIX 501.
    But that's a *routing* configuration, not a *load balancing*
    configuration.

    There is no circumstance under which a PIX 6.x will accept a TCP
    packet for a flow that was previously going through a different PIX
    [other than PIX failover.]

    You can do some UDP stuff with multiple PIX by abusing the fact that
    each UDP packet is independently considered to be a flow in itself, but
    consider the case where the UDP goes out on one PIX and the reply comes
    back on the other: unless the second PIX has been configured to accept
    UDP for -all- ports [because the outgoing had a dynamic source port],
    then the adaptive security on the second PIX is not going to allow
    the packet in.

    Effectively, if you want to do load balancing, you need to do it
    on the WAN side of the PIX.
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
    Walter Roberson, Oct 14, 2005
    #8
  9. In article <>,
    <> wrote:
    >What if I have two PIXes and one router behind the PIXes using OSPF or
    >iBGP to route the packets through the right PIX? I can probably
    >establish two tunnels with the RV042 and have the packets go to one or the
    >other based on availability, right? Well, anyway, I think I'll give it a
    >shot.
    >


    If you can put routers behind the firewalls, redundancy becomes much
    easier. Just treat the IPsec tunnels as non-broadcast point-to-point
    links and use a routing protocol to select the tunnel to use. Load
    balancing is automatic if you use an IGP and GRE tunnels. BGP routing
    saves overhead, but makes load balancing much more difficult. See
    the white paper "Redundant Routes in IPSec VPNs" on my web site
    for some examples (load balancing is not addressed, but you can
    fill that in, because load balancing is typically useless if you
    don't have robust redundancy).

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    Vincent C Jones, Oct 14, 2005
    #9
  10. Guest

    Thanks Vincent. I read all your papers a few days ago hoping to find
    an answer to my problem. Do you think it is OK to do the IPsec and GRE
    tunnels in a router behind the PIX? I have a 2621 that has a few
    Ethernet ports open. I also have a Tasman T1 router with two LAN
    interfaces. I
    , Oct 14, 2005
    #10
  11. In article <>,
    <> wrote:
    >Thanks Vincent. I read all your papers a few days ago hoping to find
    >an answer to my problem. Do you think it is OK to do the IPsec and GRE
    >tunnels in a router behind the PIX? I have a 2621 that has a few
    >Ethernet ports open. I also have a Tasman T1 router with two LAN
    >interfaces. I


    I'm having a bit of a challenge parsing your response, but I'll do the
    best I can.

    The GRE tunnels must terminate on a router; PIXes don't route the way you
    need them to for this application.

    IPsec can be done by firewall or by router. On the firewall is usually
    easier (less opportunity for confusion), but not necessarily better. The
    bigger challenge is usually getting both ends of the IPsec tunnel to
    agree on all parameters so the tunnel will come up and stay up.

    2621 VPN performance may not be adequate. It also requires upgrading to
    crypto or firewall feature set (if you're not there already).

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    Vincent C Jones, Oct 16, 2005
    #11
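    As an added illustration of the design Vincent lays out in his two
    replies above (this is not from the thread or from his white paper), an
    IOS configuration for the router behind the firewall that terminates two
    GRE tunnels, one toward each remote WAN address, and lets OSPF treat them
    as equal-cost point-to-point links. Everything is hypothetical: 10.1.1.0/24
    is the local LAN behind the router, 10.1.2.0/24 the link between router
    and firewall, 10.255.0.0/30 and 10.255.0.4/30 the two tunnel links, and
    198.51.100.1 and 198.51.100.2 the two remote tunnel endpoints. A router
    with the mirror configuration is assumed at the far end, since this design
    puts routers behind the firewalls on both sides. The IPsec that protects
    the GRE packets, which as Vincent says can live on the firewall or on the
    router, is left out, as is the firewall configuration that passes the
    tunnel traffic through.

```cisco
! Added example, IOS 12.3 syntax; all names and addresses are hypothetical.
! With CEF, two equal-cost OSPF routes over the tunnels give per-destination
! load sharing. When a tunnel loses its OSPF neighbour (or its GRE keepalive),
! its routes drop out and all traffic follows the surviving tunnel.
ip cef
!
interface FastEthernet0/0
 description Toward the firewall
 ip address 10.1.2.2 255.255.255.0
!
interface FastEthernet0/1
 description Local LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 description GRE to remote router via remote WAN1
 bandwidth 1544
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
interface Tunnel1
 description GRE to remote router via remote WAN2
 bandwidth 1544
 ip address 10.255.0.5 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
!
! GRE tunnels are point-to-point to OSPF by default; equal bandwidth on both
! gives equal cost, so the remote LAN is learned with two next hops.
router ospf 1
 passive-interface FastEthernet0/1
 network 10.1.1.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.7 area 0
!
! The tunnel outer packets reach the remote endpoints through the firewall.
! Do not let the remote endpoint addresses be learned over the tunnels
! themselves, or the tunnels will recurse and flap.
ip route 0.0.0.0 0.0.0.0 10.1.2.1
```

    Per-destination sharing keeps every flow on one tunnel, which is what the
    stateful firewall on each path needs; per-packet sharing would split a
    flow across both firewalls and run into exactly the problem Walter
    describes earlier in the thread.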
