I've got a site-to-site VPN set up between 2 locations on a Pix 515 and 501 respectively. There also is a remote-user VPN set up on each of these Pixes. Everything works OK, except that I cannot get EIGRP updates from the inside LAN routers to go over the VPN. In fact the firewalls do not seem to be even seeing the traffic. The routing updates go over other (FR) interfaces OK, and I don't see anything unusual in the router configs. Anybody know of any problems with routing protocol updates over a VPN?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
EIGRP updates over VPN 2
- Thread starter rpast
- Start date
-
1
- #2
HI.
How many routers (if any) do you have at the pix 501 side?
You can also use static routes on the internal router behind the pix 515 and use "redistribute static" on it to update the other frame relay routers.
It seems to me more reasonable to use static routes for small networks connected via VPN.
Yizhar Hurwitz
How many routers (if any) do you have at the pix 501 side?
You can also use static routes on the internal router behind the pix 515 and use "redistribute static" on it to update the other frame relay routers.
It seems to me more reasonable to use static routes for small networks connected via VPN.
Yizhar Hurwitz
not sure if this would be helpful, because I don't do much with VPN's but you need to make sure to pass multicast traffic over the VPN, thats how eigrp works. You might also try using the "neighbor" command under eigrp config
BuckWeet
BuckWeet
- Thread starter
- #4
Thank you Yishar and BuckWeet,
We have one router one the 501 side -- used to have static mappings there until I implemented failover for the Frame-relay we currently have at our three locations, including this smaller location (about 25 workstations). For the failover to work we needed something like EIGRP to granularize the route costs, and allow the primary link to be chosen over the failover once it recovered.
Anyway, I hope to keep the failover after tweeking it -- the reliability of the VPN is our main concern. But we may have to put some static maps back there if all else fails, as you suggest.
I've thought about poking holes in the firewall for EIGRP traffic, but have been surprised at how much gets let through without doing this -- H323, Telnet, the works. A VPN truly does seem to bypass normal firewall security, although I don't really understand how. That remote client is really treated as if it's in the office next door -- so much I still don't understand. I'll research the 'neighbor' parameter for EIGRP -- am not familiar with it.
If I get this resolved, I'll let you know. Any further suggestions or comments are certainly welcome. Thanks again.
We have one router one the 501 side -- used to have static mappings there until I implemented failover for the Frame-relay we currently have at our three locations, including this smaller location (about 25 workstations). For the failover to work we needed something like EIGRP to granularize the route costs, and allow the primary link to be chosen over the failover once it recovered.
Anyway, I hope to keep the failover after tweeking it -- the reliability of the VPN is our main concern. But we may have to put some static maps back there if all else fails, as you suggest.
I've thought about poking holes in the firewall for EIGRP traffic, but have been surprised at how much gets let through without doing this -- H323, Telnet, the works. A VPN truly does seem to bypass normal firewall security, although I don't really understand how. That remote client is really treated as if it's in the office next door -- so much I still don't understand. I'll research the 'neighbor' parameter for EIGRP -- am not familiar with it.
If I get this resolved, I'll let you know. Any further suggestions or comments are certainly welcome. Thanks again.
-
1
- #5
Since you're using two PIX's for your VPN, I assume you're using IPSec. The problem that you're running into is that you can't pass routing protocols, including EIGRP, across IPSec. If you used two IOS Routers, you could run IPSec across GRE tunnels, which would then pass EIGRP. Take a look at
for more info.
for more info.
- Thread starter
- #6
Thank you jims88,
I will certainly take a look at this soon. Lately, I've had connectivity problems, which have taken precedence over the routing protocol, failover issues. Ameritech installed a faulty 'last mile' to one of the facilities, and DSL is proving to be pretty touchy. We're getting another wire pair, but will probably ultimately resort to a cable modem. Hopefully the cable will prove more resilient. Very frustrating.
I can't wait to get back to the meat of the project. Thanks again for your response and link. I'll let you all know how this turns out.
Always willing to hear from anyone -- I look forward to contributing more to this interesting forum sometime soon -- as soon as I get half a breather.
I will certainly take a look at this soon. Lately, I've had connectivity problems, which have taken precedence over the routing protocol, failover issues. Ameritech installed a faulty 'last mile' to one of the facilities, and DSL is proving to be pretty touchy. We're getting another wire pair, but will probably ultimately resort to a cable modem. Hopefully the cable will prove more resilient. Very frustrating.
I can't wait to get back to the meat of the project. Thanks again for your response and link. I'll let you all know how this turns out.
Always willing to hear from anyone -- I look forward to contributing more to this interesting forum sometime soon -- as soon as I get half a breather.
HI.
> Any further suggestions or comments are certainly welcome
If you haven't done so, try XPosting the question also in the "Cisco routers" forum here, and in Cisco's own forums on their site.
Yizhar Hurwitz
> Any further suggestions or comments are certainly welcome
If you haven't done so, try XPosting the question also in the "Cisco routers" forum here, and in Cisco's own forums on their site.
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question
- Locked
- Question