Summary of content on page 1
61200890L1-29.4A
May 2005
Configuration Guide
Internet-based WAN Backup Solutions
using NetVanta
Overview
This configuration guide delineates the advantages of using the NetVanta
product line and the Internet for wide area network (WAN) connectivity. It
includes example scenarios using Internet-based backup solutions.
Summary of content on page 2
Introduction
WAN communication links are traditionally the weakest component in computer networking. Unlike LAN components, which are typically in the owner's direct physical and administrative control, the facilities that make up the WAN link belong to and are controlled by a third party. These facilities also cover wide geographic areas, making them more susceptible to physical harm. Such characteristics make WAN links the si
Summary of content on page 3
The Internet as an Alternative
Solution 1 - Primary = Frame Relay Service Provider, Alternate = ISP via Dial-up
In this scenario (see Figure 1), a Frame Relay service provider supplies the Frame Relay access line and virtual circuit that connects a NetVanta remote site directly to the central site. Since this link is entirely over a provider's Frame Relay network, no firewall or VPN is required to protect the customer's network. The central
Summary of content on page 4
  local-id fqdn REMOTE
  peer 10.254.255.85
  attribute 10
    authentication pre-share
    group 2
    lifetime 300
!
crypto ike remote-id fqdn CENTRAL. preshared-key 1234567890
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
  mode tunnel
!
crypto map HOSTviaDIAL 100 ipsec-ike
  match address REMOTE_to_CENTRAL
  set peer 10.254.255.85
  set transform-set dessha
  set security-association lifetime second
Summary of content on page 5
  ip address 10.254.255.26 255.255.255.252
  access-policy FR
  dial-backup number 2222 digital-64k 1 1 ppp 2
  ! link interface ppp 2/ISDN for dial backup in case this VC is lost
!
interface ppp 2
  description Dial Backup Interface to ISP with Firewall, VPN to CENTRAL Gateway
  ip address negotiated
  access-policy DIAL
  crypto map HOSTviaDIAL
  ppp authentication chap
  username ISP_Dial_Srv password a
  ppp cha
Summary of content on page 6
Solution 2 - Primary = Frame Relay Service Provider, Alternate = ISP via PPPoE/DSL-Cable
In this scenario (see Figure 2), a Frame Relay service provider supplies the Frame Relay access line and virtual circuit that connects a NetVanta remote site directly to the central site. Since this link is entirely over a provider's Frame Relay network, no firewall or VPN is required to protect the customer's network. Th
Summary of content on page 7
  local-id fqdn REMOTE
  peer 10.254.255.85
  attribute 10
    authentication pre-share
    group 2
    lifetime 300
!
crypto ike remote-id fqdn CENTRAL. preshared-key 1234567890
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
  mode tunnel
!
crypto map HOSTviaPoE 100 ipsec-ike
  match address REMOTE_to_CENTRAL
  set peer 10.254.255.85
  set transform-set dessha
  set security-association lifetime seconds
Summary of content on page 8
  access-policy FR
!
interface ppp 1
  description PPPoE Interface to ISP with Firewall, VPN to CENTRAL Gateway
  ip address negotiated
  access-policy PoE
  crypto map HOSTviaPoE
  ppp authentication chap
  username ISP_PPPoE_Srv password a
  ppp chap hostname ISP_Customer_PPPoE
  ppp chap password a
  mtu 1492
  no shutdown
cross-connect 2 eth 0/2 ppp 1
!
!
ip access-list extended Internet
  permit ip 10.1.1.2
Summary of content on page 9
Solution 3 - Primary = ISP via PPPoE/DSL-Cable, Alternate = ISP via Dial-up
In this scenario (see Figure 3), the remote site has two ISP accounts, one via PPPoE using a DSL or cable modem and another via dial-up. Both are protected by the NetVanta firewall. This PPPoE connection is always on and is used for local Internet access (if the corporate security policy allows such connectivity) as well as being used
Summary of content on page 10
ip firewall fast-nat-failover
!
! If using the PPPoE and Dial-up ISP connections for local Internet access
! and using 'NAT source' with the address of the currently active interface, the
! previous command is necessary to allow sessions started on one interface to be
! terminated when the route to the destination switches to the other interface.
!
ip crypto
!
crypto ike policy 100
  initiate aggressive
  no re
Summary of content on page 11
  no shutdown
!
interface eth 0/2
  description Ethernet to DSL/Cable Modem
  no ip address
  no shutdown
!
interface bri 1/3
  description ISDN link to local PSTN
  isdn spid1 11111
  isdn spid2 11112
  no shutdown
!
interface ppp 1
  description PPPoE Interface to ISP with Firewall, VPN to CENTRAL Gateway - PRIMARY
  ip address negotiated no-default
  access-policy PoE
  crypto map HOSTviaPoE
  ppp authenticati
Summary of content on page 12
!
ip policy-class DIAL
  allow reverse list REMOTE_to_CENTRAL
!
ip policy-class LOCALLAN
  allow list REMOTE_to_CENTRAL
!
  nat source list Internet interface ppp 1 overload policy PoE
  nat source list Internet interface ppp 2 overload policy DIAL
!
! Since the Internet traffic is using 'nat source' to the active interface IP address,
! a destination policy class is included in the previous NAT policies to con