01-29-2023 10:27 AM - edited 01-29-2023 10:29 AM
Dear Team,
I have implemented Hot Standby Router Protocol (HSRP) on two routers, each with an uplink to the Internet Service Provider (ISP). I have also configured Secure Sockets Layer Virtual Private Network (SSL-VPN (AnyConnect)) on both routers, and I am able to access internal resources while connected to the active router's SSL-VPN.
However, I am facing an issue while connecting to the standby SSL-VPN, as I am unable to access internal resources (10.5.6.x/24). This issue arises even if I switch the HSRP (the standby router's VPN is not providing access to the internal resources (10.5.6.x/24)). The ultimate goal is to get access to my 10.5.6.0/24 network when connecting to the VPN (17.25.185.18:3443).
I would like to seek your assistance in resolving this issue and setting up the standby router VPN for access to internal resources. Can you please advise what the problem could be and how it can be resolved?
Thank you for your prompt attention to this matter.
SSL-VPN configuration on standby router #R2
crypto pki trustpoint 247_TRUST_POINT
enrollment selfsigned
serial-number
subject-name CN=247rack-certificate
revocation-check crl
rsakeypair 247_RSA_KEYS
!
crypto pki trustpoint SLA-TrustPoint
revocation-check crl
!
crypto ssl proposal SSL_VPN_PROPOSAL
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy SSL_VPN_AUTH_POLICY
pool WEB_VPN_POOL
def-domain example.com
route set access-list SPLIT
!
crypto ssl policy SSL_VPN_POLICY
ssl proposal SSL_VPN_PROPOSAL
pki trustpoint 247_TRUST_POINT sign
ip address local 17.25.185.18 port 3443
!
crypto ssl profile SSL_VPN_PROFILE
match policy SSL_VPN_POLICY
aaa authentication user-pass list WEB_VPN
aaa authorization group user-pass list WEB_VPN SSL_VPN_AUTH_POLICY
authentication remote user-pass
max-users 100
!
ip local pool WEB_VPN_POOL 10.5.6.111 10.5.6.120
I used the ISP IP as the VPN IP on both routers.
R2#sho run int g1
Building configuration...
Current configuration : 323 bytes
!
interface GigabitEthernet1
ip flow monitor 247MONITOR input
ip flow monitor 247MONITOR output
ip address 17.25.185.18 255.255.255.252
ip nbar protocol-discovery
ip access-group WAN_IN in
negotiation auto
ipv6 address 2706:D408:DA1:1::2/64
ipv6 traffic-filter v6BLOCK-SMTP in
no mop enabled
no mop sysid
end
ACL configuration:
ip access-list extended WAN_IN
10 permit ip object-group MGMT_IPS object-group NATIVE_IPS
20 deny tcp any object-group NATIVE_IPS eq www log
30 deny tcp any object-group NATIVE_IPS eq 443 log
40 deny ip 192.168.0.0 0.0.255.255 any log
50 deny ip 10.0.0.0 0.255.255.255 any log
60 deny ip 172.16.0.0 0.15.255.255 any log
70 deny ip 104.218.121.0 0.0.0.255 any log
80 deny ip 104.218.122.0 0.0.0.255 any log
90 deny ip 104.218.123.0 0.0.0.255 any log
100 deny ip 162.220.55.0 0.0.0.255 any log
110 deny ip 169.197.76.0 0.0.3.255 any log
120 permit ip any any
Best regards - Menon.
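Before chasing routing, the standby router's VPN stanza as posted can be sanity-checked mechanically. The following is an added example (not from the thread and not Cisco tooling) that parses the R2 lines above and reports three things a practitioner would want to know first: whether the `ip address local` listener matches an address actually configured on an interface of that router, whether the address pool lies inside the 10.5.6.0/24 network the client is supposed to reach, and which `protection` suites use deprecated algorithms. `TARGET_LAN` (taken from the prose above) and `WEAK_MARKERS` are assumptions of the example; the config text is a constructed copy of the posted snippet.

```python
import ipaddress

# Constructed input: the SSL VPN and GigabitEthernet1 lines from the R2 configuration
# posted above, copied as-is. The LAN the poster wants to reach is stated in prose,
# so it is passed in separately (TARGET_LAN) rather than parsed from the snippet.
R2_CONFIG = """
crypto ssl proposal SSL_VPN_PROPOSAL
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy SSL_VPN_AUTH_POLICY
 pool WEB_VPN_POOL
 route set access-list SPLIT
crypto ssl policy SSL_VPN_POLICY
 ssl proposal SSL_VPN_PROPOSAL
 pki trustpoint 247_TRUST_POINT sign
 ip address local 17.25.185.18 port 3443
ip local pool WEB_VPN_POOL 10.5.6.111 10.5.6.120
interface GigabitEthernet1
 ip address 17.25.185.18 255.255.255.252
 ip access-group WAN_IN in
"""
TARGET_LAN = ipaddress.ip_network("10.5.6.0/24")

# Suites whose bulk cipher or MAC is deprecated for TLS: RC4 (prohibited by RFC 7465),
# 3DES (64-bit block, Sweet32) and MD5-based MACs. Substring match on IOS XE suite names.
WEAK_MARKERS = ("rc4", "3des", "md5")


def parse_config(text: str) -> dict:
    """Pull out the listener address/port, the proposal's suites, the address pools and
    the interface addresses. Only the stanzas this check needs are understood."""
    cfg = {"suites": [], "pools": {}, "interfaces": {}, "local": None, "port": None,
           "policy_pool": None}
    iface = None
    for raw in text.strip("\n").splitlines():
        tok = raw.split()
        if not raw.startswith(" "):                  # top-level command: leave any stanza
            iface = tok[1] if tok[0] == "interface" else None
        line = raw.strip()
        if line.startswith("protection "):
            cfg["suites"].extend(tok[1:])
        elif line.startswith("pool ") and iface is None:   # pool named by the auth policy
            cfg["policy_pool"] = tok[1]
        elif line.startswith("ip address local "):
            cfg["local"], cfg["port"] = tok[3], int(tok[5])
        elif line.startswith("ip local pool "):
            cfg["pools"][tok[3]] = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif line.startswith("ip address ") and iface:
            cfg["interfaces"][iface] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
    return cfg


def listener_interface(cfg: dict):
    """Name of the interface that owns the 'ip address local' listener, or None."""
    local = ipaddress.ip_address(cfg["local"])
    return next((n for n, i in cfg["interfaces"].items() if i.ip == local), None)


def pool_inside(cfg: dict, net: ipaddress.IPv4Network) -> bool:
    """True if the pool referenced by the authorization policy lies entirely inside net."""
    start, end = cfg["pools"][cfg["policy_pool"]]
    return start in net and end in net


def weak_suites(cfg: dict) -> list:
    """Proposal suites that contain a deprecated cipher or MAC marker."""
    return [s for s in cfg["suites"] if any(m in s for m in WEAK_MARKERS)]


if __name__ == "__main__":
    cfg = parse_config(R2_CONFIG)
    print("listener", cfg["local"], "port", cfg["port"], "on", listener_interface(cfg))
    print("pool inside", TARGET_LAN, "->", pool_inside(cfg, TARGET_LAN))
    print("deprecated suites ->", weak_suites(cfg))
```

On the posted config the listener resolves to GigabitEthernet1 and the pool 10.5.6.111-10.5.6.120 sits inside 10.5.6.0/24. That second point is worth keeping in mind when testing failover: hosts on that /24 treat pool addresses as on-link neighbours and resolve them with ARP instead of sending to a gateway, so only the router that currently holds a given client's tunnel can answer for that client's address; `show ip arp` on a LAN host and on each router during a failover test shows which router is answering. The RC4 and 3DES suites are flagged because RC4 is prohibited for TLS by RFC 7465 and 3DES's 64-bit block is subject to the Sweet32 attack; the AES suites in the same proposal remain if those two are removed.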
01-29-2023 11:53 AM
What device model and what IOS is running on this?
What does the active device configuration look like?
I do not see any HSRP config in the one posted; am I missing something here?
When you build high availability, how are you able to connect to the standby router? (Or are you doing a failover for testing?)
Do you have a high-level network diagram of how your setup looks?
01-29-2023 12:46 PM
Hi balaji,
The router is a Cisco CSR1000v, IOS XE Software, Version 17.03.04a.
HSRP won't transfer the configs from active to standby to make both routers identical, and I configured HSRP on the sub-interfaces where the traffic goes in/out; G1 is the ISP interface. Please find the HSRP config of the standby below.
R2 - standby router
interface GigabitEthernet1
ip flow monitor 247MONITOR input
ip flow monitor 247MONITOR output
ip address 17.25.185.18 255.255.255.252
ip nbar protocol-discovery
ip access-group WAN_IN in
negotiation auto
ipv6 address 2706:D408:DA1:1::2/64
ipv6 traffic-filter v6BLOCK-SMTP in
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.5.6.9 255.255.255.0
standby use-bia
negotiation auto
vrrp 92 ip 10.5.6.7
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
standby use-bia scope interface
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3.95
encapsulation dot1Q 95
ip address 10.0.0.2 255.255.255.248
!
interface GigabitEthernet3.122
encapsulation dot1Q 122
ip address 14.28.122.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby version 2
standby 1 ipv6 2301:FAA6:BD0::1/64
standby 1 priority 20
standby 1 preempt
standby 122 ip 14.28.122.3
standby 122 timers msec 250 msec 750
standby 122 priority 15
standby 122 preempt
ipv6 address 2301:FAA6:BD0::9/64
arp timeout 60
!
interface GigabitEthernet3.123
encapsulation dot1Q 123
ip address 14.28.123.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 123 ip 14.28.123.3
standby 123 timers msec 250 msec 750
standby 123 priority 15
standby 123 preempt
!
interface GigabitEthernet3.169
encapsulation dot1Q 169
ip address 69.17.76.2 255.255.252.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 169 ip 69.17.76.3
standby 169 timers msec 250 msec 750
standby 169 priority 15
standby 169 preempt
!
interface GigabitEthernet3.300
description newscope23.148.1.0
encapsulation dot1Q 300
ip flow monitor 247MONITOR output
ip address 25.158.1.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 55 ip 25.158.1.3
standby 55 timers msec 250 msec 750
standby 55 priority 15
standby 55 preempt
arp timeout 60
!
interface GigabitEthernet3.504
encapsulation dot1Q 504
ip address 14.218.121.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 100 ip 14.218.121.3
standby 100 timers msec 250 msec 750
standby 100 priority 15
standby 100 preempt
!
interface GigabitEthernet3.520
description Remote Access
encapsulation dot1Q 520
ip address 73.205.187.98 255.255.255.224
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 250 ip 73.205.187.99
standby 250 timers msec 250 msec 750
standby 250 priority 15
standby 250 preempt
!
interface GigabitEthernet3.521
encapsulation dot1Q 521
ip address 62.220.55.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby version 2
standby 1 ipv6 2620:FFA6:300::1/64
standby 1 priority 20
standby 1 preempt
standby 251 ip 62.220.55.3
standby 251 timers msec 250 msec 750
standby 251 priority 15
standby 251 preempt
ipv6 address 2620:FFA6:300::9/64
arp timeout 60
!
R1 - active router
interface GigabitEthernet1
ip flow monitor 247MONITOR input
ip flow monitor 247MONITOR output
ip address 17.25.184.86 255.255.255.252
ip nbar protocol-discovery
ip access-group WAN_IN in
negotiation auto
ipv6 address 2706:D408:DA1:1::2/126
ipv6 traffic-filter v6BLOCK-SMTP in
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.5.6.8 255.255.255.0
standby use-bia
negotiation auto
vrrp 92 ip 10.5.6.7
vrrp 92 priority 150
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
standby use-bia scope interface
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3.95
encapsulation dot1Q 95
ip address 10.0.0.1 255.255.255.248
!
interface GigabitEthernet3.122
description Remote Access
encapsulation dot1Q 122
ip address 14.28.122.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby version 2
standby 1 ipv6 2301:FAA6:BD0::1/64
standby 1 priority 200
standby 1 preempt
standby 122 ip 14.28.122.3
standby 122 timers msec 250 msec 750
standby 122 priority 150
standby 122 preempt
ipv6 address 2301:FAA6:BD0::8/64
arp timeout 60
!
interface GigabitEthernet3.123
description Remote Access
encapsulation dot1Q 123
ip address 14.28.123.1 255.255.255.0
standby use-bia scope interface
standby 123 ip 14.28.123.3
standby 123 timers msec 250 msec 750
standby 123 priority 150
standby 123 preempt
!
interface GigabitEthernet3.169
description Remote Access
encapsulation dot1Q 169
ip address 69.17.76.1 255.255.252.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 169 ip 69.17.76.3
standby 169 timers msec 250 msec 750
standby 169 priority 150
standby 169 preempt
!
interface GigabitEthernet3.300
description newscope23.148.1.0
encapsulation dot1Q 300
ip flow monitor 247MONITOR output
ip address 25.158.1.1 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 55 ip 25.158.1.3
standby 55 timers msec 250 msec 750
standby 55 priority 150
standby 55 preempt
arp timeout 60
!
interface GigabitEthernet3.504
description Remote Access
encapsulation dot1Q 504
ip address 14.218.121.2 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 100 ip 14.218.121.3
standby 100 timers msec 250 msec 750
standby 100 priority 150
standby 100 preempt
!
interface GigabitEthernet3.520
description Remote Access
encapsulation dot1Q 520
ip address 73.205.187.97 255.255.255.224
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby 250 ip 73.205.187.99
standby 250 timers msec 250 msec 750
standby 250 priority 150
standby 250 preempt
!
interface GigabitEthernet3.521
description Remote Access
encapsulation dot1Q 521
ip address 62.220.55.1 255.255.255.0
ip access-group BLOCK-SMTP in
standby use-bia scope interface
standby version 2
standby 1 ipv6 2620:FFA6:300::1/64
standby 1 priority 200
standby 1 preempt
standby 251 ip 62.220.55.3
standby 251 timers msec 250 msec 750
standby 251 priority 150
standby 251 preempt
ipv6 address 2620:FFA6:300::9/64
arp timeout 60
!
My goal is to access the internal resources in subnet 10.5.6.0/24 while using the standby router VPN. I am not sure whether an ACL or something else is blocking it. Please find the ACL and static routing below; for advertising the subnet I am using BGP.
!
ip tftp source-interface GigabitEthernet3.521
ip route 0.0.0.0 0.0.0.0 10.5.6.3 250
ip route 10.2.6.0 255.255.255.0 10.5.6.10
ip route 10.3.6.0 255.255.255.0 10.5.6.10
ip route 10.4.6.0 255.255.255.0 10.5.6.10
ip route 10.6.6.0 255.255.255.0 10.5.6.10
ip route 10.7.6.0 255.255.255.0 10.5.6.10
ip route 10.8.6.0 255.255.255.0 10.5.6.10
ip route 172.16.2.0 255.255.255.0 172.16.5.10
ip route 172.16.3.0 255.255.255.0 172.16.5.10
ip route 172.16.4.0 255.255.255.0 172.16.5.10
!
ip access-list standard SPLIT
10 permit 10.3.0.0 0.0.255.255
20 permit 10.4.0.0 0.0.255.255
30 permit 10.5.0.0 0.0.255.255
40 permit 10.6.0.0 0.0.255.255
50 permit 10.7.0.0 0.0.255.255
!
ip access-list extended BLOCK-SMTP
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip host 162.220.55.203 any
50 permit ip host 162.220.55.120 any
60 permit ip host 162.220.55.181 any
70 permit ip host 162.220.55.202 any
80 permit ip host 162.220.55.245 any
90 permit ip host 162.220.55.223 any
100 deny tcp any any eq smtp
110 deny tcp any any eq 139
120 deny tcp any any eq 445
130 permit ip any any
ip access-list extended WAN_IN
10 permit ip object-group MGMT_IPS object-group NATIVE_IPS
20 deny tcp any object-group NATIVE_IPS eq www log
30 deny tcp any object-group NATIVE_IPS eq 443 log
40 deny ip 192.168.0.0 0.0.255.255 any log
50 deny ip 10.0.0.0 0.255.255.255 any log
60 deny ip 172.16.0.0 0.15.255.255 any log
70 deny ip 104.218.121.0 0.0.0.255 any log
80 deny ip 104.218.122.0 0.0.0.255 any log
90 deny ip 104.218.123.0 0.0.0.255 any log
100 deny ip 162.220.55.0 0.0.0.255 any log
110 deny ip 169.197.76.0 0.0.3.255 any log
120 permit ip any any
ip access-list extended mgmt_access
10 permit ip 162.220.52.0 0.0.3.255 any
20 permit ip host 217.122.155.149 any
30 permit ip 69.28.248.0 0.0.0.255 any
40 permit ip 104.218.120.0 0.0.0.255 any
50 permit ip 23.148.0.0 0.0.0.255 any
60 permit ip host 68.161.210.205 any
70 permit ip 10.0.0.0 0.255.255.255 any
80 permit ip host 103.72.179.19 any
90 permit ip host 217.122.220.242 any
100 permit ip host 103.99.207.182 any
!
!
Thanks.
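Menon asks whether an ACL is blocking the flow. The following is an added example (not from the thread and not Cisco tooling): a small first-match evaluator for Cisco IOS standard and extended ACL syntax, run over the SPLIT, BLOCK-SMTP and WAN_IN entries posted above, copied here as constructed input and abridged to the entries the test flows touch. It answers what a named ACL would do to a given flow; whether that ACL is in the flow's path is a separate question answered by where it is applied, which on the posted interfaces is WAN_IN inbound on GigabitEthernet1, BLOCK-SMTP inbound on the GigabitEthernet3 sub-interfaces, and nothing on GigabitEthernet2 where 10.5.6.0/24 lives. Entries that reference object-groups are skipped rather than guessed, because MGMT_IPS and NATIVE_IPS are not defined anywhere on the page; the client source 203.0.113.10 is a made-up documentation address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the ACLs as posted in the thread, abridged to the entries the
# test flows touch. MGMT_IPS / NATIVE_IPS are object-groups whose members are not on
# the page, so entries referencing them are recorded as unsupported, not guessed.
ACL_TEXT = """
ip access-list standard SPLIT
10 permit 10.3.0.0 0.0.255.255
30 permit 10.5.0.0 0.0.255.255
ip access-list extended BLOCK-SMTP
10 deny ip any 10.0.0.0 0.255.255.255
40 permit ip host 162.220.55.203 any
100 deny tcp any any eq smtp
120 deny tcp any any eq 445
130 permit ip any any
ip access-list extended WAN_IN
10 permit ip object-group MGMT_IPS object-group NATIVE_IPS
30 deny tcp any object-group NATIVE_IPS eq 443 log
50 deny ip 10.0.0.0 0.255.255.255 any log
120 permit ip any any
"""
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Acl:
    name: str
    kind: str                                          # "standard" or "extended"
    entries: list = field(default_factory=list)
    unsupported: list = field(default_factory=list)    # seqs this model cannot evaluate


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco 'address wildcard' -> network; only contiguous wildcards are modelled."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():  # a wildcard follows the address
        return wildcard_to_network(tok[i], tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/32"), i + 1


def parse_acls(text: str) -> dict:
    """Parse 'ip access-list standard|extended NAME' blocks into Acl objects by name."""
    acls, cur = {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "access-list"]:
            cur = acls[tok[3]] = Acl(tok[3], tok[2])
            continue
        seq, action = int(tok[0]), tok[1]
        if "object-group" in tok:
            cur.unsupported.append(seq)
            continue
        if cur.kind == "standard":                     # standard ACLs match source only
            cur.entries.append(Entry(seq, action, "ip", _parse_addr(tok, 2)[0], ANY, None))
            continue
        src, i = _parse_addr(tok, 3)                   # source ports ('eq' after src) not modelled
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        cur.entries.append(Entry(seq, action, tok[2], src, dst, dport))
    return acls


def evaluate(acl: Acl, src: str, dst: str = "0.0.0.0", proto: str = "ip",
             dport: Optional[int] = None):
    """First-match evaluation: returns (action, seq); the implicit deny is ('deny', None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl.entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or (acl.kind == "extended" and d not in e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    print("SPLIT covers 10.5.6.50:", evaluate(acls["SPLIT"], "10.5.6.50"))
    print("BLOCK-SMTP pool->LAN tcp/445:", evaluate(acls["BLOCK-SMTP"], "10.5.6.111", "10.5.6.50", "tcp", 445))
    print("WAN_IN client->listener tcp/3443:", evaluate(acls["WAN_IN"], "203.0.113.10", "17.25.185.18", "tcp", 3443),
          "skipped seqs", acls["WAN_IN"].unsupported)
```

Run against the posted entries: SPLIT does include 10.5.6.x (seq 30), so the split-tunnel route set is not what keeps the client away from the LAN. BLOCK-SMTP would deny a pool address talking to a 10.5.6.x host at its very first entry, but it is applied only on the GigabitEthernet3 sub-interfaces, not on GigabitEthernet2. WAN_IN permits an Internet client reaching the 17.25.185.18:3443 listener at seq 120 after the two object-group entries are skipped, and its seq 50 drops any packet arriving on G1 with a 10/8 source, which is the entry to look at if VPN-pool traffic were ever to arrive on the ISP-facing interface unencrypted.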