06-01-2012 07:04 AM - edited 03-04-2019 04:32 PM
Hello,
I've got some issues with a router config.
We have two PPPoE WAN connections with static IPs.
Normal Internet access with NAT should go through DSL-1 (failover to DSL-2).
Static NAT (port forwarding) and our RAS VPN should work on both external IPs.
Two site-to-site VPNs should go over DSL-2 (failover to DSL-1).
Here is my config so far:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.100.5 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip source-route
ip cef
!
!
ip domain name xxxxxx.de
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
...
redundancy
!
!
!
!
ip scp server enable
!
track 1 ip sla 1
delay down 5 up 2
!
track 2 ip sla 2
delay down 5 up 2
!
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 16
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key dummy address Site1-IP
crypto isakmp xauth timeout 10
!
crypto isakmp client configuration group RAS_VPN_1
key udfgdfg
pool SDM_POOL_1
acl 150
max-users 30
netmask 255.255.255.192
!
crypto isakmp client configuration group RAS_VPN_2
key asdfasdfsdf
pool SDM_POOL_2
acl 151
max-users 30
netmask 255.255.255.192
!
crypto isakmp profile ciscocp-ike-profile-1
match identity group RAS_VPN_1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group RAS_VPN_2
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set RAS_VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
description RAS VPN 1
set security-association idle-time 3600
set transform-set RAS_VPN
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
description RAS VPN 2
set security-association idle-time 3600
set transform-set RAS_VPN
set isakmp-profile ciscocp-ike-profile-2
!
!---VPN: Site-to-Site
crypto ipsec transform-set VPN esp-aes 256 esp-sha512-hmac
!
crypto map D1_Site 10 ipsec-isakmp
set peer Site1_ip
set transform-set VPN
match address VPN_1
crypto map D1_Site 20 ipsec-isakmp
set peer Site1_ip
set transform-set VPN
match address VPN_2
!
!
!
!
!--- Interface Configuration
interface Loopback0
ip address 192.168.230.1 255.255.255.192
!
interface Loopback1
ip address 172.20.230.1 255.255.255.192
!
interface GigabitEthernet0/0
description green
no ip address
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description LAN
encapsulation dot1Q 2 native
ip address 192.168.100.2 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface GigabitEthernet0/1
description WI orange
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description LAN 2
encapsulation dot1Q 1 native
ip address 172.20.100.2 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly in
!
interface FastEthernet0/0/0
description DSL-1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/1
description DSL-2
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Virtual-Template1 type tunnel
description RAS-VPN 1
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
description RAS-VPN 2
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dialer1
description DSL-1 (VDSL)
ip address negotiated
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map D1_Site
!
interface Dialer2
description DSL-2 (T-DSL)
ip address negotiated
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map D1_Site
!
ip local pool SDM_POOL_1 192.168.230.34 192.168.230.62
ip local pool SDM_POOL_2 172.20.230.34 172.20.230.62
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-port 10443
ip http timeout-policy idle 60 life 86400 requests 10000
!
!--- DNS Server
ip dns server
!
!--- NAT
ip nat inside source route-map NAT_DSL-1 interface Dialer1 overload
ip nat inside source route-map NAT_DSL-2 interface Dialer2 overload
!
!--- NAT Access-Lists
access-list 100 remark -= Outgoing NAT -> DSL-1 =-
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark -= Outgoing NAT -> DSL-2 =-
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!--- Policy-Based-Routing Access-List
access-list 110 remark -= PBR 1 =-
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
!
!--- Routing
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
!
!--- VPN Access-Lists
ip access-list extended VPN_1
permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended VPN_2
permit ip 172.20.100.0 0.0.0.255 172.20.110.0 0.0.0.255
!
access-list 150 remark -= RAS VPN 1 =-
access-list 150 remark CCP_ACL Category=4
access-list 150 permit ip 192.168.100.0 0.0.0.255 any
access-list 151 remark -= RAS VPN 2 =-
access-list 151 remark CCP_ACL Category=4
access-list 151 permit ip 172.20.100.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!--- Route Maps
route-map NAT_DSL-1 permit
match ip address 100
match interface Dialer1
!
route-map NAT_DSL-2 permit
match ip address 101
match interface Dialer2
!
route-map PBR permit 10
match ip address 110
set interface Dialer 1
route-map PBR permit 20
match ip address 110
set interface Dialer 2
!
!
ip radius source-interface GigabitEthernet0/0.1
!
ip sla 1
icmp-echo Dialer1_ip
tag Check DSL-1
threshold 300
timeout 500
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo Dialer2_ip
tag Check DSL-2
threshold 300
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
!
radius-server host 192.168.100.5 auth-port 1645 acct-port 1646 timeout 10 key xxxxx
....
end
My problems start very early: sometimes I'm not able to ping anything outside. Have you got some suggestions for me?