08-11-2009 12:55 AM - edited 03-04-2019 05:42 AM
I have a Cisco 1811 router and am trying to configure:
1- 2 Internet connections
one has a live IP (WiMAX)
the second one is direct DSL
2- IPsec VPN on the WiMAX connection
I am doing policy-based routing and having some problems:
1- The 2 Internet connections work properly, but the VPN doesn't connect
2- As soon as I disable the second Internet connection, my VPN connects.
Please advise. I can send you my network diagram and configuration.
08-11-2009 11:15 AM
Hi,
It seems your VPN traffic is routed over your DSL line and it shouldn't...
Could you post your config and describe what you want to achieve in terms of routing policy?
Thanks
Laurent.
08-11-2009 07:19 PM
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
ip cef
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 58.27.233.210 no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool ippool
 acl 111
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer 58.27.233.210
 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 58.27.232.18 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.74.1 255.255.255.0
 ip access-group Internet in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map send_vpn
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
no ip http server
no ip http secure-server
ip nat inside source list deny_vpn_go_nat interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended Internet
 permit ip host 10.16.6.11 any
 permit ip host 10.16.7.12 any
 permit ip 192.168.74.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 192.168.2.2 any
 permit ip host 192.168.2.3 any
ip access-list extended deny_vpn_go_nat
 deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 any
 permit ip any any
ip access-list extended id_vpn
 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
!
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 58.27.232.17
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
webvpn context Default_context
 ssl authenticate verify all
08-11-2009 07:47 PM
In the configuration posted above, I am trying to achieve:
1- Running 2 Internet connections at the same time
2- Soft VPN
3- Site-to-site VPN with the other regional office
4- VPN traffic will pass through fa1
5- General Internet traffic will pass through fa0
Internet load balancing is not required.
Please advise
08-12-2009 05:44 AM
Hi,
Thanks for the info.
In this case, I would remove the NAT config related to Fast1 and add static routes for 192.168.55.0 (soft VPN) and the regional offices via Fast1.
I would also remove the PBR applied on VLAN 1.
This way traffic will be forwarded based on the routing table.
interface FastEthernet1
 no ip nat outside
!
no ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.55.0 255.255.255.0 58.27.232.17
ip route
!
no ip nat inside source route-map send_vpn interface FastEthernet1 overload
!
int vlan 1
 no ip policy route-map send_vpn
!
Now because VPN traffic is already routed via Fast1, you don't need the deny entry in deny_vpn_go_nat ACL.
I assume you already know there is no redundancy.
HTH
Laurent.
08-12-2009 07:04 PM
Hi,
Disabling PBR on int vlan 1 will prohibit the Internet connection to Wateen, won't it?
Please see the attached sample network diagram.
I want my servers in the DMZ to communicate with VPN users via the Wateen connection,
and the users on the Inside (core switch 3560) must use the PTCL connection,
so that the Wateen connection will be dedicated to VPN traffic only.
Please advise.
08-16-2009 09:04 PM
HI GUYSsssssssss..........
PLEASE HELP ME.......
08-16-2009 09:50 PM
Hi
I am having difficulties posting my reply; the thread is not being updated for an unknown reason.
You can keep your PBR on VLAN1 if you don't want to use static routes to reach your remote VPN subnets.
Also, you need to configure a local PBR so the router will not use the default route to send its IKE/IPsec packets:
access-list 101 permit esp host 58.27.232.18 any
access-list 101 permit udp host 58.27.232.18 eq isakmp any
access-list 101 permit udp host 58.27.232.18 any eq isakmp
!
route-map IPSEC permit 10
 match ip address 101
 set ip next-hop 58.27.232.17
!
ip local policy route-map IPSEC
!
HTH
Laurent.
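The point Laurent makes in his last reply (interface PBR on Vlan1 only steers transit traffic, while the router's own IKE and ESP packets follow the default route toward the DSL side unless an `ip local policy` is configured) can be checked with a small model of the forwarding decision. The following Python script is an added illustration and is not part of the thread, nor the poster's or Laurent's configuration. It takes the interface addresses, the default and 192.168.1.0/24 static routes, ACL `id_vpn`/route-map `send_vpn` and ACL 101/route-map `IPSEC` from the posts above; the LAN host 192.168.74.10 and the pool client 192.168.55.120 are constructed sample addresses. The model covers longest-prefix lookup and policy routing only, not NAT or the crypto engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Address, IPv4Network = ipaddress.IPv4Address, ipaddress.IPv4Network
ISAKMP = 500

def wc(spec: str) -> IPv4Network:
    """Parse a Cisco ACL address spec ('any', 'host A.B.C.D', 'A.B.C.D wildcard'); contiguous wildcards only."""
    parts = spec.split()
    if parts[0] == "any":
        return IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return IPv4Network(parts[1] + "/32")
    addr, wild = parts
    wild_int = int(IPv4Address(wild))
    if (wild_int + 1) & wild_int:
        raise ValueError(f"non-contiguous wildcard not supported: {wild}")
    return IPv4Network(f"{addr}/{32 - wild_int.bit_length()}", strict=False)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" (any), "udp" or "esp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and IPv4Address(p.src) in self.src and IPv4Address(p.dst) in self.dst
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def acl_permits(acl, p: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for a in acl:
        if a.matches(p):
            return a.action == "permit"
    return False

# Connected networks from the posted interface addresses.
CONNECTED = {
    "FastEthernet0": IPv4Network("192.168.95.0/24"),  # DSL (PTCL) side; the default route points here
    "FastEthernet1": IPv4Network("58.27.232.16/29"),  # WiMAX (Wateen) side; crypto map applied here
    "Vlan1": IPv4Network("192.168.74.0/24"),          # inside LAN
}
# Static routes as (prefix, next hop), from the posted config.
ROUTES = [(IPv4Network("0.0.0.0/0"), "192.168.95.1"),
          (IPv4Network("192.168.1.0/24"), "192.168.74.2")]
# ACL id_vpn + route-map send_vpn: the interface PBR applied on Vlan1 in the posted config.
SEND_VPN = ([Ace("permit", "ip", wc("192.168.74.0 0.0.0.255"), wc("192.168.55.0 0.0.0.255")),
             Ace("permit", "ip", wc("192.168.1.0 0.0.0.255"), wc("any"))], "58.27.232.17")
# ACL 101 + route-map IPSEC: the local PBR from Laurent's last reply.
IPSEC_LOCAL = ([Ace("permit", "esp", wc("host 58.27.232.18"), wc("any")),
                Ace("permit", "udp", wc("host 58.27.232.18"), wc("any"), sport=ISAKMP),
                Ace("permit", "udp", wc("host 58.27.232.18"), wc("any"), dport=ISAKMP)], "58.27.232.17")

def egress_for(next_hop: str) -> str:
    for name, net in CONNECTED.items():
        if IPv4Address(next_hop) in net:
            return name
    raise ValueError(f"next hop {next_hop} is not on a connected network")

def table_lookup(dst: str) -> str:
    """Longest-prefix match over connected networks and static routes."""
    candidates = [(n, name) for name, n in CONNECTED.items()] + [(p, egress_for(nh)) for p, nh in ROUTES]
    hits = [c for c in candidates if IPv4Address(dst) in c[0]]
    return max(hits, key=lambda c: c[0].prefixlen)[1]   # ValueError if there is no route at all

def forward(p: Packet, ingress: str, interface_pbr: dict, local_pbr) -> str:
    """Egress interface for a packet. ingress is the arrival interface, or 'local' for packets the router
    itself generates (IKE, ESP). Interface PBR never sees router-originated packets; only 'ip local policy'
    does. A policy hit wins; otherwise the routing table decides."""
    policy = local_pbr if ingress == "local" else interface_pbr.get(ingress)
    if policy is not None and acl_permits(policy[0], p):
        return egress_for(policy[1])
    return table_lookup(p.dst)

PEER = "58.27.233.210"  # site-to-site peer from the posted crypto map
IKE = Packet("58.27.232.18", PEER, "udp", sport=ISAKMP, dport=ISAKMP)
LAN_TO_VPN_CLIENT = Packet("192.168.74.10", "192.168.55.120")  # constructed LAN host -> pool client
LAN_TO_INTERNET = Packet("192.168.74.10", "203.99.163.240")    # same host -> the posted public name server

def scenarios() -> dict:
    pbr = {"Vlan1": SEND_VPN}
    return {"ike_without_local_policy": forward(IKE, "local", pbr, None),
            "ike_with_local_policy": forward(IKE, "local", pbr, IPSEC_LOCAL),
            "lan_to_vpn_pool": forward(LAN_TO_VPN_CLIENT, "Vlan1", pbr, IPSEC_LOCAL),
            "lan_to_internet": forward(LAN_TO_INTERNET, "Vlan1", pbr, IPSEC_LOCAL)}
```

Running `scenarios()` shows the mismatch the thread is about: without the local policy the router's IKE packet to 58.27.233.210 leaves on FastEthernet0, where no crypto map is applied and the DSL NAT rewrites its source, while with `ip local policy route-map IPSEC` it leaves on FastEthernet1; LAN traffic to the 192.168.55.0/24 pool is steered to FastEthernet1 by `send_vpn` and ordinary Internet traffic still follows the default route. Only contiguous wildcard masks are parsed, which is all the posted ACLs use.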