Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

bostonacuk · ‎03-29-2011

Hello,

We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.

I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.

I had a look at ppp multilink but I am unsure our ISP (BT) support this?

This is my current config which I think only one ADSL line is being used. Some input would be appreciated

Robbie

!
! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx

!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxx

enable password xxxx

!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-xxxxxx

enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
revocation-check none
rsakeypair TP-self-signed-xxxxx!
!
crypto pki certificate chain TP-self-signed-xxxxxx

certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
license udi pid CISCO1921/K9 xxxxx

!
!
username admin privilege 15 secret 5 xxxxxxxxxx/
!
!
!
!
!
!
interface GigabitEthernet0/0
description lan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0/0/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
mtu 1483
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxxx

ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
!
interface Dialer1
mtu 1483
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxxx

ppp link reorders
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 10.0.0.0 0.254.255.255
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Fabrice Ducomble · ‎04-07-2011

Since both DSL links are with same provider, check first if he's providing some sort of load balacing mechanism (MPPP or any layer3 sharing). That's always the best way to achieve efficient load sharing.

If he doesn't, you can look at the below CCO doc which gives an example for load balacing with dynamic NAT. 
You need in your case 2 default static route and likely use object tracking to check connectivity.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

Finally, if you want also to make internal server accessible via both links, you'll need to look at the below post in case provider in using uRPF.

https://supportforums.cisco.com/message/3297523#3297523

Thx,

Fabrice

bostonacuk · ‎04-08-2011

How would this work with a VPN currently over Dialer2? Would I apply the same site to site VPN on the other Dialer?

Can you see any reason why it isnt possible to connect via Dialer0 from the outside? doesnt ping or anything

Robbie

Fabrice Ducomble · ‎04-08-2011

I guess the router is terminating a VPN connection and you would like to get redundancy for this VPN connection, correct ?

If yes, that's not a big deal if VPN users need only to access internal services (accessing the Internet through the VPN is another story). This only requires PBR on the inside interface to force traffic destined to private IPs to the selected primary dialer. You need as well to use next-hop tracking to make sure we fall back to secondary dialer when primary is not working properly.

route-map PBR-LAN permit 10

match ip address IPSEC

set ip next-hop verify-availability 10 track 1

set ip next-hop verify-availability 20

!

ip access-list extended IPSEC

permit ip

Having said that, with dialer, we typically don't know the next-hops IP so you might then need to use a fake next-hop (1.1.1.1 for ex) in PBR and use tracking in static route defined for the fake next-hop :

route-map PBR-LAN permit 10

match ip address IPSEC

set ip next-hop recursive 1.1.1.1

ip route 1.1.1.1 255.255.255.255 track 1
ip route 1.1.1.1 255.255.255.255 track 2

ip access-list extended IPSEC

permit ip

N.B. track 1 and track 2 could track whatever known (and always available, typically DNS servers) address on the Internet and specify source IP of probe being primary dialer for track 1 and secondary dilaer for track 2...

Regarding the reachability problem you mentioned, I guess this shows provider is using uRPF so you need to make sure that packets originated by the router are sent out based on source IP. This is achieved with local PBR but might be a challenge to define the acl if address provided dynamically by provider is not within a pre-defined range...

ip local policy route-map LOCAL-PBR
!
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
set interface dialer0
!
route-map LOCAL-PBR permit 20
match ip address DILAER1-ADD
set interface dialer1
!
ip access-list extended DIALER-0-ADD
permit ip [range of IPs for dialer0] any
ip access-list extended DIALER-1-ADD
permit ip [range of IPs for dialer1] any

bostonacuk · ‎04-08-2011

ip local policy route-map LOCAL-PBR
!
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
set interface dialer0
!
route-map LOCAL-PBR permit 20
match ip address DIALER2-ADD
set interface dialer2
!
ip access-list extended DIALER-0-ADD
permit ip 217.35.xx.xxx any
ip access-list extended DIALER-2-ADD
permit ip 217.36.xx.xx any

The range for the dialer is that the LAN? or the dialers static ip?

Thanks

Robbie

Shawn Munster · ‎04-04-2015

Hi,

Can anyone help me with this config? not very reliable.

Building configuration...

Current configuration : 17349 bytes
!
! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!

ip port-map user-protocol--8 port udp 3392
ip port-map user-protocol--9 port tcp 3397
ip port-map user-protocol--2 port udp 3391
ip port-map user-protocol--3 port tcp 14000
ip port-map user-protocol--1 port tcp 3391
ip port-map user-protocol--6 port udp 3394
ip port-map user-protocol--7 port tcp 3392
ip port-map user-protocol--4 port udp 14100
ip port-map user-protocol--5 port tcp 3394
ip port-map user-protocol--10 port udp 3397
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.10.1 192.168.10.49
!
ip dhcp pool DHCP_POOL1
import all
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.1.1
lease infinite
!
ip dhcp pool ccp-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.10.1
lease infinite
!
!
!
no ip bootp server
ip host SHAWN-PC 192.168.1.10
ip host DIAG 192.168.1.5
ip host MSERV 192.168.1.13
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1982477479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1982477479
revocation-check none
rsakeypair TP-self-signed-1982477479
!
!
license udi pid

license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode adsl2+
!
controller VDSL 0/1/0
operating mode adsl2+
no cdp run
track timer interface 5
!
track 1 interface Dialer0 ip routing
delay down 15 up 10
!
track 2 interface Dialer1 ip routing
delay down 15 up 10
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 104
match protocol user-protocol--7
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 101
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 103
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 103
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 102
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--7-2
match access-group 101
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 102
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 102
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--8-2
match access-group 101
match protocol user-protocol--8
class-map type inspect match-all sdm-nat-user-protocol--9-2
match access-group 104
match protocol user-protocol--9
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 101
match protocol user-protocol--9
match access-group 104
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 104
match protocol user-protocol--8
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--10-2
match access-group 104
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 101
match protocol user-protocol--10
match access-group 104
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-user-protocol--7-2
inspect
class type inspect sdm-nat-user-protocol--8-2
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--9-2
inspect
class type inspect sdm-nat-user-protocol--10-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0/0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Ethernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface GigabitEthernet0/3/4
no ip address
!
interface GigabitEthernet0/3/5
no ip address
!
interface GigabitEthernet0/3/6
no ip address
!
interface GigabitEthernet0/3/7
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname erescu0@direct.telstra.net
ppp chap password 7 1444405858557A
ppp pap sent-username erescu0@direct.telstra.net password 7 135645415F5D54
ppp multilink
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname mun17238880@direct.telstra.net
ppp chap password 7 01475E540E5D55
ppp pap sent-username mun17238880@direct.telstra.net password 7 055F5E5F741A1D
ppp multilink
!
!
!
router eigrp as#
!
!
router eigrp 10
network 192.168.1.1 0.0.0.0
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
!
ip access-list extended NAT
remark CCP_ACL Category=18
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
remark CCP_ACL Category=1
ip access-list extended STATIC-NAT-SERVICES
permit ip host 192.168.1.35 any
permit ip host 192.168.1.5 any
permit ip host 192.168.1.10 any
permit ip host 192.168.1.17 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0
!
route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1
!
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 10 remark INSIDE_IF=NAT
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 139.130.227.0 0.0.0.255 any
access-list 100 permit ip 203.45.106.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.10
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.35
access-list 101 permit tcp any any eq www
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.17
!
!
!
control-plane
!
!
banner login ^CCE-Rescue Systems^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Thanks

Shawn

Fabrice Ducomble · ‎04-08-2015

Hi Shawn,

What part of your config doesn't work as you expect ? Static NAT, Dynamic NAT, failover, etc.. ?

Thx,

Fabrice

Shawn Munster · ‎05-17-2015

Hi Fabrice,

I have been trying to get load balancing between the two ADSL connections

and still have incoming connections to my servers.

when I have equal routes gives me that best download speeds.

but no connection from the outside.

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2

is the only way for connections to servers work.

Regards,

Shawn.

Building configuration...

Current configuration : 13178 bytes
!
! Last configuration change at 11:04:44 UTC Sun May 17 2015 by Shawn
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!

ip port-map user-protocol--2 port udp 3392
ip port-map user-protocol--3 port tcp 3391
ip port-map user-protocol--1 port tcp 3392
ip port-map user-protocol--6 port tcp 14100
ip port-map user-protocol--4 port udp 3391
ip port-map user-protocol--5 port tcp 14000
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
!
ip dhcp pool DHCP_POOL
import all
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.1.1
lease infinite
!
!
!
no ip bootp server
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1982477479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1982477479
revocation-check none
rsakeypair TP-self-signed-1982477479
!
!
crypto pki certificate chain TP-self-signed-1982477479
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393832 34373734 3739301E 170D3135 30353137 30393236
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39383234
37373437 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1DB 80FC4173 9A6E3809 D6B9D26A 4504D057 91E3B29E 9A280AD8 84D9B75E
EE54A95B 8155046E 35ED13AF 10737E6D C8C9D659 B0FA175C BCD2D8EC E7DCC788
3E2DA4B4 1436F8D6 D0258736 D1885668 E7194CB3 8F06C778 DE8AE70E B4F35A6E
5A62104F 09BD44A3 50EB257D 6DB0349D DB36E30F AD01E8B7 BD74621A A8504316
971B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14CD9762 FE2A5E12 48E75D7D 4F94431E 82833562 DB301D06
03551D0E 04160414 CD9762FE 2A5E1248 E75D7D4F 94431E82 833562DB 300D0609
2A864886 F70D0101 05050003 81810088 DACB0EB9 A2FC089B 161BE708 4EC0A57C
5370CDB7 8FE0056B FC0ABE79 61C17024 C33FD98D 9F09E506 08EB4558 1DD62FC5
98274FA0 268F0273 2929797C 0964AD41 70B577F7 ABA65C72 A24FC2A5 236D12EB
D042DD57 3855CF69 89A46260 607BF44B DBB00AFF FB724591 5889F9C9 273A488D
B6089B42 E20C4AC5 43C344CA B3F5DA
quit
license udi pid CISCO2901/K9 sn
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
username Shawn privilege 15 secret 5
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode adsl2+
!
controller VDSL 0/1/0
operating mode adsl2+
no cdp run
!
track 1 ip sla 1
delay down 20 up 10
!
track 2 ip sla 2
delay down 20 up 10
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 103
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 103
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 102
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 102
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface GigabitEthernet0/3/4
no ip address
!
interface GigabitEthernet0/3/5
no ip address
!
interface GigabitEthernet0/3/6
no ip address
!
interface GigabitEthernet0/3/7
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password 7

interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname
ppp chap password
!
!
!
router eigrp 1
variance 2
network 192.168.1.0
!
router ospf 1
maximum-paths 2
!
router rip
network 192.168.1.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.35 3391 203.45.106.133 3391 extendable
ip nat inside source static udp 192.168.1.35 3391 203.45.106.133 3391 extendable
ip nat inside source static tcp 192.168.1.5 3392 203.45.106.133 3392 extendable
ip nat inside source static udp 192.168.1.5 3392 203.45.106.133 3392 extendable
ip nat inside source static tcp 192.168.1.10 14000 203.45.106.133 14000 extendable
ip nat inside source static tcp 192.168.1.10 14100 203.45.106.133 14100 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 192.168.1.0 255.255.255.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2
ip route 192.168.1.0 255.255.255.0 Dialer1 10 track 2
!
ip access-list extended NAT
remark Be sure to exclude remote LANs in this ACL
deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
ip sla 1
icmp-echo 203.45.253.1 source-interface Dialer0
threshold 4000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 203.45.253.1 source-interface Dialer1
threshold 4000
frequency 5
ip sla schedule 2 life forever start-time now
logging trap debugging
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0
!
route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1
!
!
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.10
!
!
!
control-plane
!
!
banner login ^CERS^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Fabrice Ducomble · ‎04-08-2011

Depends what you want to achieve with this route-map ?

Applying PBR on dialer is only needed to handle Internet traffic through VPN connection.

Thx,

Fabrice

bostonacuk · ‎04-08-2011

Sorry Fabrice I had two parts of your config meshed together. I have corrected it above and the local PBR works

Now that is working I will move onto the next step of using both lines for VPN

Robbie

bostonacuk · ‎04-11-2011

This is where I am at now. LOCAL PBR working as is 1 VPN. I want to now either balance that VPN to the other Dialer or set specific IP's for the other dialer(these might be assigned to he IP range of the main dialers VPN)

The bits im confused on which is stopping me making progress is

SDM_RMAP_4? What is this it was auto generated and denying IP's?

It is also used here ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx

!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.150-1.M5.bin
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxx

enable password xxxx

!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2263841940
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2263841940
revocation-check none
rsakeypair TP-self-signed-2263841940
!
!
crypto pki certificate chain TP-self-signed-2263841940
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
29816CC6 F92D9FB0
6C1C45F6 05A25ED0 9C81C940 43C0B3CC 617F46
quit
license udi pid CISCO1921/K9 sn FCZ1512905W
!
!
username admin privilege 15 secret 5 xxxx

!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 9
encr 3des
authentication pre-share
crypto isakmp key xxxx address xxxxxx

crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA3
set pfs group2
match address 107
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA5
set pfs group2
match address 104
!
!
!
!
!
interface GigabitEthernet0/0
description spaldinglan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0

ip policy route-map PBR-LAN
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside

ip access-group spalding in
ip access-group spalding out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname xxxx

ppp chap password 0 xxxx

no cdp enable

crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
interface Dialer2
mtu 1452
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxx

no cdp enable
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
ip local policy route-map LOCAL-PBR
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload
ip route 1.1.1.1 255.255.255.255 Dialer2 track 1
ip route 1.1.1.1 255.255.255.255 Dialer0 track 2
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended DIALER-0-ADD
permit ip host dialerip any
ip access-list extended DIALER-2-ADD
permit ip host dialerip any
ip access-list extended STATIC-NAT-ISP1
permit ip 10.0.8.0 0.0.7.255 any
ip access-list extended STATIC-NAT-ISP2
permit ip 10.0.8.0 0.0.7.255 any
ip access-list extended nat3
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended rule2
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended spalding
remark CCP_ACL Category=1
remark IPSec Rule
permit ip 192.168.100.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip host 172.16.222.30 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.x.x.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.x.x.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.0.0 0.0.7.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 194.0.0.0 0.255.255.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
remark IPSec Rule
permit ip 172.16.0.0 0.0.255.255 10.0.8.0 0.0.7.255
permit udp host xxxxxx any eq non500-isakmp
permit udp host xxxxxx any eq isakmp
permit esp host xxxxxx any
permit ahp host xxxxxx any
permit ip any any
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.254.255.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.0.8.0 0.0.7.255 host 172.16.222.30
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.59.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.58.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.100.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 xx.xx.58.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 xx.xx.59.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 108 permit ip 10.0.0.0 0.254.255.255 any
access-list 108 permit ip 172.16.0.0 0.0.0.255 any
access-list 108 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
set interface Dialer0
!
route-map LOCAL-PBR permit 20
match ip address DIALER2-ADD
set interface Dialer2
!

route-map PBR-LAN permit 10
match ip address 107
set ip next-hop recursive 1.1.1.1
!
route-map SDM_RMAP_4 permit 1
match ip address 108
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

bostonacuk · ‎04-12-2011

I have read that the IPSEC VPN I am using doesn't support load balancing and that I need to use GRE over IPSEC

http://www.dslreports.com/faq/10380

If I find out more i'll post here but if anyone can help me quicker this would be appreciated. The peer device is a watchguard firebox and not a cisco router

Robbie

Fabrice Ducomble · ‎04-13-2011

There is indeed no way to use both DSL connections simultaneously for VPN traffic, no matter the tunnel type.

You can only use the 2 DSLs in failover scenario (2nd DSL only used when primary stops working).

Hope this helps,

Fabrice

chad patterson · ‎01-16-2013

No need to listen to the naysayers, I have actually acheived this exact setup on a Cisco 2801 with dual HWIC-1ADSL cards, and the performance is outstanding, (so far). You just have to use route-maps with tracking (I tried CEF with load-sharing and it didn't work so well). I used this page for resources:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml