DSL backup for T1 problem

prafuljaded
Level 3

My network has a T1 primary with DSL backup. The T1 is on Serial0/0 and the DSL is on Ethernet1/0.

When the T1 goes down, the DSL doesn't kick in and I lose IPsec connectivity to this router's LAN.

Should I be adding the statement 'ip nat inside source route-map nonat pool dsl overload' to the config below? Can anyone verify it? I can't take the T1 down during these hours.

Config:
-------
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 12000 debugging
enable secret 5 xxxx
username router password 7 xxxx
memory-size iomem 20
clock timezone central -6
no aaa new-model
ip subnet-zero
!
no ip domain lookup
ip name-server 21x.x.x.x
ip name-server 21x.x.x.y
!
ip cef
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key #### 65.x.x.1
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-sha-hmac
!
crypto map cm 1 ipsec-isakmp
 set peer 65.x.x.1
 set transform-set cm-transformset-1
 match address 120
!
interface FastEthernet0/0
 ip address 192.168.148.254 255.255.255.0
 ip helper-address 192.168.x.x
 ip helper-address 192.168.y.y
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 ip address 10.1.x.x 255.255.255.252
 ip nat outside
 no fair-queue
 service-module t1 remote-alarm-enable
 crypto map cm
 ip rtp header-compression
!
interface Ethernet1/0
 ip address 20.1.1.x 255.255.255.248
 ip nat outside
 half-duplex
 crypto map cm
!
router eigrp 1
 redistribute connected
 passive-interface FastEthernet0/0
 network 192.168.148.0
 network 192.168.251.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool branch 10.1.1.1 10.1.1.1 netmask 255.255.255.252
ip nat pool dsl 20.1.x.x.1.1.1 netmask 255.255.255.248
ip nat inside source route-map nonat pool branch overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 e1/0 130
access-list 120 permit ip 192.168.148.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 deny ip 192.168.148.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip 192.168.148.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130

Praful

3 Replies

thisisshanky
Level 11

NAT is required only for communication from the LAN side of the router to the internet side. The reason IPsec could be dropping here is a crypto map configuration error. This is a LAN-to-LAN tunnel, so peer addresses have to be defined. On the remote side you would have set the peer address to be 10.1.1.1 (the Serial0 IP address), but when the T1 goes down, the tunnel needs to be re-established to 20.1.1.1. For this to happen you should have two crypto maps at the remote side as well as two ISAKMP peers set for 10.1.1.1 and 20.1.1.1. Have you verified whether this has been configured?

For inside-to-outside access (for hosts), make sure you configure two "ip nat inside source" commands, one for each pool. Check NAT with route-maps in this link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
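An added IOS configuration fragment (example, not code from the original post or from the linked tech note) showing the two NAT statements the reply above describes. It reuses access-list 130 and the pools "branch" and "dsl" from the posted config; the route-map names nonat-t1 and nonat-dsl are hypothetical. The "match interface" clause is what lets IOS choose the pool by the interface the active default route points at, so a second statement with the same route-map "nonat" would not do the job on its own. The ISAKMP keepalive line is an additional suggestion of this example, not something the thread recommends: it makes the router detect that the SAs built over the T1 address are dead so that the next packet rebuilds them from Ethernet1/0 rather than waiting for the 120-second SA lifetime.

```ios
! Added example (not from the thread): one route-map per egress interface
route-map nonat-t1 permit 10
 match ip address 130
 match interface Serial0/0
!
route-map nonat-dsl permit 10
 match ip address 130
 match interface Ethernet1/0
!
! Replace the single NAT statement with one per pool. IOS refuses to remove
! a NAT rule while translations exist, so clear them first (this drops
! current NAT sessions; do it in the same maintenance window as the test).
clear ip nat translation *
no ip nat inside source route-map nonat pool branch overload
ip nat inside source route-map nonat-t1 pool branch overload
ip nat inside source route-map nonat-dsl pool dsl overload
!
! Added suggestion: dead-peer detection so ISAKMP SAs sourced from the T1
! address are torn down when the T1 fails (10 s interval, 3 retries).
crypto isakmp keepalive 10 3
```

Because access-list 130 already denies 192.168.148.0/24 to 192.168.0.0/16, the site-to-site traffic stays un-NATed on either path and still matches crypto ACL 120, so only the internet-bound traffic changes pool when the default route moves from Serial0/0 to Ethernet1/0.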

Thanks Sankar. I have a PIX on the other end and have all the configs below, working fine as far as I can tell.

crypto map xxx 2 ipsec-isakmp
crypto map xxx 2 match address xxx051
crypto map xxx 2 set peer 10.1.1.1
crypto map xxx 2 set peer 20.1.1.1
crypto map xxx 2 set transform-set tripledes
crypto map xxx 2 set security-association lifetime seconds 120 kilobytes 4608000
crypto map xxx interface outside
crypto ipsec transform-set tripledes esp-3des esp-sha-hmac
sysopt connection permit-ipsec
access-list xxx051 permit ip 192.168.0.0 255.255.0.0 192.168.148.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 192.168.148.0 255.255.255.0
isakmp key xxx address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key xxx address 20.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
isakmp identity address
nat (inside) 0 access-list nonat
nat (inside) 1 0.x.x.x.0.0.0 0 0

Praful

Praful,

Can you get the debug output of "debug crypto isakmp" when the T1 fails and IPsec tries to establish over the DSL tunnel? (Do the debugs during off-peak hours.) Also, have you tried configuring two separate instances of the crypto map on the PIX with individual "set peer" commands?

Sankar.

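An added example (not from the thread) of how to run the failover test the reply above asks for on the IOS router, so the debug output is captured without locking up the box. It assumes console access or an SSH/telnet session to the router and that the T1 is failed either physically or by shutting Serial0/0 in a maintenance window; the logging buffer size is an assumed value.

```ios
! Added example (not from the thread): capture ISAKMP/IPsec debugs during a failover test
configure terminal
 ! send debugs to the buffer, not the console, so a burst cannot stall the session
 logging buffered 64000 debugging
 no logging console
 service timestamps debug datetime msec localtime show-timezone
end
!
! Baseline before the failover: which default route is active, NAT and SA state
show ip route 0.0.0.0
show ip nat translations
show crypto isakmp sa
show crypto ipsec sa
!
! Start the debugs, then fail the T1 (or "shutdown" Serial0/0 in config mode)
debug crypto isakmp
debug crypto ipsec
!
! Once the default route has moved to Ethernet1/0, confirm the new SA is built
! from the DSL address and that new translations use the dsl pool
show ip route 0.0.0.0
show crypto isakmp sa
show ip nat translations
!
! Stop debugging and pull the buffer for the thread
undebug all
show logging
```

In "show crypto isakmp sa" the local address on the re-established SA should be the Ethernet1/0 address; if it still shows the Serial0/0 address or no SA at all, the debug lines around the failed negotiation are the part worth posting.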