Dual wan on Cisco1921sec/k9 config help

Hello,

I need some advice on what you think is best based on our setup. We have a remote site running AD that has 2 x ADSL2+ PPPoA lines (these do not support multilink, says our ISP, BT). All internet traffic goes back to our main site for filtering, as does Outlook for our Exchange server. Both of these are done over a VPN which I currently have set up over one of the ADSL lines. I am at a loss what to do with the other ADSL connection. I tried creating another VPN on the other dialer back to our WatchGuard firewall for just the web filtering traffic, i.e. a single IP address; however, it ended up killing everything.

Any advice on what you would do? Even a weighted balance with failover would be OK. Also, even though the 2nd line is up, it's not pingable.

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.150-1.M5.bin
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxx
enable password xxxxx
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2263841940
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2263841940
revocation-check none
rsakeypair TP-self-signed-2263841940
!
!
crypto pki certificate chain TP-self-signed-2263841940
certificate self-signed 01

   quit
license udi pid CISCO1921/K9 sn xxxxxxx
!
!
username admin privilege 15 secret 5 xxxxxxxx
!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 9
encr 3des
authentication pre-share
crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA3
set pfs group2
match address 107
!
!
!
!
!
interface GigabitEthernet0/0
description spaldinglan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxx
no cdp enable
crypto ipsec df-bit clear
!
!
interface Dialer2
mtu 1452
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password xxx
no cdp enable
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended nat3
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended rule2
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended spalding
remark CCP_ACL Category=1
remark IPSec Rule
permit ip 192.168.100.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip host 172.16.222.30 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.83.58.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.83.59.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.0.0 0.0.7.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 194.0.0.0 0.255.255.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
remark IPSec Rule
permit ip 172.16.0.0 0.0.255.255 10.0.8.0 0.0.7.255
permit udp host 195.194.75.218 any eq non500-isakmp
permit udp host 195.194.75.218 any eq isakmp
permit esp host 195.194.75.218 any
permit ahp host 195.194.75.218 any
permit ip any any
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.254.255.255
access-list 100 permit ip 0.0.0.0 255.255.254.0 0.0.0.0 255.255.0.0
access-list 101 permit ip 0.0.0.0 255.255.248.0 0.0.0.0 255.255.0.0
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 194.83.59.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 194.83.58.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 194.83.58.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 194.83.59.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 108 permit ip 10.0.0.0 0.254.255.255 any
access-list 108 permit ip 172.16.0.0 0.0.0.255 any
access-list 108 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map SDM_RMAP_4 permit 1
match ip address 108
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
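The failover variant the question asks about, as an added example that is not part of the original post or Cisco's documentation: IP SLA reachability tracking withdraws the primary default route when the probe fails, and each dialer gets its own overload NAT entry. The probe target (reusing the first DNS server from the config), the route-map names and the backup route's administrative distance are assumptions.

```cisco
! Added example, not the poster's running config.
! Assumptions: Dialer2 (pool 1) stays primary, Dialer0 (pool 2) is the backup,
! 194.74.65.68 is a host the ISP answers pings from.
!
! Dialer interfaces report line protocol "up (spoofing)" even when PPP is down,
! so a plain static route never disappears by itself; a tracked route does.
ip sla 1
 icmp-echo 194.74.65.68 source-interface Dialer2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Pin the probe to the primary line, otherwise after a failover the probe
! would leave via Dialer0, get answered, and flap the track back up.
ip route 194.74.65.68 255.255.255.255 Dialer2
!
! Primary default route is removed when track 1 goes down; the backup route
! (administrative distance 10) is then installed.
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
! One overload translation per WAN. ACL 108 already excludes the VPN subnets
! from NAT, so reuse it and bind each route-map entry to its egress interface.
route-map NAT_DIALER2 permit 10
 match ip address 108
 match interface Dialer2
route-map NAT_DIALER0 permit 10
 match ip address 108
 match interface Dialer0
no ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload
ip nat inside source route-map NAT_DIALER2 interface Dialer2 overload
ip nat inside source route-map NAT_DIALER0 interface Dialer0 overload
!
! The tunnel only follows the failover if the crypto map is applied on both
! dialers and the head-end at 195.194.75.218 accepts either public address
! as the IKE peer; with a single fixed peer address on that side, the VPN
! will stay down while traffic is on the backup line.
interface Dialer0
 crypto map SDM_CMAP_1
!
! Caveat for the existing filters: access-list "spalding" (applied in and out
! on both dialers) ends with "permit ip any any", so it permits everything
! that the IPsec rules above it do not match; it does not protect the WAN side.
```

Check the state with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`, then pull the PVC on the primary line and confirm the backup route appears within the probe interval.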