Help: Dual WAN setup. Upstream VPN and ISP split traffic

thlillyr (Level 1)

I started a position at a new company and inherited a mess. I have a Cisco C3900 router feeding a Cisco 3560X switch. The switch does the inter-VLAN routing. I will later expand this as I improve their networking topology.

My current issue: their local network does not have internet access. The only active WAN link is to an upstream Checkpoint VPN device that is a site-to-site VPN. I want to add an ISP to a second WAN interface to provide internet for the local network. Currently they have a physically separate network for internet access, as no one before me could figure it out. I have added the ISP router to a WAN port on the C3900 router. I can ping the ISP gateway from the router but cannot ping outside addresses. I cannot ping the ISP gateway from the switch or a client PC. Having only recently obtained my CCNA, I feel a little out of my depth. There is only one static route set on the router and that is to forward traffic up to the VPN WAN connection. The gateway of last resort is also statically assigned to the Checkpoint VPN. Removing either of these breaks the VPN link. After reading a lot of forum posts I tried several static route changes to the gateway of last resort and PBR maps. Nothing worked. If someone could help that would be much appreciated. The router config is below.

Note: I do not have access to anything upstream on the VPN WAN link. Also, this router has a bunch of leftover config, as I am told it was removed from one department and given to us without a config wipe. I'm working on cleaning that up. I have to finish identifying the unneeded networks, which has been hard as nobody has any idea as to what is in use.

Config:

version 15.0

no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.160.0 192.168.160.25
ip dhcp excluded-address 192.168.163.0 192.168.163.25
ip dhcp excluded-address 192.168.162.0 192.168.162.25
ip dhcp excluded-address 192.168.161.0 192.168.161.25
ip dhcp excluded-address 192.168.164.0 192.168.164.25
!
ip dhcp pool LAN0
network 192.168.160.0 255.255.255.0
default-router 192.168.160.1
dns-server 192.168.163.58
!
ip dhcp pool LAN3
network 192.168.163.0 255.255.255.0
default-router 192.168.163.1
dns-server 192.168.163.15
!
ip dhcp pool LAN2
network 192.168.162.0 255.255.255.0
default-router 192.168.162.1
dns-server 192.168.163.58
!
ip dhcp pool LAN1
network 192.168.161.0 255.255.255.0
default-router 192.168.161.1
dns-server 192.168.163.58
!
ip dhcp pool LAN4
network 192.168.164.0 255.255.255.0
default-router 192.168.164.1
dns-server 192.168.163.58
!
ip dhcp pool lan3
dns-server 192.168.163.227
!
!
no ip domain lookup
ip domain name wtblab
multilink bundle-name authenticated

!
interface GigabitEthernet0/0 * Not in use
description Rise Broadband Open WAN Link
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1 * not in use
ip address 192.168.162.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2 * Downstream to local access switch
ip address 192.168.163.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0 * VPN Wan link
description PRN_VPN
ip address 172.16.248.113 255.255.255.248
negotiation auto
!
interface FastEthernet0/2/0
ip address 192.168.60.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/1 * Not In use
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/0 *This is the WAN ISP link
ip address 192.168.50.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/1
description PRN_VPN
ip address dhcp
shutdown
duplex auto
speed auto
!
interface GigabitEthernet4/0
ip address 192.168.160.1 255.255.255.0
!
!
router eigrp 109
network 192.168.50.0
network 192.168.160.0
network 192.168.161.0
network 192.168.162.0
network 192.168.163.0
network 192.168.164.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT_TO_VPN interface FastEthernet0/2/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.248.114
!
!
route-map NAT_TO_VPN permit 10
match ip address 1
match interface FastEthernet0/2/0
!
route-map NAT_TO_ISP permit 10
match ip address 1 100
match interface FastEthernet0/3/0
!
!
!
control-plane
!

Accepted Solutions

Hello
FYI - I know I have come in late into this and it seems you have a resolution, but reviewing your configuration it doesn't look correct?

Your NAT access list seems incorrect:

access-list 1 permit 192.168.163.0 0.0.0.255 <  Okay
access-list 1 permit 192.168.160.0 0.0.0.255 <--- not in use
access-list 1 permit 172.16.0.0 0.0.255.255 < no nat interface
access-list 1 permit 172.16.134.0 0.0.0.255 < no nat interface
access-list 1 permit 192.168.101.0 0.0.0.255 <-not in use
access-list 1 permit 192.168.161.0 0.0.0.255 <--- not in use
access-list 1 permit 192.168.162.0 0.0.0.255 <--- not in use
access-list 1 permit 192.168.164.0 0.0.0.255 < not in use
access-list 1 permit 172.16.248.0 0.0.0.255 < not nat interface
access-list 1 permit 141.221.0.0 0.0.255.255 <-- external no nat
access-list 1 permit 10.255.254.0 0.0.0.255 <-- external no nat
access-list 1 permit 10.10.48.0 0.0.0.255 <-- doesn't exist

Also, instead of using static routes you could have used policy-based routing as an alternative.
Example:
no ip route 10.255.254.0 255.255.255.0 172.16.248.114
no ip route 141.221.0.0 255.255.0.0 172.16.248.114
no ip route 172.16.0.0 255.255.0.0 172.16.248.114
no ip route 172.16.134.0 255.255.255.0 172.16.248.114

ip access-list extended PBR_acl
permit ip any 10.255.254.0 0.0.0.255
permit ip any 141.221.0.0 0.0.255.255
permit ip any 172.16.0.0 0.0.255.255

route-map PBR_rm permit 10
match ip address PBR_acl
set ip next-hop 172.16.248.114

interface GigabitEthernet0/2
ip policy route-map PBR_rm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

27 Replies

Hello,

is this the interface connected to the ISP gateway, the interface you want to use for Internet access?

interface FastEthernet0/3/0 *This is the WAN ISP link
ip address 192.168.50.2 255.255.255.0
duplex auto
speed auto

thlillyr (Level 1)

Yes, that is my ISP. It is connected to a Cisco small business router provided by the ISP. I have access to it and can configure it. It has a DHCP server running on network 192.168.50.0. I've statically assigned the interface 192.168.50.2; the gateway of the ISP router is 192.168.50.1.

Hello,

understood. Right now, you have a default route pointing to (I think) the Checkpoint? Do you need any traffic at all to go to the Checkpoint?

The thing is, with the below configuration (important parts marked with -->), your clients would get access to the Internet, but lose connectivity to the Checkpoint:

no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.160.0 192.168.160.25
ip dhcp excluded-address 192.168.163.0 192.168.163.25
ip dhcp excluded-address 192.168.162.0 192.168.162.25
ip dhcp excluded-address 192.168.161.0 192.168.161.25
ip dhcp excluded-address 192.168.164.0 192.168.164.25
!
ip dhcp pool LAN0
network 192.168.160.0 255.255.255.0
default-router 192.168.160.1
dns-server 192.168.163.58
!
ip dhcp pool LAN3
network 192.168.163.0 255.255.255.0
default-router 192.168.163.1
dns-server 192.168.163.15
!
ip dhcp pool LAN2
network 192.168.162.0 255.255.255.0
default-router 192.168.162.1
dns-server 192.168.163.58
!
ip dhcp pool LAN1
network 192.168.161.0 255.255.255.0
default-router 192.168.161.1
dns-server 192.168.163.58
!
ip dhcp pool LAN4
network 192.168.164.0 255.255.255.0
default-router 192.168.164.1
dns-server 192.168.163.58
!
ip dhcp pool lan3
dns-server 192.168.163.227
!
no ip domain lookup
ip domain name wtblab
multilink bundle-name authenticated

!
interface GigabitEthernet0/0 * Not in use
description Rise Broadband Open WAN Link
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1 * not in use
ip address 192.168.162.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2 * Downstream to local access switch
ip address 192.168.163.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0 * VPN Wan link
description PRN_VPN
ip address 172.16.248.113 255.255.255.248
negotiation auto
!
interface FastEthernet0/2/0
ip address 192.168.60.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/1 * Not In use
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/0 *This is the WAN ISP link
ip address 192.168.50.2 255.255.255.0
--> ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/3/1
description PRN_VPN
ip address dhcp
shutdown
duplex auto
speed auto
!
interface GigabitEthernet4/0
ip address 192.168.160.1 255.255.255.0
!
router eigrp 109
network 192.168.50.0
network 192.168.160.0
network 192.168.161.0
network 192.168.162.0
network 192.168.163.0
network 192.168.164.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> ip nat inside source list 1 interface FastEthernet0/3/0 overload
--> ip route 0.0.0.0 0.0.0.0 192.168.50.1
!
--> access-list 1 permit 192.168.0.0 0.0.255.255
!
route-map NAT_TO_VPN permit 10
match ip address 1
match interface FastEthernet0/2/0
!
route-map NAT_TO_ISP permit 10
match ip address 1 100
match interface FastEthernet0/3/0
!
!
!
control-plane

thlillyr (Level 1)

That's the problem. I have a lot of traffic going to the Checkpoint. It provides 2 VPN services: a site-to-site connection AND a remote client VPN, which is heavily used as most of the office is working from home. So I need a way for VPN traffic to route out the VPN WAN and internet traffic to route out the ISP WAN.

Hello,

the easiest would probably be to use static routes and specify which traffic you want to go to the Checkpoint:

ip route x.x.x.x y.y.y.y 172.16.248.114

You obviously need to know which traffic goes where.

Then, use the default route for everything else (which means everything going out to the Internet).
--> ip route 0.0.0.0 0.0.0.0 192.168.50.1

thlillyr (Level 1)

All of my traffic is coming from 192.168.163.0. Will that work to have 2 static routes with the same source?

Hello,

the static route doesn't care about the source. You specify just the destination. The default route will take care of the rest. So, you need to find out which traffic needs to go through the VPN/Checkpoint, that is, which networks are on the other side. Does that make sense?

thlillyr (Level 1)

Dang it I even knew that. I need some sleep then I'll give that suggestion a try.

thlillyr (Level 1)

Ok, it seems to be working partially. I've added all the static routes for the VPN and then set the default route to the 50.1. VPN is working as it should. The router is able to ping 8.8.8.8. The clients cannot ping the internet. They can ping the ISP gateway just fine at 192.168.50.1, and they ping all of the VPN addresses too. It may be a DNS issue, as that was a total mess when I arrived (it was running off a NAS). I've since made a Windows domain with a DNS server. Question is: is it my Windows DNS server, or is there a misconfiguration on the switch with DNS?

Hello,

even without any DNS, your clients should be able to ping 8.8.8.8. So we still must be missing something. Where does a traceroute from one of your clients to 8.8.8.8 stop?

thlillyr (Level 1)

Oops, I made a mistake: the clients cannot ping 192.168.50.1 (ISP gateway). The router can, and it can reach the internet. Here is the updated config.


boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings

no aaa new-model
clock timezone mst -7
clock summer-time mst recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.160.0 192.168.160.25
ip dhcp excluded-address 192.168.163.0 192.168.163.25
ip dhcp excluded-address 192.168.162.0 192.168.162.25
ip dhcp excluded-address 192.168.161.0 192.168.161.25
ip dhcp excluded-address 192.168.164.0 192.168.164.25
!
ip dhcp pool LAN0
network 192.168.160.0 255.255.255.0
default-router 192.168.160.1
dns-server 192.168.163.58
!
ip dhcp pool LAN3
network 192.168.163.0 255.255.255.0
default-router 192.168.163.1
!
ip dhcp pool LAN2
network 192.168.162.0 255.255.255.0
default-router 192.168.162.1
dns-server 192.168.163.58
!
ip dhcp pool LAN1
network 192.168.161.0 255.255.255.0
default-router 192.168.161.1
dns-server 192.168.163.58
!
ip dhcp pool LAN4
network 192.168.164.0 255.255.255.0
default-router 192.168.164.1
dns-server 192.168.163.58
!
!
no ip domain lookup
ip domain name wtblab
multilink bundle-name authenticated
!
!
!

!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.161.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.162.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.163.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
ip address 192.168.164.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0
description PRN_VPN
ip address 172.16.248.113 255.255.255.248
negotiation auto
!
interface FastEthernet0/2/0
ip address 192.168.60.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/1
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/0
description RiseBroadband
ip address 192.168.50.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/1
description PRN_VPN
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet4/0
ip address 192.168.160.1 255.255.255.0
!
!
router eigrp 109
network 192.168.160.0
network 192.168.161.0
network 192.168.162.0
network 192.168.163.0
network 192.168.164.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/2/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 141.221.0.0 255.255.0.0 172.16.248.114
ip route 172.16.0.0 255.255.0.0 172.16.248.114
ip route 172.16.134.0 255.255.255.0 172.16.248.114
ip route 192.168.98.0 255.255.255.0 192.168.101.2
ip route 192.168.99.0 255.255.255.0 192.168.101.2
!
access-list 1 permit 192.168.163.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.16.134.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.161.0 0.0.0.255
access-list 1 permit 192.168.162.0 0.0.0.255
access-list 1 permit 192.168.164.0 0.0.0.255
access-list 1 permit 172.16.248.0 0.0.0.255
access-list 1 permit 141.221.0.0 0.0.255.255
!
!
!
control-plane
!

thlillyr (Level 1)

This is my sh ip route:

Gateway of last resort is 192.168.50.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.50.1
S 141.221.0.0/16 [1/0] via 172.16.248.114
172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
S 172.16.0.0/16 [1/0] via 172.16.248.114
S 172.16.134.0/24 [1/0] via 172.16.248.114
C 172.16.248.112/29 is directly connected, GigabitEthernet0/1/0
L 172.16.248.113/32 is directly connected, GigabitEthernet0/1/0
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.0/24 is directly connected, FastEthernet0/3/0
L 192.168.50.2/32 is directly connected, FastEthernet0/3/0
192.168.160.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.160.0/24 is directly connected, GigabitEthernet4/0
L 192.168.160.1/32 is directly connected, GigabitEthernet4/0
192.168.163.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.163.0/24 is directly connected, GigabitEthernet0/2
L 192.168.163.1/32 is directly connected, GigabitEthernet0/2

thlillyr (Level 1)

Solved it. I forgot to add the NAT outside rules you previously posted.

thlillyr (Level 1)

For the benefit of anyone reading this thread when it's necro, this is what the fix was.

My router had a static default route that was pushing ALL traffic to the VPN. In order to effectively split the traffic I had to create static routes for each network segment that was on the VPN and use a default route to send any remaining traffic out the ISP. I had to NAT outside both interfaces. That required a rule for each interface, as you can see in the config. I made it simple and used the same access list for each NAT rule. This is not ideal for everyone as it doesn't allow for granular control of each interface. (I'll fix it later; it was just to get it working.) With that done and the static routes in place it worked. Here is my final config with notes added (*Notes):

Interfaces:

interface GigabitEthernet0/0 *Not in use
ip address 192.168.161.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1 *Not in use
ip address 192.168.162.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2 *This goes to my primary switch connecting the local network to the Router
ip address 192.168.163.1 255.255.255.0
ip nat inside *This was a key configuration item
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0 * Not in use
ip address 192.168.164.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1/0 *This is my VPN uplink. Initially a default route was forwarding all traffic to it.
description PRN_VPN
ip address 172.16.248.113 255.255.255.248
negotiation auto
!
interface FastEthernet0/2/0 *This can be ignored as it's just a bridge to another network segment and not relevant to the problem
ip address 192.168.60.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/1 * Not in use
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/0 *This is my ISP connection. I set the interface IP to 50.2 as the gateway on the other side was 50.1
description ISP Wan
ip address 192.168.50.2 255.255.255.0
ip nat outside *This was key to getting this interface to work. I couldn't properly route traffic out this interface without NAT.
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/1 * Not In use
description PRN_VPN
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet4/0 *Not In use
ip address 192.168.160.1 255.255.255.0

Rules:

ip nat inside source list 1 interface FastEthernet0/3/0 overload *This is the NAT rule that uses an access list to allow traffic going to specific subnets.
ip route 0.0.0.0 0.0.0.0 192.168.50.1 *Global catch-all rule to send any traffic that doesn't match a static route out the ISP
ip route 10.255.254.0 255.255.255.0 172.16.248.114
ip route 141.221.0.0 255.255.0.0 172.16.248.114
ip route 172.16.0.0 255.255.0.0 172.16.248.114
ip route 172.16.134.0 255.255.255.0 172.16.248.114
ip route 192.168.98.0 255.255.255.0 192.168.101.2
ip route 192.168.99.0 255.255.255.0 192.168.101.2

*Note: All of these routes are just to forward traffic to the VPN. All of the subnets are behind the VPN interface. The route forces any traffic with a matching network destination to go through the VPN WAN interface. It was a challenge to track down all the subnets.

*Note: This access list allows each subnet to access the NATed interface gi0/3/0
access-list 1 permit 192.168.163.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.16.134.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.161.0 0.0.0.255
access-list 1 permit 192.168.162.0 0.0.0.255
access-list 1 permit 192.168.164.0 0.0.0.255
access-list 1 permit 172.16.248.0 0.0.0.255
access-list 1 permit 141.221.0.0 0.0.255.255
access-list 1 permit 10.255.254.0 0.0.0.255
access-list 1 permit 10.10.48.0 0.0.0.255

Huge Thanks to George Pauwen for helping me set this straight.
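To check what the final configuration actually does with a given packet, the following added example (mine, not from the thread or from Cisco) models the router's longest-prefix-match lookup over the posted connected and static routes and then applies the NAT conditions the thread arrived at (ingress `ip nat inside`, egress `ip nat outside`, source permitted by access-list 1). The CONNECTED, STATIC and ACL_1 tables are transcribed from the final posted config; the function names and the `audit_acl` check are my own.

```python
import ipaddress

# Connected networks from the final posted config: (network, interface, NAT role).
CONNECTED = [
    ("192.168.161.0/24", "GigabitEthernet0/0", None),
    ("192.168.162.0/24", "GigabitEthernet0/1", None),
    ("192.168.163.0/24", "GigabitEthernet0/2", "inside"),
    ("192.168.164.0/24", "GigabitEthernet0/0/0", None),
    ("172.16.248.112/29", "GigabitEthernet0/1/0", None),
    ("192.168.60.0/24", "FastEthernet0/2/0", "outside"),
    ("192.168.101.0/24", "FastEthernet0/2/1", None),
    ("192.168.50.0/24", "FastEthernet0/3/0", "outside"),
    ("192.168.160.0/24", "GigabitEthernet4/0", None),
]
# Static routes from the final posted config: (prefix, next hop).
STATIC = [
    ("0.0.0.0/0", "192.168.50.1"),          # catch-all out the ISP
    ("10.255.254.0/24", "172.16.248.114"),  # the rest go up the VPN...
    ("141.221.0.0/16", "172.16.248.114"),
    ("172.16.0.0/16", "172.16.248.114"),
    ("172.16.134.0/24", "172.16.248.114"),
    ("192.168.98.0/24", "192.168.101.2"),   # ...except these two via Fa0/2/1
    ("192.168.99.0/24", "192.168.101.2"),
]
# Standard access-list 1 as posted, wildcard masks written as prefix lengths.
ACL_1 = ["192.168.163.0/24", "192.168.160.0/24", "172.16.0.0/16",
         "172.16.134.0/24", "192.168.101.0/24", "192.168.161.0/24",
         "192.168.162.0/24", "192.168.164.0/24", "172.16.248.0/24",
         "141.221.0.0/16", "10.255.254.0/24", "10.10.48.0/24"]

_CONN_TABLE = [(n, i) for n, i, _ in CONNECTED]
_NAT_ROLE = {i: r for _, i, r in CONNECTED}


def _longest_match(addr, table):
    """Most specific (network, payload) whose network covers addr, else None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, payload in table:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, payload)
    return best


def lookup(dst):
    """Resolve dst like the RIB does: (matched prefix, next hop or None, egress)."""
    conn = _longest_match(dst, _CONN_TABLE)
    stat = _longest_match(dst, STATIC)
    if conn and (stat is None or conn[0].prefixlen >= stat[0].prefixlen):
        return str(conn[0]), None, conn[1]      # directly connected wins
    if stat is None:
        raise ValueError(f"no route to {dst}")
    hop = _longest_match(stat[1], _CONN_TABLE)  # recursive next-hop resolution
    if hop is None:
        raise ValueError(f"next hop {stat[1]} is not on a connected network")
    return str(stat[0]), stat[1], hop[1]


def forward(src, dst):
    """Routing plus NAT decision for a packet from src to dst.

    Translation needs all three: the ingress interface is 'ip nat inside',
    the egress interface is 'ip nat outside', and src matches access-list 1.
    """
    prefix, hop, egress = lookup(dst)
    ingress = _longest_match(src, _CONN_TABLE)
    in_acl = _longest_match(src, [(n, True) for n in ACL_1]) is not None
    translated = (ingress is not None and _NAT_ROLE[ingress[1]] == "inside"
                  and _NAT_ROLE[egress] == "outside" and in_acl)
    return {"prefix": prefix, "next_hop": hop, "egress": egress,
            "translated": translated}


def audit_acl():
    """ACL entries that are not the network of any 'ip nat inside' interface."""
    inside = {n for n, _, r in CONNECTED if r == "inside"}
    return [entry for entry in ACL_1 if entry not in inside]
```

`audit_acl()` reproduces Paul's observation above: with only GigabitEthernet0/2 configured as `ip nat inside`, every entry except 192.168.163.0/24 can never be translated, and `forward()` shows the same thing for a host on 192.168.160.0/24.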
