08-28-2012 03:54 PM - edited 03-04-2019 05:24 PM
Hello
I'm having trouble because I can only have one internet connection at a time for it to work. If I connect the 2 WANs to the router, then neither of them works. I'm pretty sure it is an access-list problem that I don't know about. Please help me properly set up the 2 WANs and load balancing if possible. Thanks for the help!!
ip dhcp pool quest
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool roadrunner
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key test1 address xx.xx.xx.153
crypto isakmp key test2 address xx.xx.xx.24
!
!
crypto ipsec transform-set qwest esp-3des esp-md5-hmac
crypto ipsec transform-set roadrunner esp-3des esp-md5-hmac
!
!
crypto map qwest 1 ipsec-isakmp
set peer xx.xx.xx.24
set transform-set qwest
match address 100
!
crypto map roadrunner 1 ipsec-isakmp
set peer xx.xx.xx.153
set transform-set roadrunner
match address 101
!
!
interface FastEthernet0
description roadrunner
switchport access vlan 2
!
interface FastEthernet1
description roadrunner
switchport access vlan 2
!
interface FastEthernet2
description roadrunner
switchport access vlan 2
!
interface FastEthernet3
description roadrunner
switchport access vlan 2
!
interface FastEthernet4
description qwest
!
interface FastEthernet5
description qwest
!
interface FastEthernet6
description qwest
!
interface FastEthernet7
description qwest
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description roadrunner connection
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map roadrunner
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description quest
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description roadrunner
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxxx
crypto map qwest
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface Dialer1 overload
ip nat inside source list roadrunner interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended roadrunner
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
08-29-2012 12:42 AM
Hi,
there are 2 things you must modify:
1)
no ip route 0.0.0.0 0.0.0.0 gig0
ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is the next hop out the Gig0 interface)
2)
no ip nat inside source list nat interface Dialer1 overload
no ip nat inside source list roadrunner interface GigabitEthernet0 overload
ip nat inside source route-map Dialer1 interface Dialer1
ip nat inside source route-map Roadrunner interface Gig0
route-map Roadrunner
match ip address roadrunner
match interface Gig0
route-map Dialer1
match ip address nat
match interface Dialer1
Regards.
Alain
Don't forget to rate helpful posts.
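The NAT selection Alain describes in point 2 (route-maps that match both an ACL and the egress interface) can be modelled to see why VPN-bound traffic must be denied in the NAT ACL and why each LAN only gets translated on its own WAN link. This is an added example, not code from the thread or from Cisco; it implements IOS wildcard-mask matching, first-match ACL evaluation and the `ip nat inside source route-map <map> interface <if> overload` decision. The configuration it encodes is the thread's final state (ACLs `nat`/`nat1`, route-maps `Dialer1`/`Roadrunner`); the handling of a route-map that references a missing ACL is an assumption made for illustration.

```python
"""Model of the route-map based NAT selection in Alain's answer above.

Added example, not code from the thread or from Cisco. It implements IOS
wildcard-mask matching, first-match ACL evaluation and the
'ip nat inside source route-map <map> interface <if> overload' decision:
a clause applies only when its ACL permits the flow AND the packet is
leaving through the interface the clause names.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' as network/wildcard


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard test: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if in_wildcard(src, s_net, s_wc) and in_wildcard(dst, d_net, d_wc):
            return action
    return "deny"


def thread_config():
    """The NAT-related part of the thread's final configuration."""
    return {
        "acls": {
            # ip access-list extended nat
            "nat": [
                ("deny", ("10.10.11.0", "0.0.0.255"), ("10.10.10.0", "0.0.0.255")),
                ("permit", ("10.10.11.0", "0.0.0.255"), ANY),
            ],
            # ip access-list extended nat1
            "nat1": [
                ("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.0.0", "0.0.0.255")),
                ("permit", ("192.168.1.0", "0.0.0.255"), ANY),
            ],
        },
        # route-map <name> permit 10 / match ip address <acl> / match interface <if>
        "route_maps": {
            "Dialer1": {"acl": "nat", "interface": "Dialer1"},
            "Roadrunner": {"acl": "nat1", "interface": "GigabitEthernet0"},
        },
        # ip nat inside source route-map <map> interface <if> overload
        "nat_rules": [("Dialer1", "Dialer1"), ("Roadrunner", "GigabitEthernet0")],
    }


def nat_decision(config, src: str, dst: str, egress: str):
    """Interface whose address the flow is translated to, or None for no NAT.

    'egress' is the interface the routing table already picked; for
    inside-to-outside traffic IOS applies NAT after that decision. Flows the
    ACL denies (the VPN-bound prefixes) fall through every clause and leave
    with their original addresses, so the crypto map's match ACL (100/101)
    still sees 10.10.11.0 -> 10.10.10.0 and 192.168.1.0 -> 192.168.0.0.
    """
    for map_name, nat_if in config["nat_rules"]:
        clause = config["route_maps"][map_name]
        acl_name = clause["acl"]
        if acl_name not in config["acls"]:
            # The mismatch Alain catches later in the thread: the map pointed at
            # 'roadrunner' after that ACL had been renamed nat1. Modelled here
            # (assumption) as a configuration error rather than as a match.
            raise KeyError(f"route-map {map_name} references undefined ACL {acl_name}")
        if clause["interface"] != egress:
            continue
        if acl_action(config["acls"][acl_name], src, dst) == "permit":
            return nat_if
    return None


if __name__ == "__main__":
    cfg = thread_config()
    for src, dst, egress in [
        ("10.10.11.20", "10.10.10.1", "Dialer1"),          # VPN traffic: no NAT
        ("10.10.11.20", "8.8.8.8", "Dialer1"),             # Qwest LAN to Internet
        ("192.168.1.20", "8.8.8.8", "GigabitEthernet0"),   # Roadrunner LAN to Internet
        ("10.10.11.20", "8.8.8.8", "GigabitEthernet0"),    # wrong WAN for this LAN
    ]:
        print(f"{src} -> {dst} via {egress}: NAT={nat_decision(cfg, src, dst, egress)}")
```

The model makes the two properties of the design visible: VPN-bound flows are never translated, because the `deny` entry at the top of each NAT ACL stops the route-map clause from matching, and the `match interface` line ties each inside subnet to one WAN, so a 10.10.11.0 host routed out GigabitEthernet0 would leave untranslated (and be dropped upstream) rather than borrow the other provider's address.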
08-29-2012 09:35 AM
Thank you for the response... changes were made but now the VPN stopped working. Any idea???
ip nat inside source route-map Dialer1 interface Dialer1 overload
ip nat inside source route-map Roadrunner interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.133
!
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended nat1
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map Dialer1 permit 10
match ip address nat
match interface Dialer1
!
route-map Roadrunner permit 10
match ip address roadrunner
match interface GigabitEthernet0
08-29-2012 10:20 AM
Hi,
I don't see any ACL roadrunner anymore; it was replaced by ACL nat1, so
route-map Roadrunner permit 10
match ip address roadrunner
match interface GigabitEthernet0
should become
route-map Roadrunner permit 10
match ip address nat1
match interface GigabitEthernet0
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 10:35 AM
Changes were made but the VPN from Qwest on Dialer1 doesn't connect... and I was connected and working before we did the changes... any idea why? Thanks
route-map Roadrunner permit 10
match ip address nat1
match interface GigabitEthernet0
08-29-2012 10:42 AM
Hi,
if you ping a host in 10.10.10.0 from a host in 10.10.11.0, post the following outputs:
sh crypto isa sa
sh crypto ipsec sa
sh access-list nat (before and after the ping)
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 11:10 AM
I disconnected the roadrunner WAN and have only Dialer1 connected to test the VPN...
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xx.xx.xx.210 xx.xx.xx.24 QM_IDLE 2003 ACTIVE
IPv6 Crypto ISAKMP SA
-----------------------------------------------------------------------------
sh crypto ipsec sa
interface: GigabitEthernet0
Crypto map tag: roadrunner, local addr xx.xx.xx.134
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer xx.xx.xx.153 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xx.xx.134, remote crypto endpt.: xx.xx.xx.153
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Dialer1
Crypto map tag: qwest, local addr xx.xx.xx.210
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer xx.xx.xx.24 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xx.xx.210, remote crypto endpt.: xx.xx.xx.24
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x44A290C0(1151504576)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAA278E1E(2854719006)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: qwest
sa timing: remaining key lifetime (k/sec): (4445205/3232)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x44A290C0(1151504576)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: qwest
sa timing: remaining key lifetime (k/sec): (4445205/3232)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: qwest, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer xx.xx.xx.24 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: xx.xx.xx.24
path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
----------------------------------------------------------------
Extended IP access list nat
10 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
20 permit ip 10.10.11.0 0.0.0.255 any (96 matches)
----------------------------------------------------------------
ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
----------------------------------------------------------------
host on 10.10.10.4
PING 10.10.11.1 (10.10.11.1): 32 data bytes
From 10.10.11.1 icmp_seq=0 timed out
From 10.10.11.1 icmp_seq=1 timed out
From 10.10.11.1 icmp_seq=2 timed out
From 10.10.11.1 icmp_seq=3 timed out
--- 10.10.11.1 ping statistics ---
5 packets transmitted
0 packets received
100% packet loss
----------------------------------------------------------------
Extended IP access list nat
10 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
20 permit ip 10.10.11.0 0.0.0.255 any (96 matches)
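The `show crypto ipsec sa` output posted above carries the diagnosis in its counters: the qwest map on Dialer1 has ACTIVE inbound and outbound ESP SAs but `#pkts encaps: 0`, while the roadrunner map has no SAs at all and a zero outbound SPI. The script below is an added example, not code from the thread, that parses that output format into per-interface blocks and classifies each crypto map; `SAMPLE` is constructed from the posted output with the masked public addresses replaced by RFC 5737 documentation addresses, and the third block (`Dialer2`, map `example`) is invented to show what a healthy tunnel looks like.

```python
"""Triage of 'show crypto ipsec sa' output like the one posted above.

Added example, not code from the thread. Each 'interface:' block becomes a
dict; classify() turns the SA count and packet counters into one of four
verdicts:
  NO_SA          no ESP SA exists, Phase 2 never negotiated for this map
  SA_NO_TRAFFIC  SAs are ACTIVE but nothing is being encapsulated, so the
                 interesting traffic is not reaching the crypto map
  ONE_WAY        packets leave but none come back (or the reverse)
  OK             traffic flows in both directions
SAMPLE is constructed: thread output with documentation addresses, plus an
invented healthy block.
"""
import re

SAMPLE = """\
interface: GigabitEthernet0
    Crypto map tag: roadrunner, local addr 203.0.113.134
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.153 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:

interface: Dialer1
    Crypto map tag: qwest, local addr 198.51.100.210
   local  ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 198.51.100.24 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x44A290C0(1151504576)
     inbound esp sas:
      spi: 0xAA278E1E(2854719006)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x44A290C0(1151504576)
        Status: ACTIVE

interface: Dialer2
    Crypto map tag: example, local addr 198.51.100.77
   current_peer 198.51.100.99 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
     current outbound spi: 0x11223344(287454020)
     inbound esp sas:
      spi: 0x55667788(1432778632)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x11223344(287454020)
        Status: ACTIVE
"""

NO_SA, SA_NO_TRAFFIC, ONE_WAY, OK = "NO_SA", "SA_NO_TRAFFIC", "ONE_WAY", "OK"


def parse_ipsec_sa(text: str):
    """Return one dict per 'interface:' block with the fields triage needs."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface: (\S+)$", line)
        if m:
            cur = {"interface": m.group(1), "map": None, "local": None,
                   "peer": None, "encaps": 0, "decaps": 0, "active_sas": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue  # header text before the first block
        if m := re.match(r"Crypto map tag: ([^,]+), local addr (\S+)", line):
            cur["map"], cur["local"] = m.group(1), m.group(2)
        elif m := re.match(r"current_peer (\S+) port", line):
            cur["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur["decaps"] = int(m.group(1))
        elif line == "Status: ACTIVE":
            cur["active_sas"] += 1  # one per inbound/outbound ESP SA
    return blocks


def classify(block) -> str:
    """Verdict for one crypto map instance from its SA count and counters."""
    if block["active_sas"] == 0:
        return NO_SA
    if block["encaps"] == 0 and block["decaps"] == 0:
        return SA_NO_TRAFFIC
    if block["encaps"] == 0 or block["decaps"] == 0:
        return ONE_WAY
    return OK


def triage(text: str):
    """Map interface name -> (crypto map tag, verdict code)."""
    return {b["interface"]: (b["map"], classify(b)) for b in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for iface, (tag, code) in triage(SAMPLE).items():
        print(f"{iface:18} map={tag:10} {code}")
```

One caveat that applies to the posted test: `ping 10.10.10.1` typed on the router itself is sourced from the egress interface address unless a `source` is given, so it does not fall inside crypto ACL 100 (source 10.10.11.0/24) and never exercises the tunnel; the `SA_NO_TRAFFIC` verdict for Dialer1 is only meaningful for pings from a 10.10.11.0 host, which is why Alain asks for the host-to-host test and the ACL counters before and after.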
08-29-2012 11:22 AM
Hi,
can you post sh run | s crypto map|access-list
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 11:43 AM
sh run | s crypto map|access-list
crypto map qwest 1 ipsec-isakmp
set peer xx.xx.xx.24
set transform-set qwest
match address 100
crypto map roadrunner 1 ipsec-isakmp
set peer xx.xx.xx.153
set transform-set roadrunner
match address 101
crypto map roadrunner
crypto map qwest
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended nat1
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark maptest1 category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
08-29-2012 01:47 PM
Hi,
OK, can you do this:
repost your new config,
then issue the following:
logging buff 100000
logging buff 7
no service time debug
do clear log
do debug crypto isa
do debug crypto ipsec
then on a 10.10.11.0 host, ping 10.10.10.x with a high repeat count,
then issue do sh log and post it here.
Regards.
Alain.
Don't forget to rate helpful posts.
08-29-2012 03:41 PM
sh log
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 153 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 78 message lines logged
Log Buffer (4096 bytes):
in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7082
ISAKMP: set new node 1311669545 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1311669545
ISAKMP:(2007): seq. no 0x7082
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1311669545
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node 1962558591
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -842448404 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = -842448404
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -842448404, sa = 0x86BEAB44
ISAKMP:(2007):deleting node -842448404 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7083
ISAKMP: set new node -1044866510 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = -1044866510
ISAKMP:(2007): seq. no 0x7083
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node -1044866510
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node 1534298901
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1111418898 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = 1111418898
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1111418898, sa = 0x86BEAB44
ISAKMP:(2007):deleting node 1111418898 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7084
ISAKMP: set new node 1321991604 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1321991604
ISAKMP:(2007): seq. no 0x7084
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1321991604
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node -842448404
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1782352186 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = 1782352186
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1782352186, sa = 0x86BEAB44
ISAKMP:(2007):deleting node 1782352186 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7085
ISAKMP: set new node 1147495273 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1147495273
ISAKMP:(2007): seq. no 0x7085
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1147495273
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
08-31-2012 11:35 AM
Any suggestions?
08-31-2012 12:04 PM
Hi,
gonna take a closer look at your config and try to lab it on GNS3 and will let you know after the weekend.
Regards.
Alain
Don't forget to rate helpful posts.
09-11-2012 09:10 AM
Any luck on the lab config on GNS3?
09-11-2012 10:44 AM
Hi Manny,
I'm really sorry but I was so busy that I completely forgot to test it.
I'm gonna try to do it this evening. If I find out something I will post it here.
Don't forget to rate helpful posts.