How to backup ADSL connection over Ethernet interface

p.devalck
Level 1

Using a Cisco 877 router with ADSL connectivity, a backup connection is needed. A 3G (cellular) device is available, capable of setting up an IPsec VPN, and offering an ethernet port for connecting the (backup) port of the 877 router.

Neither the ADSL (on the 877 router) nor the cellular (on the 3G device) have fixed IP addresses assigned to them by the ADSL/3G service providers.

The main site has a fixed IP address, both on the connection with the internet as for a (dedicated) connection to the 3G provider.

The purpose is

- create an IPsec VPN on the ADSL interface (over the internet) to the main site

- route all traffic over the IPsec VPN on the ADSL interface

- route all traffic over the ethernet port to the 3G (cellular) device if the main site is not accessible via the ADSL interface.

How can I proceed?

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Paul,

let's think about the components: routing, NAT, IPsec

a) routing

you can use a floating static route for the secondary link:

! floating static default via the backup SVI, administrative distance 200
ip route 0.0.0.0 0.0.0.0 Vlan2 200

(this is specific to the 877, which uses SVIs like a switch)

200 is the AD.

the primary default route can be tracked using object tracking, see

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

! primary default via ADSL, installed only while track object 122 is up
ip route 0.0.0.0 0.0.0.0 Dialer1 track 122

you need a probe and the document describes how to configure it depending on your IOS version.

if the probe or IP SLA fails the primary default route is removed from the routing table.

b) NAT

you can use nat overload combined with a route map that checks the outgoing interface

example:

lan interface 10.10.10.0 /24

! deny traffic that will be sent over
! the ipsec tunnel it doesn't need to be NATTED
access-list 111 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
! translate only when the packet leaves via the primary (ADSL) interface
route-map nat_primary permit 10
 match ip address 111
 match interface Dialer1
!
! translate only when the packet leaves via the backup (3G) interface
route-map nat_secondary permit 10
 match ip address 111
 match interface Vlan2

you need two statements in global config

ip nat inside source route-map nat_primary overload
ip nat inside source route-map nat_secondary overload

internal lan needs

ip nat inside

external interfaces require

ip nat outside

c) ipsec

you need to configure the crypto map under dialer1

traffic that has to be encrypted is the same that is not NATTED

! crypto ACL: the same LAN-to-HQ traffic that ACL 111 exempts from NAT
access-list 112 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key pwd1 address HQ-address1
crypto ipsec transform-set VPN-ADSL esp-3des esp-md5-hmac
!
crypto map VPN_MAP local-address Dialer1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer HQ-address1
 set transform-set VPN-ADSL
 match address 112
!
! apply the crypto map on the ADSL interface
interface Dialer1
 crypto map VPN_MAP
!

this is only a trace for the ipsec part: notice that you probably need a second crypto map for the backup link.

Hope to help

Giuseppe

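As an added example (not Giuseppe's posted configuration and not a Cisco document), the pieces above assembled into one IOS configuration for the 877, including the tracking probe that the reply only points to via the link. Everything address-related is constructed: 10.10.10.1 for the LAN SVI, 192.168.2.1 for the 3G device's Ethernet port (192.168.2.2 on Vlan2), 203.0.113.10 standing in for HQ-address1, FastEthernet3 as the port cabled to the 3G device. The ip sla / track numbers, the AES/SHA cipher choice, the DPD keepalive and the probe timers are assumptions as well; the PPPoE/ATM side of Dialer1 and the pre-shared key are left out. The `ip sla` and `track ... ip sla` forms are the 12.4(4)T+/12.4(20)T+ syntax; older 12.3 images use `rtr` and `track 122 rtr 1 reachability` instead, which is the version dependency the reply mentions.

```cisco
! Added example configuration for the Cisco 877 scenario above (not the
! original poster's or Cisco's config). All addresses are constructed:
!   LAN            10.10.10.0/24 on Vlan1 (router 10.10.10.1)
!   ADSL           Dialer1, address negotiated (PPPoE/ATM setup omitted)
!   3G device      192.168.2.1 on Vlan2 (router 192.168.2.2), port FastEthernet3
!   HQ public peer 203.0.113.10 (stands in for HQ-address1)
!
interface Vlan1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet3
 description cable to the 3G device
 switchport access vlan 2
!
interface Vlan2
 description backup path via the 3G device
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
!
interface Dialer1
 description ADSL (primary)
 ip address negotiated
 ip nat outside
 crypto map VPN_MAP
!
! --- tracking: ICMP probe to the HQ public address, sourced from Dialer1 ---
ip sla 1
 icmp-echo 203.0.113.10 source-interface Dialer1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! host route pins the probe to the ADSL path; without it the probe would
! follow the floating default over 3G after failover and the track would
! come back up even though ADSL is still down
ip route 203.0.113.10 255.255.255.255 Dialer1
!
! delays damp flapping: 15 s of failed probes before down, 30 s of good ones before up
track 122 ip sla 1 reachability
 delay up 30 down 15
!
! primary default withdrawn when track 122 is down; floating static (AD 200)
! via the 3G device then becomes the default route
ip route 0.0.0.0 0.0.0.0 Dialer1 track 122
ip route 0.0.0.0 0.0.0.0 192.168.2.1 200
!
! --- NAT: exempt LAN-to-HQ traffic, overload the rest per egress interface ---
access-list 111 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
route-map nat_primary permit 10
 match ip address 111
 match interface Dialer1
!
route-map nat_secondary permit 10
 match ip address 111
 match interface Vlan2
!
ip nat inside source route-map nat_primary overload
ip nat inside source route-map nat_secondary overload
!
! --- IPsec on the ADSL side; crypto ACL mirrors the NAT exemption ---
access-list 112 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.10
! dead peer detection so a stale SA is torn down when ADSL comes back
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set VPN-ADSL esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP local-address Dialer1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VPN-ADSL
 match address 112
!
! The 3G device builds its own IPsec VPN to the main site, so Vlan2 hands it the
! LAN-to-HQ traffic un-NATed (ACL 111 deny) and unencrypted. If the router
! should terminate that tunnel itself, a second crypto map with the HQ 3G-side
! peer would go under Vlan2 instead.
```

Two things to check once it is in place. `show track 122`, `show ip sla statistics 1` and `show ip route 0.0.0.0` confirm that the primary default disappears and the AD 200 route takes over when the probe fails; `show crypto isakmp sa` and `show ip nat translations` confirm that LAN-to-HQ flows appear as an IPsec SA and not as NAT entries. The second check matters because on IOS inside-to-outside NAT runs before encryption: if ACL 111 and ACL 112 ever disagree, a LAN-to-HQ packet gets translated first, no longer matches the crypto ACL and leaves the ADSL interface without protection.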

2 Replies


My problem was rather the tracking part as I have never done it.

It'll take some time to adjust the parameters, but I'm confident we'll get there.

Thank you

Paul
