03-04-2014 10:11 PM - edited 03-04-2019 10:30 PM
Hi There,
I'm trying to set up a 2nd ADSL connection on a Cisco 887 due to some speed/bandwidth issues.
The router currently already has a working ADSL2+ connection using the built-in DSL modem.
What I'm trying to achieve is to set up the router so all the Internet traffic from the main site uses Internet1 and all the VPN traffic to a branch uses Internet2.
I haven't looked yet at load balancing and there's no immediate need for it.
Internet1 is already set up and working using the built-in DSL modem of the 887 router.
Now I have an external modem/router which I've set up in bridge mode and connected to the FastEthernet 3 interface of the 887.
I've set up a second dialer (Dialer2) for the new Internet connection, then assigned it to interface FastEthernet 3 and enabled PPPoE.
Then I was thinking of using the following IP routes to split the Internet and VPN traffic. Would that work? Maybe there's a better way?
ip route 192.168.10.0 255.255.255.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
At the moment Dialer2 does not seem to dial. When I do a "show ip int brief", Dialer2 does not get assigned a public IP address as it should; Dialer1 is OK.
Also, do I need to use NAT on Dialer2 if it's only being used for the VPN connection?
I found a few configurations for DSL load balancing but all of them are for a Cisco 881. Is there something different with the 887 (with its built-in DSL modem)?
Here are the most relevant parts of the config:
controller VDSL 0
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key secretpassword address 111.111.111.111
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Sydney-VPN 10 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set 3DES-SHA
 match address Sydney-Crypto-list
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 description ### DSL 1 ###
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 description ### DSL 2 ###
 no ip address
 pppoe-client dial-pool-number 2
 no cdp enable
!
interface Vlan1
 description ### Customer LAN ###
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description ### WAN1 ###
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname user1@dsl.net
 ppp chap password 7 0000000000000
!
interface Dialer2
 description ### WAN2 ###
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer idle-timeout 0
 dialer persistent
 dialer-group 2
 ppp chap hostname user2@dsl.net
 ppp chap password 7 000000000000
 crypto map Sydney-VPN
!
ip nat inside source route-map Route1 interface Dialer1 overload
ip nat inside source route-map Route2 interface Dialer2 overload
ip route 192.168.21.0 255.255.255.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended Sydney-Crypto-list
 permit ip 192.168.16.0 0.0.0.255 192.168.21.0 0.0.0.255
!
route-map Route1 permit 10
 match ip address 101
 set interface Dialer1
!
route-map Route2 permit 20
 match ip address 103
 set interface Dialer2
!
access-list 101 deny ip 192.168.16.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 102 permit tcp any any eq 22
access-list 102 permit tcp any any established
access-list 103 deny ip 192.168.16.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
!
!
Thanks,
Florian
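Added example, not part of the original thread: a small Python check over the ACL lines of the configuration posted above, listing flows that the crypto ACL protects but a NAT ACL would still translate. It assumes the usual IOS order of operations (inside-to-outside NAT is evaluated before the crypto map); the function names are hypothetical and only `permit|deny ip <src> <wildcard> <dst wildcard | any>` entries with exact or `any` destinations are handled.

```python
import re

# ACL lines copied from the configuration posted in this thread.
CONFIG = """\
ip access-list extended Sydney-Crypto-list
 permit ip 192.168.16.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 deny ip 192.168.16.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 deny ip 192.168.16.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
"""

ENTRY = re.compile(r"(permit|deny) ip (\S+) (\S+) (any|\S+ \S+)$")

def parse_acls(text):
    """Return {acl_name: [(action, src, wildcard, dst), ...]} in config order."""
    acls, current = {}, None
    for line in text.splitlines():
        named = re.match(r"ip access-list extended (\S+)", line)
        numbered = re.match(r"access-list (\d+) (.+)", line)
        if named:
            current = named.group(1)
            continue
        if numbered:
            name, body = numbered.groups()
        elif line.startswith(" ") and current:
            name, body = current, line.strip()
        else:
            current = None
            continue
        entry = ENTRY.match(body)
        if entry:
            acls.setdefault(name, []).append(entry.groups())
    return acls

def nat_action(flow, nat_acl):
    """First-match action of the NAT ACL for a flow (exact or 'any' destination)."""
    _, src, wildcard, dst = flow
    for action, a_src, a_wildcard, a_dst in nat_acl:
        if (a_src, a_wildcard) == (src, wildcard) and a_dst in (dst, "any"):
            return action
    return "deny"  # implicit deny at the end of every ACL

def natted_crypto_flows(acls, crypto_acl, nat_acl):
    """Flows the crypto ACL protects that the NAT ACL would still translate."""
    return [f for f in acls[crypto_acl]
            if f[0] == "permit" and nat_action(f, acls[nat_acl]) == "permit"]

print(natted_crypto_flows(parse_acls(CONFIG), "Sydney-Crypto-list", "103"))
```

For the posted configuration, ACL 103 (matched by Route2 for NAT on Dialer2, the interface carrying the crypto map) returns the 192.168.16.0 to 192.168.21.0 flow because its deny line names 192.168.10.0, while ACL 101 returns nothing.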
03-04-2014 10:44 PM
I'm trying to set up a 2nd ADSL connection on a Cisco 887 due to some speed/bandwidth issues.
What speed are each of the DSL links?
03-06-2014 04:46 PM
Hi Leo,
Both DSL links are 6Mbps DL and 1Mbps UP. The DSL connections are working fine; it is just not enough on 1 link to handle both their Internet traffic and the VPN tunnel traffic from the remote site.
I got the 2nd dialer working now. After doing some research, I had to assign the dialer group to a VLAN interface and not to the physical port.
Here's what I've changed:
interface FastEthernet3
 description ### DSL 2 ###
 no ip address
 no pppoe-client dial-pool-number 2
 switchport access vlan 2
 no cdp enable
interface vlan2
 description ### VLAN DSL 2 ###
 no ip address
 pppoe-client dial-pool-number 2
 no cdp enable
Now when I run a "show ip int brief" I can see that both Dialer1 & Dialer2 are getting an IP address assigned by the ISP.
The VPN, however, as it is currently set up, still isn't working; a "sh crypto isakmp sa" command reports the tunnel as active but with an MM_SA_SETUP status.
I now need to figure out what I have to change to get the VPN working.
Thanks,
Florian