cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
644
Views
0
Helpful
2
Replies
david.mijares
Beginner

nat, two isp, vpn connection?

Hello Everyone,

I connected three branch office to HQ with cisco ezvpn(Network Extender, no NAT need it) and until that point I'm fine, but my problem is in HQ's Router a Cisco 1941w has two ISP connection which one is a DSL for outgoing internet services and the other one is a Metro-Ethernet connection for incoming services as VPN and email services. When I use just the metro ethernet everything work smoothly as the VPN services and the internet services as well. But at the moment I decide to swap the outgoing internet services to the DSL connection, the VPN slowdowns and create some lag in the internet services.

Can someone explain me why?

My configuration:

!

interface GigabitEthernet0/0

description DSL Connetion

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 2

!

!

interface GigabitEthernet0/1

description Metro Ethernet

ip address 10.10.10.1 255.255.255.0

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 1

ppp authentication chap pap callin

!

ip nat inside source static tcp 192.168.1.8 80 interface GigabitEthernet0/1 80

ip nat inside source static tcp 192.168.1.8 25 interface GigabitEthernet0/1 25

ip nat inside source list 1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

thanks in advanced

2 REPLIES 2
lgijssel
Engager

First of all, it is quite likely that the bandwidth over the DSL link is significantly smaller than via the Metro link.

Besides, there a smaller mtu configured on the dialer. This means packets may need to be fragmented in order to take this path. That wil definitely cause things to slowdown as well. The link below describes the potential impact of mtu mismatches and although it discusses mainly GRE, the problem is the same for IPsec tunnels.

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

regards,

Leo

That's correct and I'm aware of that. However, the VPN should work only over the Metro Ethernet connection and this for unknown reason to me is not happening(not exclusive a least).

Sent from Cisco Technical Support iPad App