Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
0
Helpful
2
Replies

nat, two isp, vpn connection?

david.mijares
Level 1
Level 1

‎08-30-2011 04:57 PM - edited ‎03-04-2019 01:27 PM

Hello Everyone,

I connected three branch office to HQ with cisco ezvpn(Network Extender, no NAT need it) and until that point I'm fine, but my problem is in HQ's Router a Cisco 1941w has two ISP connection which one is a DSL for outgoing internet services and the other one is a Metro-Ethernet connection for incoming services as VPN and email services. When I use just the metro ethernet everything work smoothly as the VPN services and the internet services as well. But at the moment I decide to swap the outgoing internet services to the DSL connection, the VPN slowdowns and create some lag in the internet services.

Can someone explain me why?

My configuration:

!

interface GigabitEthernet0/0

description DSL Connetion

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 2

!

!

interface GigabitEthernet0/1

description Metro Ethernet

ip address 10.10.10.1 255.255.255.0

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 1

ppp authentication chap pap callin

!

ip nat inside source static tcp 192.168.1.8 80 interface GigabitEthernet0/1 80

ip nat inside source static tcp 192.168.1.8 25 interface GigabitEthernet0/1 25

ip nat inside source list 1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

thanks in advanced

Labels:
0 Helpful
2 Replies 2

lgijssel
Level 9
Level 9

‎08-30-2011 10:37 PM

First of all, it is quite likely that the bandwidth over the DSL link is significantly smaller than via the Metro link.

Besides, there a smaller mtu configured on the dialer. This means packets may need to be fragmented in order to take this path. That wil definitely cause things to slowdown as well. The link below describes the potential impact of mtu mismatches and although it discusses mainly GRE, the problem is the same for IPsec tunnels.

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

regards,

Leo

0 Helpful

david.mijares
Level 1
Level 1
In response to lgijssel

‎08-31-2011 01:28 PM

That's correct and I'm aware of that. However, the VPN should work only over the Metro Ethernet connection and this for unknown reason to me is not happening(not exclusive a least).

Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card