Route-map VPN problem

ronald.tuns
Level 1

Hi everyone,

I was wondering if someone could help me out with the following problem:

I have configured an 1841 ISR for dual WAN and divided the traffic per interface through route-maps. I have also configured an Easy VPN server on one of the WAN interfaces, which works fine as long as the other WAN interface is offline. That is, I can create a VPN tunnel with the Cisco VPN client, but there is no traffic going through.

When I disconnect the other WAN interface, VPN traffic reaches the other end and is returned correctly. This is my config (IP addresses are changed, of course):

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name domain.local
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1645527211
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1645527211
revocation-check none
rsakeypair TP-self-signed-1645527211
!
!
crypto pki certificate chain TP-self-signed-1645527211
certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363435 35323732 3131301E 170D3132 30363031 31303037
  2D3C2A16 CFF5CA08 3161960F 83ADDBD2 71D84E0D 53BC6697 A1B471BD DC206810
  05A8D563 D5E49BEA 8F99D82A 7B9EA16A 3DBF8014 3BFC6DC7 CDFE1B55 28801533
  088064E4 86987B8E 346F49F2 1F538C9E 5A1C41CD 5931C5AB CD79F64A 18510B7D
  EC690203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
  551D1104 20301E82 1C66772D 6C61626F 6A756963 652E6C61 626F6A75 6963652E
  6C6F6361 6C301F06 03551D23 04183016 801416D0 6EE8C69B A7C7972A 31FF2D95
  F82C56C1 2833301D 0603551D 0E041604 1416D06E E8C69BA7 C7972A31 FF2D95F8
  2C56C128 33300D06 092A8648 86F70D01 01040500 03818100 10779C4D 6D01A6CD
  3E5F0D5F B05A0FD2 F31E8216 D62B5C6E DF495A7E 9AAB0CF1 BA5ED98D EECFC1A7
  86055931 85CB6990 4C89574D BD94CD6D 518313B8 629E8518 6C6694DD 9064AF55
  69403345 0BA9EF72 9731EAB9 132045DF 4A98AC0C 2D5C0B3D C80F6A0A 1F6032CB
  227A4D71 B67249BE EDFF96C7 25C74540 747D3660 F54A6206
   quit
!
!
archive
log config
  hidekeys
!
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn-group
key *******
dns 123.123.123.1
domain domain.local
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn-group
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.176.254 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 111.222.111.129 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
description LAN
no ip address
!
interface FastEthernet0/0/1
description DMZ
switchport access vlan 2
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
ip address 192.168.175.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map LAN
!
interface Vlan2
ip address 192.168.177.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map DMZ
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.30
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.175.1 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.175.1 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.175.1 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.175.4 8550 interface FastEthernet0/1 8550
ip nat inside source static tcp 192.168.175.6 876 interface FastEthernet0/1 876
ip nat inside source route-map ISPDMZ interface FastEthernet0/0 overload
ip nat inside source route-map ISPLAN interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 111.222.111.134
ip route 0.0.0.0 0.0.0.0 192.168.176.1
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.175.0 0.0.0.255 any
access-list 101 deny   ip 192.168.177.0 0.0.0.255 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 876
access-list 101 permit tcp any any eq 8550
access-list 101 deny   ip any any
access-list 102 permit ip 192.168.175.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 120 permit ip 192.168.175.0 0.0.0.255 any
access-list 121 permit ip any any
!
!
!
route-map ISPLAN permit 10
match ip address 120
match interface FastEthernet0/1
!
route-map LAN permit 10
match ip address 101
set ip next-hop 111.222.111.134
!
route-map ISPDMZ permit 10
match ip address 121
match interface FastEthernet0/0
!
route-map DMZ permit 10
match ip address 102
set ip next-hop 192.168.176.1
!
!
!
!
!
control-plane
!
!

line con 0
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler allocate 20000 1000
end
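Added example, not part of the original post and not Cisco code: a short Python model of how IOS evaluates the posted `route-map LAN` against flows arriving on Vlan1. It is here to make two rules visible that are easy to miss when reading the config: a numbered extended ACL is evaluated first-match with an implicit deny at the end, and an `eq <port>` written after the destination address tests only the destination port. The ACL 101 and route-map lines are copied from the post; the sample flows, the Internet address 8.8.8.8 and the pool address 10.10.10.10 are constructed for the example. `set ip next-hop` is modeled as overriding the routing table for every packet the clause permits, which is IOS behaviour for that command (unlike `set ip default next-hop`). The router's own ISAKMP/ESP packets are never subject to an interface's `ip policy` and are not modeled.

```python
# Added example, not code from the post or from Cisco IOS: a model of IOS policy
# routing (first-match ACL with implicit deny, `eq` on the destination port only,
# `set ip next-hop` overriding the routing table for every permitted packet).
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Policy-routing lines copied from the configuration in the post above.
CONFIG = """
access-list 101 deny   ip 192.168.177.0 0.0.0.255 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 876
access-list 101 permit tcp any any eq 8550
access-list 101 deny   ip any any
route-map LAN permit 10
match ip address 101
set ip next-hop 111.222.111.134
"""
PORT_NAMES = {"smtp": 25, "www": 80, "isakmp": 500, "non500-isakmp": 4500}
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}

@dataclass(frozen=True)
class Flow:
    proto: int                   # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for esp/ahp

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W' (a Cisco wildcard is an inverted netmask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acls(text):
    """{number: [(permit, proto, src_net, dst_net, dport), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(t[1], []).append((t[2] == "permit", PROTO_NUMBERS[t[3]], src, dst, dport))
    return acls

def acl_permits(entries, flow):
    """First matching entry decides; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for permit, proto, src_net, dst_net, dport in entries:
        if proto is not None and proto != flow.proto:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if dport is not None and dport != flow.dport:  # only the destination port is tested
            continue
        return permit
    return False

def parse_route_maps(text):
    """{name: [clause, ...]}; a clause without a match condition matches everything."""
    maps, clause = {}, None
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["route-map"]:
            clause = {"permit": t[2] == "permit", "acl": None, "next_hop": None}
            maps.setdefault(t[1], []).append(clause)
        elif clause and t[:3] == ["match", "ip", "address"]:
            clause["acl"] = t[3]
        elif clause and t[:3] == ["set", "ip", "next-hop"]:
            clause["next_hop"] = t[3]
    return maps

ACLS, ROUTE_MAPS = parse_acls(CONFIG), parse_route_maps(CONFIG)

def policy_next_hop(flow, route_map):
    """Next hop forced by PBR, or None when the packet falls back to the routing table."""
    for clause in ROUTE_MAPS[route_map]:
        if clause["acl"] is None or acl_permits(ACLS[clause["acl"]], flow):
            return clause["next_hop"] if clause["permit"] else None
    return None

if __name__ == "__main__":
    # Constructed flows; 10.10.10.10 is an address from the post's SDM_POOL_1 range.
    for label, flow in [
        ("LAN host -> Internet, port 443", Flow(6, "192.168.175.20", "8.8.8.8", 443)),
        ("LAN host -> VPN client, port 80", Flow(6, "192.168.175.20", "10.10.10.10", 80)),
        ("web server reply -> VPN client", Flow(6, "192.168.175.1", "10.10.10.10", 51234)),
    ]:
        print(f"{label:34} {policy_next_hop(flow, 'LAN') or 'routing table'}")
```

Run as a script it prints the forced next hop per flow. With the posted ACL 101, a LAN host opening port 80 on a VPN client is given the next hop 111.222.111.134 by the `permit tcp any any eq www` line, while a LAN web server's reply to a VPN client (source port 80, ephemeral destination port) reaches `deny ip any any` and falls back to the routing table; the poster's own ESP and ISAKMP packets toward the VPN client are decided by the routing table alone, not by this route-map.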
