01-02-2013 01:29 PM - last edited on 03-25-2019 03:37 PM by ciscomoderator
Hi,
A customer has 2 WAN links.
One is an ADSL link with high bandwidth, and the other is a leased line with low bandwidth but more stable.
These are connected to a router and behind the router there is a firewall that terminates VPN.
Is it possible to have the ADSL line set up as the default route (gateway), and use the leased line only for remote access client VPN traffic?
The VPN would originate from different addresses (not a fixed address). The router would somehow need to know to route this traffic through the leased line and not through the default route (ADSL).
Regards.
01-02-2013 04:39 PM
If the VPN Client traffic flow is coming from the LAN towards the internet, you can use PBR
http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml
If it's in the opposite direction, you will need to configure the VPN Clients to reach the low bandwidth leased line IP address.
Regards,
Edison
01-02-2013 11:10 PM
Hi Edison,
The VPN will be from the internet toward the router.
My question is how will the router know to respond to those clients through the leased line instead of through the default route.
Regards.
01-03-2013 06:39 AM
Hi,
As suggested above, you can use the line IP for VPN, and for the return traffic you can use PBR.
Thanks
01-03-2013 07:27 AM
Further questions;
Is the router acting as the VPN endpoint?
If Yes, then you need to manually configure the Client VPNs to the IP address under the leased line connection (additional VPN configuration will apply).
If No, then I'm assuming you have a 3rd party device sitting behind this router.
How is the IP address advertised towards the internet? You can alter your routing towards the internet and have the leased line advertise this host IP with better routing metrics. If you are using BGP, you can AS_Prepend this host IP via the ADSL with lesser metrics, hence your leased line will be preferred.
As for return traffic, you need to use PBR as I instructed before.
Regards,
Edison
01-08-2013 12:51 AM
Hi,
Here is a more detailed explanation:
The router will have 2 WAN ports. One ADSL and another leased line with /30 subnet.
ADSL will be the default route.
Through the leased line the provider also routes other 6 public IP addresses. One of the 6 public addresses will be set to the "LAN" interface of the router and another one of the 6 addresses will be set as a WAN address of the Firewall. Default gateway for the Firewall will be the router.
It's the Firewall that will terminate the VPN.
So when a user connects with a VPN client to the Firewall, the packets will come through the leased line but the traffic going back will use the default route (it will go through the ADSL). My question is how do I tell the router to route the packets coming from the firewall back to the remote client through the leased line instead of through the default route.
Regards.
01-08-2013 01:33 AM
Hi,
As Edison and mahmoodmkl already said, you can use PBR (policy-based routing).
You have to match VPN traffic and policy route it through leased line. Is it IPSec VPN?
Suppose your Firewall's WAN IP is 1.1.1.1 and ADSL leased line is 2.2.2.2:
access-list 150 remark Return VPN traffic from the firewall (1.1.1.1) to remote clients
! Match on the firewall's SOURCE port: it is always 500/4500, whereas the client's
! destination port is arbitrary once the client sits behind NAT (NAT-T).
access-list 150 permit udp host 1.1.1.1 eq isakmp any
access-list 150 permit udp host 1.1.1.1 eq 4500 any
access-list 150 permit esp host 1.1.1.1 any
route-map VPN_PBR permit 10
 match ip address 150
 set ip next-hop 2.2.2.2
! The policy only takes effect once applied to the router interface facing the firewall (interface name is an example)
interface GigabitEthernet0/1
 ip policy route-map VPN_PBR
Hope it will help.
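As an added example (not part of the thread and not Cisco code), the following Python script models the decision the route-map above makes on traffic leaving the firewall: it parses the extended-ACL lines, evaluates constructed return packets against them, and shows why matching on the firewall's source port (`eq isakmp any`) rather than the client's destination port (`any eq isakmp`) matters once a remote client sits behind NAT and its IKE/NAT-T port has been translated. The addresses 1.1.1.1 and 2.2.2.2 are the thread's placeholders; 2.2.2.2 is assumed to be the provider end of the leased-line /30, and the client and server addresses, ports and the LAN host 1.1.1.5 are made-up test data.

```python
"""Model of the PBR match on traffic leaving the VPN firewall (added example).

Parses 'access-list N permit ...' lines in the subset of IOS extended-ACL
syntax used in the thread (any | host A.B.C.D, optional 'eq <port|name>'),
evaluates constructed packets and returns the next hop PBR would pick.
"""
from dataclasses import dataclass
from typing import Optional

FIREWALL_WAN = "1.1.1.1"           # firewall WAN address (thread placeholder)
LEASED_LINE_NEXT_HOP = "2.2.2.2"   # provider end of the leased-line /30 (assumed)
NORMAL_ROUTING = "routing table (ADSL default route)"

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS port keywords used here

# Destination-port form: only works while the client's port is untranslated.
ACL_DEST_PORT = """
access-list 150 permit udp host 1.1.1.1 any eq isakmp
access-list 150 permit udp host 1.1.1.1 any eq 4500
access-list 150 permit esp host 1.1.1.1 any
"""

# Source-port form: the firewall always sends IKE from 500 and NAT-T from 4500.
ACL_SRC_PORT = """
access-list 150 remark return VPN traffic from the firewall to remote clients
access-list 150 permit udp host 1.1.1.1 eq isakmp any
access-list 150 permit udp host 1.1.1.1 eq 4500 any
access-list 150 permit esp host 1.1.1.1 any
"""


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp" or "esp"
    src: str
    dst: str
    sport: int = 0    # 0 = no port (esp)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str                 # "any" or a host address
    sport: Optional[int]     # None = any source port
    dst: str
    dport: Optional[int]     # None = any destination port


def _addr(toks, i):
    """Parse 'any' or 'host A.B.C.D' starting at toks[i]; return (addr, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {toks[i]!r}")


def _opt_port(toks, i):
    """Parse an optional 'eq <port|name>' at toks[i]; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_acl(text):
    """Turn permit lines into Ace entries; remarks and blank lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] != "permit":
            continue
        proto = toks[3]
        src, i = _addr(toks, 4)
        sport, i = _opt_port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _opt_port(toks, i)
        entries.append(Ace(proto, src, sport, dst, dport))
    return entries


def matches(ace, pkt):
    """An ACE matches when protocol, both addresses and any stated ports agree."""
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def pbr_next_hop(acl_text, pkt):
    """First matching permit entry sets the next hop; everything else falls
    through to the routing table, i.e. the ADSL default route."""
    if any(matches(ace, pkt) for ace in parse_acl(acl_text)):
        return LEASED_LINE_NEXT_HOP
    return NORMAL_ROUTING


# Constructed return packets leaving the firewall (TEST-NET addresses, made-up ports).
IKE_REPLY_NO_NAT = Packet("udp", FIREWALL_WAN, "203.0.113.10", 500, 500)
IKE_REPLY_NAT_T = Packet("udp", FIREWALL_WAN, "203.0.113.10", 4500, 61234)  # client behind NAT
ESP_REPLY = Packet("esp", FIREWALL_WAN, "203.0.113.10")
FIREWALL_DNS = Packet("udp", FIREWALL_WAN, "198.51.100.53", 53001, 53)     # must stay on ADSL
LAN_WEB = Packet("tcp", "1.1.1.5", "198.51.100.80", 40000, 443)            # LAN host, not VPN

if __name__ == "__main__":
    for name, pkt in [("IKE reply, no NAT", IKE_REPLY_NO_NAT), ("IKE reply, NAT-T", IKE_REPLY_NAT_T),
                      ("ESP", ESP_REPLY), ("firewall DNS", FIREWALL_DNS), ("LAN web", LAN_WEB)]:
        print(f"{name:18} dest-port ACL -> {pbr_next_hop(ACL_DEST_PORT, pkt)}")
        print(f"{name:18} src-port ACL  -> {pbr_next_hop(ACL_SRC_PORT, pkt)}")
```

Running it shows the one case that differs: the NAT-T reply to a translated client port goes out the ADSL default route under the destination-port ACL and over the leased line under the source-port ACL, while the firewall's own DNS query and ordinary LAN traffic stay on the default route under both.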