Routing certain traffic through a non default interface

kasper123
Level 4

Hi,

A customer has 2 WAN links.

One is an ADSL link with a high bandwidth, and another leased line with a low bandwidth but more stable.

These are connected to a router and behind the router there is a firewall that terminates VPN.

Is it possible to have the ADSL line setup as default route (gateway), and use the leased line only for remote access client VPN traffic?

The VPN would originate from different addresses (not a fixed address). The router would somehow need to know to route this traffic through the leased line and not through the default route (ADSL).

Regards.

6 Replies

Edison Ortiz
Hall of Fame

If the VPN Client traffic flow is coming from the LAN towards the internet, you can use PBR

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

If it's in the opposite direction, you will need to configure the VPN Clients to reach the low bandwidth lease line IP address.

Regards,

Edison

Hi Edison,

The VPN will be from the internet toward the router.

My question is how will the router know to respond to those clients through the leased line instead of through the default route.

Regards.

Hi,

As suggested above you can use the line IP for VPN and for the return traffic you can use PBR.

Thanks

Further questions;

Is the router acting as the VPN endpoint?

If Yes, then you need to manually configure the Client VPNs to the IP address under the lease line connection (additional VPN configuration will apply)

If No, then I'm assuming you have a 3rd party device sitting behind this router.

How is the IP address advertised towards the internet? You can alter your routing towards the internet and have the lease line advertise this host IP with better routing metrics. If you are using BGP, you can AS_Prepend this host IP via the ADSL with lesser metrics hence your lease line will be preferred.

As for return traffic, you need to use PBR as I instructed before

Regards,

Edison

Hi,

Here is a more detailed explanation:

The router will have 2 WAN ports. One ADSL and another leased line with /30 subnet.

ADSL will be the default route.

Through the leased line the provider also routes 6 other public IP addresses. One of the 6 public addresses will be set to the "LAN" interface of the router and another one of the 6 addresses will be set as a WAN address of the Firewall. Default gateway for the Firewall will be the router.

It's the Firewall that will terminate the VPN.

So when a user connects with a VPN client to the Firewall the packets will come through the Leased line but the traffic going back will use the default route (it will go through the ADSL). My question is how do I tell the router to route the packets coming from the firewall back to the remote client through the leased line instead of through the default route.

Regards.

Hi,

As Edison and mahmoodmkl already said you can use PBR (Policy based routing).

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

You have to match VPN traffic and policy route it through leased line. Is it IPSec VPN?

Suppose your Firewall's WAN IP is 1.1.1.1 and ADSL leased line is 2.2.2.2:

! match IKE (UDP/500), NAT-T (UDP/4500) and ESP sourced from the firewall's WAN address
access-list 150 permit udp host 1.1.1.1 any eq isakmp
access-list 150 permit udp host 1.1.1.1 any eq 4500
access-list 150 permit esp host 1.1.1.1 any
!
! send matching traffic to the leased-line next-hop instead of the default route
route-map VPN_PBR permit 10
 match ip address 150
 set ip next-hop 2.2.2.2
!
! the policy only takes effect once applied to the router's LAN interface
! facing the firewall (interface name is a placeholder)
interface <LAN-interface>
 ip policy route-map VPN_PBR

Hope it will help.

Best regards,
Abzal
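Added illustration, not code from the thread: a small Python model of how ACL 150 and route-map VPN_PBR from the reply above classify sample return packets leaving the firewall, so the next-hop choice can be checked before touching the router. The ADSL gateway address and the client addresses are constructed; it also shows that a NAT-T client whose translator rewrote UDP/4500 to an ephemeral port falls through to the ADSL default route, because the ACL's port qualifier tests the destination port.

```python
# Added illustration (not the thread's code): models how ACL 150 and
# route-map VPN_PBR from the reply above classify sample return packets.
# The ADSL gateway and client addresses are constructed for the example.
from dataclasses import dataclass

FIREWALL_WAN = "1.1.1.1"       # firewall WAN address used in the thread
LEASED_NEXT_HOP = "2.2.2.2"    # leased-line next-hop used in the thread
ADSL_NEXT_HOP = "203.0.113.1"  # assumed ADSL default gateway (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "esp"
    sport: int = 0  # 0 for protocols without ports (ESP)
    dport: int = 0

def acl_150_permits(p: Packet) -> bool:
    """ACL 150 as written: the port qualifier after the destination
    ('any eq isakmp') is a *destination* port test; ESP has no ports."""
    if p.src != FIREWALL_WAN:
        return False
    if p.proto == "udp":
        return p.dport in (500, 4500)
    return p.proto == "esp"

def next_hop(p: Packet) -> str:
    """route-map VPN_PBR permit 10: matches are sent to the leased line,
    everything else follows the ADSL default route."""
    return LEASED_NEXT_HOP if acl_150_permits(p) else ADSL_NEXT_HOP

CLIENT = "198.51.100.7"  # constructed remote VPN client address
SAMPLES = {  # constructed return packets leaving the firewall
    "ike": Packet(FIREWALL_WAN, CLIENT, "udp", 500, 500),
    "nat_t": Packet(FIREWALL_WAN, CLIENT, "udp", 4500, 4500),
    "esp": Packet(FIREWALL_WAN, CLIENT, "esp"),
    "web": Packet(FIREWALL_WAN, "192.0.2.80", "tcp", 51000, 443),
    # client behind a NAT that rewrote UDP/4500 to an ephemeral port: the
    # reply goes to that port, which the destination-port ACL does not match
    "nat_t_ephemeral": Packet(FIREWALL_WAN, CLIENT, "udp", 4500, 61001),
}

def decisions() -> dict:
    """Next hop chosen for each sample, keyed by sample name."""
    return {name: next_hop(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hop in decisions().items():
        print(f"{name:16s} -> {hop}")
```

If the NAT-T case matters for your clients, matching on the firewall's source port (`host 1.1.1.1 eq 4500 any`) instead of the destination port keeps those replies on the leased line.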