This document provides a sample configuration for an IOS router that terminates redundant ISP connections. In some cases a company may require the router to service SSL VPN connections on both the ISP1 and the ISP2 address in an active/active fashion. Because the router can have only one default route active at a time, local policy routing is used to change the next hop for SSL traffic that the router itself sources from the ISP2 interface address, so that those replies leave through ISP2 instead of following the default route.
The sample configuration below satisfies this requirement for dual active SSL VPN gateways on a single router terminating a primary and a secondary ISP. It also automates default route selection with IP SLA and object tracking: the default route toward ISP1 is installed only while track 1 is up, and a floating static route toward ISP2 (administrative distance 240) takes over when it is not. Route-map based NAT overloads inside addresses onto the primary or the secondary ISP interface according to the interface the packet actually exits. Local policy routing changes the next hop of router-generated TCP 443 traffic sourced from the ISP2 interface address.
interface FastEthernet0/0
 description To ISP1
 ip address 126.96.36.199 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To ISP2
 ip address 188.8.131.52 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Internal LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local policy route-map SSL-REDIRECT
ip local pool webvpn 192.168.100.10 192.168.100.15
ip local pool webvpn2 192.168.200.10 192.168.200.15
ip route 0.0.0.0 0.0.0.0 184.108.40.206 track 1
ip route 0.0.0.0 0.0.0.0 220.127.116.11 240
ip route 192.168.200.0 255.255.255.0 18.104.22.168
!
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended SSL
 permit tcp host 22.214.171.124 eq 443 any
!
ip sla 1
 icmp-echo 126.96.36.199 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 5
ip sla schedule 1 life forever start-time now
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SSL-REDIRECT permit 10
 match ip address SSL
 match interface FastEthernet0/1
 set ip next-hop 188.8.131.52
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map ISP2 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
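The following Python model is an added example, not part of the original document and not Cisco code. It reproduces the three forwarding decisions the configuration above relies on: default route selection driven by the state of track 1, NAT route-map selection by egress interface, and the local policy route-map for router-generated TCP 443 traffic. Addresses and names are the ones printed in the configuration; the test packets (203.0.113.x destinations, 10.10.10.50 LAN host) are constructed. Two assumptions: the track object that binds track 1 to ip sla 1 (not shown in the configuration) is assumed to exist, and only the ACL clause of route-map SSL-REDIRECT is modelled, since how the match interface clause is evaluated for locally generated traffic is not described on this page.

```python
"""Model of the egress decisions in the dual-ISP SSL VPN configuration.

Added example (not from the original page or Cisco): shows why the tracked
default route alone would send router-generated TCP/443 replies sourced from
the ISP2 address out through ISP1, and how 'ip local policy route-map' and the
'match interface' NAT route-maps keep traffic on the correct ISP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values as printed in the configuration on this page.
ISP1_IF, ISP2_IF, LAN_IF = "FastEthernet0/0", "FastEthernet0/1", "FastEthernet0/0/0"
ISP1_GW = "184.108.40.206"      # next hop of 'ip route 0.0.0.0 0.0.0.0 ... track 1'
ISP2_GW = "220.127.116.11"      # next hop of the floating static, AD 240
SSL_SRC_HOST = "22.214.171.124"  # 'permit tcp host ... eq 443 any' in ACL SSL
SSL_NEXT_HOP = "188.8.131.52"   # 'set ip next-hop' in route-map SSL-REDIRECT
VPN_POOLS = ("192.168.100.0", "192.168.200.0")  # webvpn / webvpn2 pool networks


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0
    in_if: Optional[str] = None   # None marks traffic generated by the router itself


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def acl_101(pkt: Packet) -> bool:
    """access-list 101: deny LAN -> either VPN pool, permit LAN -> anything else.
    The deny entries keep VPN client traffic out of NAT."""
    if not wildcard_match(pkt.src, "10.10.10.0", "0.0.0.255"):
        return False                      # implicit deny for non-LAN sources
    for pool in VPN_POOLS:
        if wildcard_match(pkt.dst, pool, "0.0.0.255"):
            return False                  # explicit deny: not translated
    return True


def acl_ssl(pkt: Packet) -> bool:
    """ip access-list extended SSL: tcp from the ISP2 host address, source port 443."""
    return pkt.proto == "tcp" and pkt.src == SSL_SRC_HOST and pkt.sport == 443


def default_next_hop(track1_up: bool) -> str:
    """Static route selection. While track 1 (assumed bound to ip sla 1) is up the
    tracked route with the default administrative distance wins; when the probe
    fails the route is withdrawn and the AD 240 floating static toward ISP2 is used."""
    return ISP1_GW if track1_up else ISP2_GW


def egress_interface(track1_up: bool) -> str:
    """Interface the routing table would use for an internet-bound packet."""
    return ISP1_IF if default_next_hop(track1_up) == ISP1_GW else ISP2_IF


def router_traffic_next_hop(pkt: Packet, track1_up: bool) -> str:
    """'ip local policy route-map SSL-REDIRECT': router-sourced packets are tested
    against the route-map before the routing table. Only the ACL match is modelled
    here (assumption, see lead-in). A match overrides the default route entirely."""
    if acl_ssl(pkt):
        return SSL_NEXT_HOP
    return default_next_hop(track1_up)


def nat_overload_interface(pkt: Packet, track1_up: bool) -> Optional[str]:
    """'ip nat inside source route-map ISP1|ISP2 interface ... overload': each NAT
    route-map matches ACL 101 plus the egress interface picked by routing, so the
    inside address is overloaded onto whichever ISP interface the packet leaves by.
    Returns None when the packet is not translated."""
    if pkt.in_if != LAN_IF or not acl_101(pkt):
        return None
    return egress_interface(track1_up)


if __name__ == "__main__":
    reply = Packet(SSL_SRC_HOST, "203.0.113.10", "tcp", 443, 51515)   # constructed
    print("SSL reply, track up, with local PBR :", router_traffic_next_hop(reply, True))
    print("SSL reply, track up, routing table  :", default_next_hop(True))
    lan = Packet("10.10.10.50", "203.0.113.10", "tcp", 40000, 80, LAN_IF)  # constructed
    print("LAN host NAT interface, track up    :", nat_overload_interface(lan, True))
    print("LAN host NAT interface, track down  :", nat_overload_interface(lan, False))
```

Running the block with track 1 up shows the point of the local policy route-map: the plain routing table would hand the TCP 443 reply sourced from the ISP2 address to the ISP1 next hop, while SSL-REDIRECT sends it to the ISP2 next hop. The NAT functions show the LAN host being overloaded onto FastEthernet0/0 while the probe succeeds and onto FastEthernet0/1 once the floating static takes over, and traffic from the LAN to the VPN pools being left untranslated.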