07-09-2007 04:57 AM - edited 03-05-2019 05:11 PM
Hi,
I have a Cisco 2821 router. This router has an ADSL WIC and an LMDS connection using the second gigabit port.
Now, there is a default route configured: ip route 0.0.0.0 0.0.0.0 83.x.x.x permanent.
With this configuration it works fine.
There are several VPN IPsec tunnels running properly, but if I change the route to ip route 192.168.157.0 255.255.255.0 83.x.x.x permanent it does not work.
Then I need to configure the routing for:
using the ADSL WIC for internet & NAT and then the static routes for VPN IPsec tunnels
What can I do?
Best regards
07-09-2007 05:10 AM
Hi Edgar
Could you post a bit more detail on your setup.
If the tunnels are site-to-site VPN tunnels you do not need static routes on the router as the crypto access-list will tell the router whether or not it needs to encrypt the traffic.
Jon
07-09-2007 05:12 AM
Hi,
Thanks for the fast response.
Yes, they are site-to-site VPN IPsec tunnels.
07-09-2007 05:28 AM
Edgar
If they are site-to-site VPN tunnels you do not need static routes for the VPN tunnels. The access-lists you define for use in the crypto map define the local and remote networks ie.
access-list vpntraffic permit ip 10.5.1.0 255.255.255.0 192.168.5.0 255.255.255.0
If the route receives a packet from 10.5.1.x destined for a 192.168.5.x machine it knows it has to send this traffic down the VPN tunnel. It does not need a static route.
HTH
Jon
07-09-2007 05:33 AM
Edit
If the route receives a packet from 10.5.1.x destined ...
should read
If the router receives a packet from 10.5.1.x destined ...
Jon
07-09-2007 05:35 AM
OK...
Then there are two questions to answer:
the 2821 has two NICs, one for line backup if it fails and the second one, the ADSL WIC, for internet and NAT
1? how to configure the routing for backup (IPsec tunnels are already configured)
2? how to configure the routing for NAT and internet browsing
07-09-2007 05:54 AM
Edgar
1) If you are using a static default route you can use another default route with a higher administrative distance - called a floating static, e.g.
If your primary link gateway is 83.10.1.1
your secondary link gateway is 84.10.1.1
ip route 0.0.0.0 0.0.0.0 83.10.1.1
ip route 0.0.0.0 0.0.0.0 84.10.1.1 250
The second route will only be used if the first disappears.
2) Not entirely clear. Are you asking how you would do the NAT in a failover scenario?
Jon
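Added example (not part of any poster's reply): a small Python model of the forwarding decision discussed in this thread, using the addresses quoted above. It assumes the crypto map is applied on both outside interfaces and that a failed link withdraws its static route; the function names are hypothetical.

```python
import ipaddress

# Static routes from the thread: (prefix, next hop, administrative distance)
ROUTES = [
    ("0.0.0.0/0", "83.10.1.1", 1),    # primary default route
    ("0.0.0.0/0", "84.10.1.1", 250),  # floating static (backup)
]
# Crypto ACL from the thread: (local network, remote network)
CRYPTO_ACL = [("10.5.1.0/24", "192.168.5.0/24")]


def best_route(dst, down_hops=()):
    """Longest-prefix match; for equal prefixes the lowest distance wins.

    Routes whose next hop is in down_hops are treated as withdrawn
    (assumption: the router has detected the link failure).
    """
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), hop, distance)
        for prefix, hop, distance in ROUTES
        if addr in ipaddress.ip_network(prefix) and hop not in down_hops
    ]
    if not candidates:
        return None
    _, hop, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return hop


def forward(src, dst, down_hops=()):
    """Return (next_hop, action): the route is chosen first, then the
    crypto ACL decides whether the packet is encrypted or sent in clear."""
    hop = best_route(dst, down_hops)
    if hop is None:
        return None, "drop"  # no route at all: the crypto ACL is never consulted
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in CRYPTO_ACL:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return hop, "encrypt"
    return hop, "clear"


if __name__ == "__main__":
    print(forward("10.5.1.20", "192.168.5.7"))                  # tunnel traffic
    print(forward("10.5.1.20", "198.51.100.9"))                 # internet traffic
    print(forward("10.5.1.20", "192.168.5.7", {"83.10.1.1"}))   # primary link down
```

The model shows why no per-tunnel static route is needed while some route (here the default) must still cover the remote network: without one the packet is dropped before the crypto ACL is checked.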
07-09-2007 07:20 AM
This is the situation:
a Cisco 2821 with two gigabit ports and an ADSL WIC.
The ADSL WIC is only for backing up the tunnels.
If the tunnels don't need routes added, the backup tunnels would not need them either?
07-09-2007 01:47 PM
07-09-2007 07:28 AM
I try to delete the default route but it does not work.