Policy Based Routing with VPN Client configuration

spirit.986
Level 1

Hi to all,

We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (please don't laugh, I know that it is very obsolete, but I haven't had the time lately to switch to SSL VPN).

The router has two WAN connections. One is the primary WAN (the "slow wan" link, with slower upload: 10D/1U mbps), and it is used by the corporate workstations of the employees. The other is our backup link. It has a higher upload speed, 11D/11U mbps ("fast wan"), and thus we also use the high-upload link for our webserver (I have done this using PBR just for the HTTP traffic from the webserver). For numerous other reasons we cannot use the `fast wan` connection as our primary connection, and it is used only as a failover in case the primary link fails.

The `fast wan` also has a static IP address, and we use this static IP for the VPN Client configuration.

Now the thing is that, because of the failover, when we connect from the outside using the VPN Client, the traffic comes in via the `fast wan` interface but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload, the VPN connection is slow.

Is there any way for us to redirect the VPN traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?

This is our sanitized config:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group dc
 key ***
 dns 192.168.5.7
 domain corp.local
 pool SDM_POOL_1
 acl 101
 max-users 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group dc
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description *WAN*
 no ip address
 ip mtu 1396
 duplex auto
 speed auto
!
interface FastEthernet0/0.3
 description FAST-WAN-11D-11U
 encapsulation dot1Q 3
 ip address 88.XX.XX.75 255.255.255.248
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.4
 description SLOW-WAN-10D-1U
 encapsulation dot1Q 4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description *LOCAL*
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 no cdp enable
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 !!! NOTE: This route map is used to PBR the http traffic for our server
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3
 no ip address
!
interface Virtual-Template4
 no ip address
!
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
!
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
!
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FAST-WAN-NAT
 permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit icmp 192.168.5.0 0.0.0.255 any
 permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
 deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
 permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 any
!
route-map FAST-WAN-NAT-RMAP permit 10
 match ip address FAST-WAN-NAT
 match interface FastEthernet0/0.3
!
route-map REDIRECT-VIA-FAST-WAN permit 10
 match ip address REDIRECT-VIA-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
route-map SLOW-WAN-NAT-RMAP permit 10
 match ip address SLOW-WAN-NAT
 match interface FastEthernet0/0.4
!
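The post's existing route map, REDIRECT-VIA-FAST-WAN, is applied with `ip policy route-map` on a LAN subinterface, so it only influences transit traffic that enters that subinterface. The IKE and ESP packets that carry the VPN session back to the client are generated by the router itself (sourced from the FAST-WAN address 88.XX.XX.75), and locally generated packets are never evaluated by an interface policy; they follow the routing table and therefore the preferred (AD 5) default route out of SLOW-WAN. IOS has a separate hook for that case, `ip local policy route-map`. The fragment below is an added example, not part of the original post or of any vendor documentation: it reuses the FAST-WAN address and next hop from the post, while the ACL name VPN-OUT-VIA-FAST-WAN and the route-map name VPN-VIA-FAST-WAN are invented here.

```cisco
! Added example (not from the original post). Assumptions: the VPN Client
! connects to the FAST-WAN address 88.XX.XX.75 and the FAST-WAN next hop is
! 88.XX.XX.73 (both taken from the posted config); the ACL and route-map
! names below are invented for this example.
!
! Match only what the router sends out as the VPN server: IKE (UDP/500),
! NAT-T (UDP/4500) and ESP (IP protocol 50), all sourced from FAST-WAN.
ip access-list extended VPN-OUT-VIA-FAST-WAN
 permit udp host 88.XX.XX.75 eq isakmp any
 permit udp host 88.XX.XX.75 eq non500-isakmp any
 permit esp host 88.XX.XX.75 any
!
route-map VPN-VIA-FAST-WAN permit 10
 match ip address VPN-OUT-VIA-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
! Local policy routing is what evaluates router-originated packets; the
! "ip policy route-map" already present on FastEthernet0/1.20 does not.
ip local policy route-map VPN-VIA-FAST-WAN
```

Because the ACL matches on the source address rather than on the client's address, it stays correct whichever public address a client connects from. Packet counters in `show route-map VPN-VIA-FAST-WAN` confirm whether the router's own ESP packets are hitting the policy; while testing, `show ip policy` lists which route map is bound as the local policy. If the FAST-WAN link can go down while the router keeps running, pairing the `set ip next-hop` with next-hop tracking (`verify-availability` against an IP SLA track) prevents the policy from steering packets at a dead next hop; that refinement is not shown here.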
