
Remote access VPN and 2 ISP

Delo Arnautalic
Level 1

Hi all,

I have an ISR and the following scenario:

On fa0/0 I have a static public IP address (ISP1) and on fa0/1 a dynamic public IP address (ADSL, ISP2). I would like to use the ISP2 link for users connecting to the Internet and the ISP1 link only as a remote access VPN gateway and for static NATing of several inside servers. I created two default routes with the same AD, one pointing to ISP1 and one to ISP2, and created a route-map for "Internet" traffic through ISP2, but when I tried to connect with the Cisco VPN client to the ISP1 link, the ISAKMP phase wouldn't connect because some response traffic from my router was going back out the ISP2 link and not the ISP1 link where the ISAKMP traffic came in. My question is: how do I force the return ISAKMP traffic to go back using the ISP1 default route? This also applies to web traffic from the Internet destined for my internal web server. Policy based routing is working correctly. The remote access VPN is created with a crypto map (ISAKMP/IPsec). Can someone help me with this?

6 Replies

Delo Arnautalic
Level 1

I think I figured it out using an ip local policy route-map that matches ISAKMP and ESP traffic originated by the router itself.

Richard Burts
Hall of Fame

Thanks for posting back to the forum telling us how you solved this issue. I agree that local policy based routing would be the way to solve this.

HTH

Rick

Delo Arnautalic
Level 1

Now I have a different problem.

The remote access VPN works with local PBR, but in that example I didn't have NAT configured on the interface where the crypto map is configured. As soon as I put ip nat outside on that interface (because I have some static NATing for the internal servers), the ISAKMP phase fails. I turned on debug crypto isakmp and nothing happens: no negotiation of the ISAKMP policy and therefore no VPN tunnel. I turned on Wireshark to see if the ISAKMP traffic is reaching the router, and it is. I am doing all this in GNS3. What is the reason for this behavior?

Richard Burts
Hall of Fame

I wonder if the problem is that the router is attempting to do address translation on the ISAKMP traffic? Perhaps you could post that part of the configuration?

HTH

Rick

Delo Arnautalic
Level 1

Hi Richard, thank you for your interest. I attached the config. I think the static NAT should be done using a route-map, and I tried that but with no success.

Richard Burts
Hall of Fame

Thanks for posting the config. I do have some comments and suggestions.

- I think it is not good to have two default routes with the same administrative distance. In fact I think it is not good to have the static default route pointed at fa0/0 at all. The local PBR and the static NAT will send traffic there without needing a default route. Having the second default route will just cause the router to try to send some Internet traffic out that interface.

- If you are trying to do address translation on each interface that is unique to that interface, then I suggest that you go back and try again to do address translation using route maps. In the route map you can have two match statements: one that matches the access list or static, and a second match statement that matches the interface.

- In HTTP-PBR-ACL the order of statements is the reverse of what it should be. You have the first statement permitting traffic to any destination followed by a deny to a specific network. But the deny will never execute because the permit to any will have already executed. So reverse the order of these statements.

permit ip 192.168.180.0 0.0.0.255 any
deny   ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255

Try these changes and let us know the results.

HTH

Rick
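The following IOS configuration fragment is an added example that pulls the three suggestions above, plus the local PBR fix from earlier in the thread, into one place; it is not the poster's attached config and not something Rick posted. Interface names other than fa0/0 and fa0/1, the ISP1 addressing (203.0.113.10/29 with gateway 203.0.113.9), the inside server and web-server addresses, the VPN client pool (10.10.10.0/24), and all route-map and ACL names except HTTP-PBR-ACL are assumptions chosen for illustration. The crypto map, ISAKMP policy and client group configuration are unchanged from whatever the poster already has and are left out.

```cisco
! Added example (not the original poster's config). Addresses, the inside
! interface name, the VPN pool and all names other than HTTP-PBR-ACL are assumed.
!
! 1. Only ONE default route, toward ISP2. fa0/1 is assumed to get its address
!    and its default gateway from the ISP via DHCP, so no static default is
!    configured at all, and nothing points a default route at fa0/0.
interface FastEthernet0/0
 description ISP1 - static IP, VPN gateway and static NAT only
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map RA-VPN
!
interface FastEthernet0/1
 description ISP2 - ADSL, dynamic IP, default path for user Internet traffic
 ip address dhcp
 ip nat outside
!
interface FastEthernet1/0
 description inside LAN (assumed interface)
 ip address 192.168.180.1 255.255.255.0
 ip nat inside
 ip policy route-map HTTP-PBR
!
! 2. Corrected HTTP-PBR-ACL: the deny for the internal network comes FIRST.
!    With "permit ... any" first, every packet matches it and the deny is dead.
ip access-list extended HTTP-PBR-ACL
 deny   ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.180.0 0.0.0.255 any
!
route-map HTTP-PBR permit 10
 match ip address HTTP-PBR-ACL
 set ip next-hop dynamic dhcp
!
! 3. Local PBR for traffic the router itself generates: ISAKMP (UDP 500),
!    NAT-T (UDP 4500) and ESP sourced from the ISP1 address must leave via
!    ISP1, otherwise replies follow the ISP2 default route and phase 1 fails.
ip access-list extended LOCAL-VPN-ACL
 permit udp host 203.0.113.10 eq isakmp any
 permit udp host 203.0.113.10 eq non500-isakmp any
 permit esp host 203.0.113.10 any
!
route-map LOCAL-PBR permit 10
 match ip address LOCAL-VPN-ACL
 set ip next-hop 203.0.113.9
!
ip local policy route-map LOCAL-PBR
!
! 4. Per-interface NAT via route-maps, as Rick suggests: each translation is
!    tied to the interface the packet actually leaves on, so ISP1 traffic is
!    never overloaded onto the ISP2 address and vice versa.
!    Traffic for the remote-access client pool (assumed 10.10.10.0/24) is
!    exempted so it reaches the crypto map untranslated.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.180.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
!
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
!
route-map NAT-ISP1 permit 10
 match interface FastEthernet0/0
!
! Users out ISP2, overloaded on the DHCP-learned address of fa0/1
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
!
! Inside web server (assumed 192.168.100.10) published on a spare ISP1 address,
! not on the router's own fa0/0 address, so UDP 500/4500 and ESP arriving at
! 203.0.113.10 are never redirected to the server.
ip nat inside source static 192.168.100.10 203.0.113.11 route-map NAT-ISP1
```

Two checks worth doing after applying something like this. `show ip local policy` and `debug ip policy` confirm that router-originated packets from 203.0.113.10 hit LOCAL-PBR and are sent to 203.0.113.9 rather than the DHCP gateway; `show crypto isakmp sa` should then show the client SA reaching QM_IDLE. If the static translation's global address were the fa0/0 interface address itself rather than a spare address, a plain (non-port) static entry would claim every inbound packet to that address, ISAKMP included, before the crypto map sees it; in that situation use port-specific `ip nat inside source static tcp ... 80 ...` entries instead, which is the failure mode Rick's "translation on the ISAKMP traffic" question points at.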