05-18-2013 10:57 AM - edited 02-21-2020 06:54 PM
Hi all,
I have an ISR and I have the following scenario:
On fa0/0 I have a static public IP address (ISP1) and on fa0/1 a dynamic public IP address (ADSL-ISP2). I would like to use the ISP2 link for users connecting to the Internet and the ISP1 link only as a remote access VPN gateway and for static NATing for several inside servers. I created 2 default routes with the same AD, one pointing to ISP1 and one to ISP2, and created a route-map for "internet" traffic through ISP2, but when I tried to connect with the Cisco VPN client to the ISP1 link the ISAKMP phase wouldn't connect because some response traffic from my router is going back out the ISP2 link and not the ISP1 link where the ISAKMP traffic originated. My question is how to force the return ISAKMP traffic to go back using the ISP1 default route? This also applies to web traffic destined from the Internet to my internal web server. Policy based routing is working correctly. Remote access VPN is created with a crypto map (ISAKMP-IPSEC). Can someone help me with this?
05-18-2013 11:47 AM
I think I figured it out using ip local policy route-map, which I used for matching ISAKMP and ESP traffic originated from the router itself.
05-18-2013 02:33 PM
Thanks for posting back to the forum telling us about how you solved this issue. I agree that Local Policy Based Routing would be the way to solve this.
HTH
Rick
05-19-2013 04:01 AM
Now I have a different problem.
Remote access VPN works with local PBR, but in that example I didn't have NAT configured on the interface where the crypto map is configured. As soon as I put ip nat outside on that interface (because I have some static NATing for the internal servers) the ISAKMP phase is out. I turned on debug crypto isakmp and nothing is going on, no negotiation of the ISAKMP policy and therefore no VPN tunnel. I turned on Wireshark to see if the ISAKMP traffic is reaching the router and it is. I am doing this all in GNS3. What is the reason for this behavior?
05-19-2013 11:55 AM
I wonder if this problem is that the router is attempting to do address translation on the ISAKMP traffic? Perhaps you could post that part of the configuration?
HTH
Rick
Sent from Cisco Technical Support iPhone App
05-19-2013 12:13 PM
05-19-2013 03:50 PM
Thanks for posting the config. I do have some comments and suggestions.
- I think it is not good to have two default routes with the same administrative distance. In fact I think it is not good to have the static default route pointed at fa0/0. The local PBR and the static NAT will send traffic there without needing a default route. Having the second default route will just cause the router to try to send some Internet traffic out that interface.
- If you are trying to do address translation on each interface that is unique to that interface, then I suggest that you go back and try again to do address translation using route maps. In the route map you can have two match statements, one of which will match the access list or static and a second match statement that will match the interface.
- In HTTP-PBR-ACL the order of statements is the reverse of what it should be. You have the first statement permitting traffic to any destination followed by a deny to a specific network. But the deny will never execute because the permit to any will have already executed. So reverse the order of these statements.
permit ip 192.168.180.0 0.0.0.255 any
deny ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
Try these changes and let us know the results.
HTH
Rick
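The three suggestions in the reply above, put together as an added example configuration (this is not the poster's config, which is not shown in the thread). The ISP1 public address 203.0.113.10, the inside web server 192.168.180.10, the NAT ACL and route-map names, and the assumption that fa0/1 learns its default route from the ADSL provider are all placeholders chosen here. The static NAT is deliberately written per port so that only TCP/80 is forwarded to the inside server while UDP/500, UDP/4500 and ESP still terminate on the router, which is the situation Rick suspects when he asks whether NAT is translating the ISAKMP traffic.

```cisco
! Added example, not from the thread. Addresses and names are assumed.
!
! 1. Only ISP2 carries a default route; ISP1 traffic is reached through the
!    local PBR route-map and the static NAT entries, not a second default.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1
!
! 2. HTTP-PBR-ACL evaluated top-down: the specific deny must come first,
!    otherwise the permit-any on line 1 matches every packet.
ip access-list extended HTTP-PBR-ACL
 deny   ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.180.0 0.0.0.255 any
!
! 3. Interface-specific NAT with route maps.
!    Dynamic PAT for Internet users applies only when the packet exits fa0/1 (ISP2).
ip access-list extended INSIDE-USERS
 permit ip 192.168.180.0 0.0.0.255 any
!
route-map NAT-ISP2 permit 10
 match ip address INSIDE-USERS
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
!
!    Static NAT for the inside web server on the ISP1 address, port-specific
!    so IKE/ESP destined to 203.0.113.10 are still handled by the router.
route-map NAT-ISP1 permit 10
 match interface FastEthernet0/0
!
ip nat inside source static tcp 192.168.180.10 80 203.0.113.10 80 route-map NAT-ISP1
!
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat outside
```

A quick check after applying this: `show ip nat translations` should list only the TCP/80 static entry and the PAT entries on the fa0/1 address, and `debug crypto isakmp` should once again show the MM/AM exchanges when a client connects to 203.0.113.10. If a whole-address static NAT to an inside host is present on the fa0/0 address, every inbound UDP/500 packet is forwarded to that host instead of the router's IKE process, which matches the "nothing is going on" symptom reported above.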