09-24-2013 11:24 AM
Hi Everyone,
I've searched this topic trying to find a solution and haven't been able to, so I'm posting here. I have attached a diagram of our setup. I am trying to allow traffic to pass through the 1921 router, then to the firewall and across the VPNs to the other networks, and vice versa. So if a packet needs to go from the 10.1.97.0 network to the 10.1.96.0 network, it would travel across the first VPN to the router, then to the ASA5512X, across the next VPN tunnel to the final ASA5505 and the 10.1.96.0 network.
The reason I am trying to accomplish this is that ping times range from 130ms to 170ms when a VPN is connected from the 10.1.97.0 network to the 10.1.96.0 network. The higher ping times are due to crossing from one internet provider to another, one being CenturyLink bonded DSL and the other Charter cable internet. I am trying to decrease the ping times by creating a more direct route from the CenturyLink-connected sites to the Charter-connected sites. The ping time between our sites on Charter is around 30ms, so I'm hoping I can achieve an average ping time of 100ms doing it this way.
The main reason for the ping time concern is that voice traffic is traveling between these sites and we are having problems with dropped calls and access to voicemail, which resides on the 10.1.99.0 network. The main protocol for the Avaya phone system we are using is H.323 for the calls between sites and the voicemail access. This problem is ongoing and very frustrating, as I've spoken with Cisco VPN support and they have concluded that the VPN tunnel is not the issue. I recently set up QoS with Cisco and we are still seeing the dropped calls. Any ideas on that matter are much appreciated.
Questions:
1. What VPN settings do I need to apply to allow traffic from multiple subnets to travel through the VPNs?
2. What routing do I need to apply to allow the traffic to go from one subnet to another on the Cisco 1921?
3. Is there another method that I should be trying to implement to improve the connection between sites?
4. Should I be using a GRE tunnel?
Cisco 1921 Router config
Current configuration : 6634 bytes
!
! Last configuration change at 21:02:27 PCTime Mon Sep 23 2013 by ITDept
! NVRAM config last updated at 21:07:34 PCTime Mon Sep 23 2013 by ITDept
! NVRAM config last updated at 21:07:34 PCTime Mon Sep 23 2013 by ITDept
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AdminR2
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 1iDzygew6/ax5OYs4NTIrsu0OBZbQFWgLxSntkX7yiw
enable password
!
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
!
ip domain name corp.centermh.org
ip name-server 10.1.99.20
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2777336015
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2777336015
revocation-check none
rsakeypair TP-self-signed-2777336015
!
!
crypto pki certificate chain TP-self-signed-2777336015
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FGL1711252C
!
!
username IT privilege 15 secret 4 /n3BsS8syn34LtKyXZMxqpNtiHliLrlO6pXShykxR3o
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh version 2
!
class-map match-any VOICE
match protocol rtp
!
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class VOICE
set dscp ef
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key
! address 63.225.235.153
crypto isakmp key
!fghjfhfrghfgh
! address 67.230.252.120
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-256-SHA-2 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to63.225.235.153
set peer 63.225.235.153
set transform-set ESP-AES-256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to67.230.252.120
set peer 67.230.252.120
set transform-set ESP-AES-256-SHA-2
match address 102
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
bandwidth 896
bandwidth receive 5120
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 10.2.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer1
ip address 63.227.19.220 255.255.255.0
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callback
ppp chap hostname
middlewest576@qwest.commidwesterncol739@qwest.net
ppp chap password 0 hgjkghkjgh
ppp pap sent-username
password 0 hgjkghkjgh
crypto map SDM_CMAP_1
service-policy output CCP-QoS-Policy-1
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 207.225.112.2 5
ip route 10.1.95.0 255.255.255.0 207.220.115.5 2
ip route 10.1.96.0 255.255.255.0 10.2.99.2
ip route 10.1.97.0 255.255.255.0 207.220.115.5
ip route 10.1.99.0 255.255.255.0 10.2.99.2
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.2.99.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.1.99.0 0.0.0.255 10.1.97.0 0.0.0.255
access-list 101 permit ip 10.2.99.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.1.99.0 0.0.0.255 10.1.95.0 0.0.0.255
access-list 150 remark acl for delta
access-list 150 remark CCP_ACL Category=1
access-list 150 permit ip 10.1.97.0 0.0.0.255 10.1.95.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
!
control-plane
!
!
alias exec traffic show ip nbar protocol-discovery stats bit-rate top-n 10
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 128.138.140.44 prefer source Dialer1
!
end
09-27-2013 01:40 PM
Jason,
It looks like you're on the right track. If you're going to use a route map, I suggest you use an extended ACL and then add all the subnets you want to go through the VPN tunnel.
10-08-2013 04:14 AM
I went down the ACL route and this worked for me.
I used the ASDM GUI for the Site A ASA 5510, went into the ACL "outside cryptomap_1" that connected site A to a remote VPN site B (Cisco 1921),
added an ACL with source the subnet in Site C and destination site B,
added similar ACLs on the other routers, and I have connectivity between site B and C through site A.
10-08-2013 07:21 AM
Hi Colm,
Can you send me a command-line example of what you did, or a screenshot of the ASDM GUI showing the ACL?
10-08-2013 07:45 AM
The pic is the ACL from the ASA (ASDM).
10.2.10.0 is site C and Saudi/16 is Site B (10.200.x.x is the Saudi office too, 9/10/11/12/13 + 14; an over-complicated setup, not done by me).
These are the ACLs on the Saudi (site B) router.
101 is internet, so this restricts networks from accessing the VPN networks over the internet ACL.
102 is VPN, which allows:
access-list 101 deny ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.13.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.13.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.14.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.13.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.13.0 0.0.0.255 10.2.10.0 0.0.0.255
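The pairing Colm describes above (and the route-map approach in the original 1921 config) only works when every crypto-ACL pair has a matching deny in the NAT-exemption ACL, and when the peer's crypto ACL mirrors it. The script below is an added check written for this thread, not Cisco's or the posters' code; the function names are mine, and the sample ACLs are a constructed, abridged subset of the site-B lines quoted above with one exemption deliberately missing.

```python
"""Added check: does an IOS crypto ACL line up with the NAT-exemption route-map ACL?"""
import ipaddress

def _operand(tok, i):
    """Parse one ACE address operand at tok[i] ('any' or 'ADDRESS WILDCARD')."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    host_bits = int(ipaddress.IPv4Address(tok[i + 1]))   # wildcard mask as an integer
    if host_bits & (host_bits + 1):                        # must be 2^n - 1, i.e. contiguous
        raise ValueError(f"non-contiguous wildcard mask {tok[i + 1]}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered 'ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            continue                                       # remarks and non-ip ACEs are skipped
        src, i = _operand(tok, 4)
        dst, _ = _operand(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def compare_acls(acls, crypto_acl, nat_acl):
    """Return (unexempted, stale). The route-map ACL is evaluated before the crypto map,
    so a crypto pair that is not denied there is NATed first and never enters the tunnel."""
    permitted = {(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"}
    denied = {(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"}
    unexempted = [(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit" and (s, d) not in denied]
    stale = [(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny" and (s, d) not in permitted]
    return unexempted, stale

def required_mirror(acls, crypto_acl):
    """Pairs the peer's crypto ACL must permit: the same subnets with src and dst swapped."""
    return [(d, s) for a, s, d in acls.get(crypto_acl, []) if a == "permit"]

# Constructed sample: an abridged subset of the site-B router ACLs quoted above,
# plus a 10.200.13.0/24 crypto entry whose NAT deny was deliberately left out.
SITE_B_ACLS = """
access-list 101 deny ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.14.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.13.0 0.0.0.255 10.2.10.0 0.0.0.255
"""
```

Run `compare_acls(parse_acls(SITE_B_ACLS), "102", "101")` to get the 10.200.13.0/24 pair as still NATed and the 10.200.14.0/24 exemption as having no tunnel; `required_mirror` lists what the far-end crypto ACL needs.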
10-08-2013 07:55 AM
10-08-2013 08:12 AM
Colm,
Thank you very much, Colm. I'll make these changes and see if everything starts working.