First, I apologize for the long question post. I want to make sure I include all relevant info.
I have a Cisco 1720 here at HQ, running IOS 12.1(21), and has two T1s on Serial0 and Serial1 and inside network on FastEthernet0. NAT is set up between FastEthernet0 and Serial0 for Internet. Also have a Cisco 1720 in branch office, also running 12.2(21), has one T1 on Serial0 and inside network on FastEthernet0. NAT is set up the same way. VPN between the two offices using crypto commands. There are no VPN modules in the routers themselves. The "LAN addresses" I was given here by my ISP to use for the NAT pool are 167.x.x.201-206.
What I desire is to "bond" both T1s here at HQ to achieve a 3 Mbps throughput. ISP (Lightpath) says to set up CEF. After some failed attempts, they note that my NAT is set up screwy, and should be in a NAT pool instead. So I do what I have to set up NAT pool and CEF and actually get the 3 Mbps, but now the VPN doesn't work. I can't reach the other office through a 192.168.x.x address anymore and nothing that I do can get it back up. Anyways, here's the relevant info from the configs:
***** HQ Cisco 1720 (Current, non-"bonded" config) *****
crypto isakmp policy 4
hash md5
authentication pre-share
group 2
crypto isakmp key notrealkey address 24.x.x.106
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
set peer 24.x.x.106
set transform-set trans1
match address 106
interface Loopback0
ip address 192.168.16.1 255.255.255.0
interface Serial0
ip address 167.x.x.230 255.255.255.252
ip access-group 115 in
ip nat outside
ip inspect inetout out
no ip mroute-cache
service-module t1 timeslots 1-24
no cdp enable
crypto map combined
interface Serial1
ip address 167.x.x.242 255.255.255.252
ip access-group 115 in
ip inspect inetout out
no ip mroute-cache
service-module t1 timeslots 1-24
no cdp enable
crypto map combined
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip policy route-map nostatic
speed auto
half-duplex
no cdp enable
ip nat inside source static tcp 192.168.10.160 80 interface Serial0 80
ip nat inside source static tcp 192.168.10.150 25 interface Serial0 25
ip nat inside source route-map NAT interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 167.x.x.229
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.20.0 0.0.0.255
access-list 103 permit ip host 192.168.10.151 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit tcp any any eq 443
access-list 115 permit udp any any eq 443
access-list 115 permit tcp any host 167.x.x.230 eq www
access-list 115 permit tcp any host 167.x.x.230 eq telnet
access-list 115 permit tcp any host 167.x.x.230 eq smtp
access-list 115 permit icmp 192.168.10.0 0.0.0.255 any
access-list 115 permit icmp any any echo-reply
no cdp run
route-map nostatic permit 10
match ip address 103
set ip next-hop 192.168.16.2
route-map NAT permit 10
match ip address 102
***** END HQ Cisco 1720 (Current, non-"bonded" config) *****
Here are the changes that I made to get the 3 Mbps and non-working VPN:
***** HQ Cisco 1720 ("bonded" config) *****
ip cef
crypto isakmp policy 4
hash md5
authentication pre-share
group 2
crypto isakmp key notrealkey address 24.x.x.106
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
set peer 24.x.x.106
set transform-set trans1
match address 106
interface Loopback0
ip address 192.168.16.1 255.255.255.0
interface Serial0
ip address 167.x.x.230 255.255.255.252
ip access-group 115 in
ip nat outside
ip inspect inetout out
ip load-sharing per-packet
service-module t1 timeslots 1-24
no cdp enable
crypto map combined
interface Serial1
ip address 167.x.x.242 255.255.255.252
ip access-group 115 in
ip nat outside
ip inspect inetout out
ip load-sharing per-packet
service-module t1 timeslots 1-24
no cdp enable
crypto map combined
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip policy route-map nostatic
speed auto
half-duplex
no cdp enable
ip nat pool natpool1 167.x.x.201 167.x.x.206 netmask 255.255.255.248
ip nat inside source list 1 pool natpool1 overload
ip nat inside source static tcp 192.168.10.160 80 interface Serial0 80
ip nat inside source static tcp 192.168.10.150 25 interface Serial0 25
ip classless
ip route 0.0.0.0 0.0.0.0 167.x.x.229
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.20.0 0.0.0.255
access-list 103 permit ip host 192.168.10.151 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit tcp any any eq 443
access-list 115 permit udp any any eq 443
access-list 115 permit tcp any host 167.x.x.230 eq www
access-list 115 permit tcp any host 167.x.x.230 eq telnet
access-list 115 permit tcp any host 167.x.x.230 eq smtp
access-list 115 permit icmp 192.168.10.0 0.0.0.255 any
access-list 115 permit icmp any any echo-reply
no cdp run
route-map nostatic permit 10
match ip address 103
set ip next-hop 192.168.16.2
route-map NAT permit 10
match ip address 102
***** END HQ Cisco 1720 ("bonded" config) *****
***** Branch office Cisco 1720 (Current config)*****
crypto isakmp policy 4
hash md5
authentication pre-share
group 2
crypto isakmp key notrealkey address 167.x.x.230
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 20 ipsec-isakmp
set peer 167.x.x.230
set transform-set trans1
match address 106
interface Loopback0
ip address 192.168.16.1 255.255.255.0
interface FastEthernet0
ip address 192.168.20.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
half-duplex
no cdp enable
interface Serial0
ip address 24.x.x.106 255.255.255.252
ip access-group 115 in
ip nat outside
ip inspect inetout out
encapsulation ppp
no ip route-cache
no ip mroute-cache
crypto map combined
ip nat inside source route-map NAT interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 24.x.x.105
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit tcp any host 24.x.x.106 eq telnet
access-list 115 permit tcp any any eq 443
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit icmp host any any
access-list 151 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
route-map nostatic permit 10
match ip address 103
set ip next-hop 192.168.16.2
route-map NAT permit 10
match ip address 102
***** END Branch office Cisco 1720 (Current config)*****
For the updated branch office config, I just changed the following lines:
crypto isakmp key notrealkey address 167.x.x.201
set peer 167.x.x.201
So again, when I change the configs as stated above, the NAT pool seems to work fine, and I get 3 Mbps, but the VPN won't work at all, whether the branch has the changed settings or not. I've spent a good week googling and reading docs to no avail. There seems to be a million different ways to go wrong here, so any pointers would be a plus. If there is any more information desired, let me know. Thanks in advance.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Any advice on how to set up this GRE tunnel? I read up on it and it seems a bit tough. I don't have too much experience with Cisco stuff and I'm trying to learn as I go. These routers and the VPN weren't set up by me and here I am trying to change it all around, so clues and/or answers would be very helpful. :)
Eric,
Why not assign an IP address from the available nat pool to the loopback interface and use that IP address as the peer for the remote site?
nwru,
You still have to use the route-map for the NAT statement. Use it with the pool:
Change this:
>ip nat inside source list 1 pool natpool1 overload
To this:
ip nat inside source route-map NAT pool natpool1 overload
Well, I finally got it. The only things I did differently is:
1) I left the "ip mroute-cache" command on each of the serial interfaces. Not sure if this mattered at all though.
2) Used the "ip nat inside source route-map NAT pool natpool1 overload" as stated above by lrmoore. Now I know that I've used this exact command in my trial-and-error and by recommendation of a smart friend, and I have the logs to prove it, but it didn't work. Must have been something else messing it up at the time.
3) Have 2 static routes, one for each of my interfaces, i.e.:
ip route 0.0.0.0 0.0.0.0 167.x.x.229
ip route 0.0.0.0 0.0.0.0 167.x.x.241
4) On the remote router, I needed to supply two "crypto isakmp key" commands and two "set peer" commands, i.e.:
crypto isakmp key notrealkey address 167.x.x.230
crypto isakmp key notrealkey address 167.x.x.242
crypto map combined 20 ipsec-isakmp
set peer 167.x.x.230
set peer 167.x.x.242
set transform-set trans1
match address 106
Everything else I left the same. I just kept messing with it and it suddenly worked. Those "LAN addresses" were only used for the "ip nat pool" command and no where else.
Thanks for the help everyone. :)
Eric,
Fair enough. I compensated you here: http://www.experts-exchang
I didn't understand that doing my number #3 and #4 was effectively creating 2 VPN tunnels. I didn't emphasize that this is all pretty new to me. So the GRE tunnel talk threw me off a bit. Not sure what you were talking about, I dismissed your comment and wound up figuring the routes and the crypto commands by myself.
lrmoore's suggestion to use that exact "ip nat inside" command still did help moreso because it helped point me in the right direction and I probably wouldn't have fixed the problem without that command.
I gave you some points because you did actually supply me with help, even if I didn't understand it, and I don't like to rip people off. :)
Thanks.
Business Accounts
Answer for Membership
by: epylkoPosted on 2004-01-21 at 14:13:25ID: 10169288
You'll need to have 2 VPN tunnels established and you need to make sure one goes to each public interface you have. Otherwise, your receiving side is going to get encrypted packets from 2 sources but only be expecting them from 1 source.
I would create a GRE tunnel between the 2 boxes and encrypt GRE traffic. That way you won't have to worry about which way the GRE packet goes.
The other option might be to have 2 VPN connections, one on each interface. You would want to switch back to per destination load balancing though. This will give you a max of 1.5Mbps per session but you could have 2x1.5Mbps sessions going at any given time.
-Eric