andersenks
asked on
Routing WWW traffic over aDSL line instead of T1
Trying to route HTTP traffic over our aDSL line instead of our T1. When I add the "ip route 0.0.0.0 0.0.0.0 64.81.37.1" for the DSL line and "clear ip nat trans *", traffic does go over the DSL line, but then all my VPN tunnels go down. I think I'm close but missing something.
Thanks in advance.
<<Current config>>
bridge irb
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.3.1 255.255.255.0 secondary
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0/0
mtu 1522
bandwidth 1536
ip address 64.81.86.x 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation frame-relay IETF
ip route-cache flow
no ip mroute-cache
no fair-queue
frame-relay map ip 64.81.86.1 16 IETF
frame-relay interface-dlci 16
frame-relay lmi-type ansi
frame-relay qos-autosense
crypto map testmap
crypto ipsec df-bit clear
!
interface ATM0/1/0
description Connection to WAN
no ip address
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
physical-layer async
description Network for ERP (Apprise)
no ip address
!
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
crypto map testmap
crypto ipsec df-bit clear
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.1.8 64.81.94.x
ip nat inside source static 192.168.1.90 64.81.94.x
ip nat inside source static 192.168.1.161 64.81.94.x
ip nat inside source static 192.168.1.12 64.81.94.x
ip nat inside source static 192.168.10.85 64.81.94.x
!
ip access-list extended inbound
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 64.81.94.x eq www
permit icmp any host 64.81.94.x
permit tcp any host 64.81.94.x eq 8080
permit udp any eq domain any
permit tcp any host 64.81.94.x eq 3389
permit gre any any
permit esp any any
permit tcp any host 64.81.94.x eq 3389
permit tcp any host 64.81.94.x eq 1494
permit tcp any host 64.81.94.x eq ftp
permit tcp any host 64.81.94.x eq 3389
permit tcp any host 64.81.86.x eq 22
permit tcp any host 64.81.37.x eq 3389
permit tcp any host 64.81.37.x eq 22
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for **
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for **
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for **
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for **
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for **
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for **
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
snmp-server ifindex persist
You could achieve it with a simple route-map, so the logic is this:
Check to see if the traffic is web traffic; if so, set the next-hop as the DSL. Otherwise let it go through the default gateway.
This is how you configure it:
route-map webtraffic permit 10
match ip address 200
set ip next-hop 64.81.37.1
access-list 200 permit tcp 192.168.1.0 0.0.0.255 any eq 80
and so on for all the internal networks.....
Cheers,
Rajesh
ASKER
I tried this config but it still won't route over the DSL line...
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
route-map webtraffic permit 10
match ip address 160
set ip next-hop 64.81.37.1
Can you post the current config now?
Cheers,
Rajesh
ASKER
Here is the last config I've tried
Domain_2821_Ro#sh run
Building configuration...
Current configuration : 11283 bytes
!
! Last configuration change at 16:18:39 pst Mon Feb 4 2008 by XXX
! NVRAM config last updated at 16:18:42 pst Mon Feb 4 2008 by XXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password *******
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3438045733
revocation-check none
rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
certificate self-signed 01
username XXXXX privilege 15 password 0 *****!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 70.233.15.94
crypto isakmp key **** address 64.169.75.229
crypto isakmp key **** address 65.43.89.70
crypto isakmp key **** address 24.136.100.30
crypto isakmp key **** address 67.76.67.5
crypto isakmp key **** address 64.190.142.2
crypto isakmp key **** address 68.213.10.2
crypto isakmp key **** address 67.116.104.21
!
crypto isakmp client configuration group ALDvpngrp
key ***!
dns 192.168.10.5 192.168.1.5
domain domain.com
pool vpnpool
acl 140
crypto isakmp profile VPNclient
description VPN client profile
match identity group XXX
client authentication list UserAuth
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-MD5
set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
description Tunnel to Dallas
set peer 64.190.142.x
set transform-set ESP-DES-MD5
match address 103
crypto map testmap 4 ipsec-isakmp
description Tunnel to Atlanta
set peer 68.213.10.x
set transform-set ESP-DES-MD5
match address 104
crypto map testmap 5 ipsec-isakmp
description Tunnel to Van Nuys
set peer 67.116.104.x
set transform-set ESP-DES-MD5
match address 105
crypto map testmap 6 ipsec-isakmp
description Tunnel to Las Vegas
set peer 67.76.67.x
set transform-set ESP-DES-MD5
match address 106
crypto map testmap 7 ipsec-isakmp
description Tunnel to New York
set peer 24.136.100.x
set transform-set ESP-DES-MD5
match address 107
crypto map testmap 9 ipsec-isakmp
description Tunnel to San Franciso
set peer 64.169.75.x
set transform-set ESP-DES-MD5
match address 109
crypto map testmap 11 ipsec-isakmp
description Tunnel to Chicago
set peer 65.43.89.x
set transform-set ESP-DES-MD5
match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.3.1 255.255.255.0 secondary
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0/0
mtu 1522
bandwidth 1536
ip address 64.81.86.x 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation frame-relay IETF
ip route-cache flow
no ip mroute-cache
no fair-queue
frame-relay map ip 64.81.86.1 16 IETF
frame-relay interface-dlci 16
frame-relay lmi-type ansi
frame-relay qos-autosense
crypto map testmap
crypto ipsec df-bit clear
!
interface ATM0/1/0
description Connection to WAN
no ip address
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
physical-layer async
description Network for ERP
no ip address
!
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
crypto map testmap
crypto ipsec df-bit clear
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.10.30 64.81.x.x
ip nat inside source static 192.168.1.8 64.81.x.x
ip nat inside source static 192.168.1.90 64.81.x.x
ip nat inside source static 192.168.1.161 64.81.x.x
ip nat inside source static 192.168.1.12 64.81.x.x
ip nat inside source static 192.168.10.85 64.81.x.x
!
ip access-list extended inbound
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 64.81.x.x eq www
permit icmp any host 64.81.x.x
permit tcp any host 64.81.x.x eq 8080
permit udp any eq domain any
permit tcp any host 64.81.x.x eq 3389
permit gre any any
permit esp any any
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 1494
permit tcp any host 64.81.x.x eq ftp
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 22
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 22
permit tcp any host 64.81.x.x eq 443
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for ***
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for ***
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for Las Vegas
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for ***
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for San Francisco
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for ***
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
match ip address 160
set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key *****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Your access-list 'inbound' applied on the BVI interface is blocking the communication coming back, is what I think.
Can you remove that from the ADSL interface, put in the route-maps I suggested before and see if it works.
Also, I see that you have applied crypto maps on both interfaces, and that there are 2 default routes?
Cheers,
Rajesh
ASKER
Rajesh,
"Can you remove that from the adsl interface and put the route-maps I suggested before and see if it works." <<<Not sure how to do that...
The crypto map on the BVI1 interface is just there because our T1 was down once, so I re-routed the tunnels over the DSL line... Currently it's not being used that way.
Thanks for the help
Put the route-map command set as I mentioned in the first post.
To remove the access-list do this;
int bvi
no ip access-group inbound
Cheers,
Rajesh
ASKER
OK... took the following steps....
int BVI1
no ip access-group inbound
After doing that, the BVI1 interface was set to "Shutdown", so I turned it back on with "no shutdown".
The changes I made are reflected below.
After doing that, the VPN tunnels still show active in "sh cry isakmp sa", but I'm unable to ping the remote sites.
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip nat outside
ip inspect myfw out
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
match ip address 160
set ip next-hop 64.81.37.1
I do not understand; are the VPN tunnels now on the original interface or the BVI?
Cheers,
Rajesh
ASKER
The tunnels are on int s0/0/0
So remove it from the BVI interface.
Cheers,
Rajesh
ASKER
I see, I thought I had but I see I left "ip inspect myfw out" in there. Took that out.
Soon as I add "ip route 0.0.0.0 0.0.0.0 64.81.37.1" back in I can't reach the tunnels
Here is the current config below....
Domain_2821_Ro#sh run
Building configuration...
Current configuration : 11283 bytes
!
! Last configuration change at 16:18:39 pst Mon Feb 4 2008 by XXX
! NVRAM config last updated at 16:18:42 pst Mon Feb 4 2008 by XXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password *******
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3438045733
revocation-check none
rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
certificate self-signed 01
username XXXXX privilege 15 password 0 *****!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address 70.233.15.94
crypto isakmp key **** address 64.169.75.229
crypto isakmp key **** address 65.43.89.70
crypto isakmp key **** address 24.136.100.30
crypto isakmp key **** address 67.76.67.5
crypto isakmp key **** address 64.190.142.2
crypto isakmp key **** address 68.213.10.2
crypto isakmp key **** address 67.116.104.21
!
crypto isakmp client configuration group ALDvpngrp
key ***!
dns 192.168.10.5 192.168.1.5
domain domain.com
pool vpnpool
acl 140
crypto isakmp profile VPNclient
description VPN client profile
match identity group XXX
client authentication list UserAuth
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-MD5
set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
description Tunnel to Dallas
set peer 64.190.142.x
set transform-set ESP-DES-MD5
match address 103
crypto map testmap 4 ipsec-isakmp
description Tunnel to Atlanta
set peer 68.213.10.x
set transform-set ESP-DES-MD5
match address 104
crypto map testmap 5 ipsec-isakmp
description Tunnel to Van Nuys
set peer 67.116.104.x
set transform-set ESP-DES-MD5
match address 105
crypto map testmap 6 ipsec-isakmp
description Tunnel to Las Vegas
set peer 67.76.67.x
set transform-set ESP-DES-MD5
match address 106
crypto map testmap 7 ipsec-isakmp
description Tunnel to New York
set peer 24.136.100.x
set transform-set ESP-DES-MD5
match address 107
crypto map testmap 9 ipsec-isakmp
description Tunnel to San Franciso
set peer 64.169.75.x
set transform-set ESP-DES-MD5
match address 109
crypto map testmap 11 ipsec-isakmp
description Tunnel to Chicago
set peer 65.43.89.x
set transform-set ESP-DES-MD5
match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.3.1 255.255.255.0 secondary
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0/0
mtu 1522
bandwidth 1536
ip address 64.81.86.x 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation frame-relay IETF
ip route-cache flow
no ip mroute-cache
no fair-queue
frame-relay map ip 64.81.86.1 16 IETF
frame-relay interface-dlci 16
frame-relay lmi-type ansi
frame-relay qos-autosense
crypto map testmap
crypto ipsec df-bit clear
!
interface ATM0/1/0
description Connection to WAN
no ip address
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
physical-layer async
description Network for ERP
no ip address
!
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip nat outside
ip virtual-reassembly
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.10.30 64.81.x.x
ip nat inside source static 192.168.1.8 64.81.x.x
ip nat inside source static 192.168.1.90 64.81.x.x
ip nat inside source static 192.168.1.161 64.81.x.x
ip nat inside source static 192.168.1.12 64.81.x.x
ip nat inside source static 192.168.10.85 64.81.x.x
!
ip access-list extended inbound
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 64.81.x.x eq www
permit icmp any host 64.81.x.x
permit tcp any host 64.81.x.x eq 8080
permit udp any eq domain any
permit tcp any host 64.81.x.x eq 3389
permit gre any any
permit esp any any
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 1494
permit tcp any host 64.81.x.x eq ftp
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 22
permit tcp any host 64.81.x.x eq 3389
permit tcp any host 64.81.x.x eq 22
permit tcp any host 64.81.x.x eq 443
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for ***
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for ***
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for Las Vegas
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for ***
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for San Francisco
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for ***
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
match ip address 160
set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key *****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
>>ip route 0.0.0.0 0.0.0.0 64.81.37.1
You don't need that route. All you need is for the regular traffic to go through the other link, for which you have a default gateway defined, and if the traffic is web then you want it to pass through 64.81.37.1, right?
So at this stage, everything looks good. Now you can apply the route-map to the interface by using the command below; this would activate the redirection.
>>ip policy route-map webtraffic
Hope this helps.
Cheers,
Rajesh
ASKER
Took out the "ip route 0.0.0.0 0.0.0.0 64.81.37.1"
and added "ip policy route-map webtraffic" to the BVI1 interface... looks like web traffic is still going out S0/0/0.
Would it have anything to do with this line? "ip nat inside source list 135 interface Serial0/0/0 overload"
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map webtraffic
Hmmm, yes, I overlooked that. The traffic will go out, but I would assume it is coming back to the serial interface since that is what it is NATted to.
You can change it to this:
ip nat inside source list 135 interface serial0/0/0 overload
ip nat inside source list 136 interface bvi1 overload
access-list 135 deny tcp <Internal Network> <Netmask> any eq 80
access-list 135 permit ip <Internal Network> <Netmask> any
access-list 136 permit tcp <Internal Network> <Netmask> any eq 80
See if this changes the routing.
Cheers,
Rajesh
ASKER
Added "ip nat inside source list 136 interface BVI1 overload"
and the access lists shown below... With the "access-list 135 deny tcp 192.168.0.0 0.0.255.255 any eq 80" entry we're not able to access the outside web at all. If I remove it, it goes back out Serial 0/0/0.
Is the route-map webtraffic supposed to point to the 136 access list?
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source list 136 interface BVI1 overload
access-list 135 deny tcp 192.168.0.0 0.0.255.255 any eq 80
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 136 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
!
route-map webtraffic permit 10
match ip address 136
set ip next-hop 64.81.37.1
Yes, the route map should point to 136, but don't disturb the existing 135 ACL except to change it. So with the change, it isn't going to the net at all? You had the permit ip any any at the end of 135, right?
Cheers,
Rajesh
ASKER
Rajesh, that last post has me confused... are you asking me to set up ACL 135 like this?
access-list 135 deny tcp 192.168.0.0 0.0.255.255 any eq 80
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any any
No, you can just add to 135 like this (the idea is to deny NATting to the serial interface if the traffic is web):
access-list 135 deny tcp any any eq 80
access-list 135 permit ip any any
and then the other ACL should pick up this traffic and NAT it to the BVI interface so that it can go out to the public internet.
Cheers,
Rajesh
ASKER
Sorry Rajesh, it's still not working. I know the interface is working, so it shouldn't be anything there. Somehow the NAT isn't working.
XXXX_2821_Ro#sh int bvi1
BVI1 is up, line protocol is up
Hardware is BVI, address is 0000.0X28.5fa0 (bia 0007.0X21.3308)
Internet address is 64.81.37.x/24
MTU 4470 bytes, BW 800 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
35904 packets input, 32149649 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
27879 packets output, 3062794 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Hmm, it should be working and I don't know what it is that is missing. Give me some time, I'm at work now. I will have to look at it a bit more closely and see if there is another way to do this.
Cheers,
Rajesh
Can you clear the access-list counters and then try to access the web? Then look at the ACL counters and let me know if any traffic is hitting ACL 136.
Also, post a fresh config with whatever is in there now.
Cheers,
Rajesh
ASKER
Is this what you're looking for?
Domain_2821_Ro#sh access-list 135
Extended IP access list 135
10 deny tcp any any eq www (3993 matches)
20 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255 (3993 matches)
30 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255 (127 matches)
40 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255 (9474 matches)
50 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
60 permit ip any any (881 matches)
Domain_2821_Ro#sh access-list 136
Extended IP access list 136
10 permit tcp 192.168.1.0 0.0.0.255 any eq www (43 matches)
domain_2821_Ro#sh run
Building configuration...
Current configuration : 11504 bytes
!
! Last configuration change at 11:21:49 pst Mon Feb 11 2008 by Cisc0admin
! NVRAM config last updated at 11:21:50 pst Mon Feb 11 2008 by Cisc0admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password ****
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
no dspfarm
!
!
!
crypto pki trustpoint TP-self-signed-343804533
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-343804573
revocation-check none
rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-343804573
certificate self-signed 01
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key *** address 70.233.15.x
crypto isakmp key **** address 64.169.75.x
crypto isakmp key **** address 65.43.89.x
crypto isakmp key **** address 24.136.100.x
crypto isakmp key **** address 67.76.67.x
crypto isakmp key **** address 64.190.142.x
crypto isakmp key **** address 68.213.10.x
crypto isakmp key **** address 67.116.104.x
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group Axxxx
key ******!
dns 192.168.10.5 192.168.1.5
domain xxxx.com
pool vpnpool
acl 140
crypto isakmp profile VPNclient
description VPN client profile
match identity group Axxxx
client authentication list UserAuth
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-MD5
set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
description Tunnel to xxx
set peer 64.190.142.x
set transform-set ESP-DES-MD5
match address 103
crypto map testmap 4 ipsec-isakmp
description Tunnel to xxx
set peer 68.213.10.x
set transform-set ESP-DES-MD5
match address 104
crypto map testmap 5 ipsec-isakmp
description Tunnel to xxx
set peer 67.116.104.x
set transform-set ESP-DES-MD5
match address 105
crypto map testmap 6 ipsec-isakmp
description Tunnel to xxx
set peer 67.76.67.x
set transform-set ESP-DES-MD5
match address 106
crypto map testmap 7 ipsec-isakmp
description Tunnel to xxx
set peer 24.136.100.x
set transform-set ESP-DES-MD5
match address 107
crypto map testmap 9 ipsec-isakmp
description Tunnel to xxx
set peer 64.169.75.x
set transform-set ESP-DES-MD5
match address 109
crypto map testmap 11 ipsec-isakmp
description Tunnel to xxx
set peer 65.43.89.x
set transform-set ESP-DES-MD5
match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.3.1 255.255.255.0 secondary
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0/0
mtu 1522
bandwidth 1536
ip address 64.81.86.xx 255.255.255.0
ip access-group inbound in
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation frame-relay IETF
ip route-cache flow
no ip mroute-cache
no fair-queue
frame-relay map ip 64.81.86.1 16 IETF
frame-relay interface-dlci 16
frame-relay lmi-type ansi
frame-relay qos-autosense
crypto map testmap
crypto ipsec df-bit clear
!
interface ATM0/1/0
description Connection to WAN
no ip address
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
interface Group-Async1
physical-layer async
description Network for ERP
no ip address
!
interface BVI1
ip address 64.81.37.x 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map webtraffic
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source list 136 interface bvi1 overload
ip nat inside source static 192.168.1.8 64.81.94.xx
ip nat inside source static 192.168.1.90 64.81.94.xx
ip nat inside source static 192.168.1.161 64.81.94.xx
ip nat inside source static 192.168.1.12 64.81.94.xx
ip nat inside source static 192.168.10.85 64.81.94.xx
ip nat inside source static 192.168.10.30 64.81.94.xx
!
ip access-list extended inbound
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host 64.81.94.xx eq www
permit icmp any host 64.81.94.xx
permit tcp any host 64.81.94.xx eq 8080
permit udp any eq domain any
permit tcp any host 64.81.94.xx eq 3389
permit gre any any
permit esp any any
permit tcp any host 64.81.94.xx eq 3389
permit tcp any host 64.81.94.xx eq 1494
permit tcp any host 64.81.94.xx eq ftp
permit tcp any host 64.81.94.xx eq 3389
permit tcp any host 64.81.86.xx eq 22
permit tcp any host 64.81.37.xx eq 3389
permit tcp any host 64.81.37.xx eq 22
permit tcp any host 64.81.94.xx eq 443
permit tcp any host 64.81.94.xx eq smtp
permit tcp any host 64.81.94.xx eq www
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for xxxx
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for xxxx
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for xxxx
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for xxxxx
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for xxxx
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN forxxx
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for Chicago
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny tcp any any eq www
access-list 135 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip any any
access-list 136 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
snmp-server ifindex persist
!
route-map webtraffic permit 10
match ip address 136
set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key ****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
ASKER CERTIFIED SOLUTION
ASKER
That settles it!
Thanks for hanging in there with me Rajesh!
Much appreciated!
Glad it worked. It should work, period :-) I am a bit busy with our project now, so the head spin is too much and hence it took this long. I wasn't looking at the configs carefully.
Cheers,
Rajesh
--> ip route 0.0.0.0 0.0.0.0 64.81.37.1
says to make your default gateway/route 64.81.37.1, so ALL traffic that you do NOT have a specific route to will be passed to 64.81.37.1. And by ALL, I do mean ALL traffic, not just HTTP. You can't route traffic by type, only by address.
In order for your VPN traffic not to be affected by this, you would need a route for the PUBLIC IP address of each VPN partner that points to the IP address of the router on the T1.
Unless you know the public IP address of all your VPN partners, I don't think you will be able to split the traffic.
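As an added example that is not part of any post in this thread, here is one IOS arrangement for what Rajesh's "deny web from the serial NAT, catch it on the BVI NAT" idea and the route discussion above are both reaching for. It is built from the interfaces and addresses in the asker's config; the ACL and route-map names PBR-WEB, NAT-INSIDE, NAT-T1 and NAT-DSL are my own and are assumptions. Three points drive it: PBR is evaluated on the interface a packet arrives on, so `ip policy route-map` belongs on GigabitEthernet0/0 and 0/1 rather than on BVI1 (as posted, web traffic was never policy-routed and left via Serial0/0/0, where ACL 135 denied it translation); the PBR ACL must deny the IPsec-protected destinations first, otherwise HTTP bound for 10.11.0.0/16 or the VPN-client pool is steered to 64.81.37.1 around the crypto map on Serial0/0/0 and leaves in the clear; and NAT is keyed on the exit interface with route-maps, so each flow is translated to the address of the interface it actually leaves on instead of relying on one ACL denying port 80 and another permitting it for only 192.168.1.0/24. BVI1 in the later config also lost the inbound ACL and CBAC inspection it had in the original question, so the example puts them back.

```cisco
! Added example, not from the original posts. Names marked (assumed) are mine.
!
! --- 1. PBR for outbound HTTP, applied where the traffic ENTERS the router ---
ip access-list extended PBR-WEB
 remark (assumed name) tunnel- and VPN-client-bound traffic stays on the T1/crypto path
 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit tcp 192.168.0.0 0.0.255.255 any eq www
!
route-map webtraffic permit 10
 match ip address PBR-WEB
 set ip next-hop 64.81.37.1
!
interface GigabitEthernet0/0
 ip policy route-map webtraffic
interface GigabitEthernet0/1
 ip policy route-map webtraffic
interface BVI1
 no ip policy route-map webtraffic
 ip access-group inbound in
 ip inspect myfw out
!
! --- 2. One NAT ACL (no port-80 deny), selection keyed on the egress interface ---
ip access-list extended NAT-INSIDE
 remark (assumed name) never translate traffic that the crypto map or the VPN pool handles
 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map NAT-T1 permit 10
 match ip address NAT-INSIDE
 match interface Serial0/0/0
route-map NAT-DSL permit 10
 match ip address NAT-INSIDE
 match interface BVI1
!
no ip nat inside source list 135 interface Serial0/0/0 overload
no ip nat inside source list 136 interface bvi1 overload
ip nat inside source route-map NAT-T1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-DSL interface BVI1 overload
!
! Default route stays on the T1 so ISAKMP/ESP to the peers and everything
! that is not HTTP keep using Serial0/0/0 and its crypto map.
ip route 0.0.0.0 0.0.0.0 64.81.86.1
```

To check it, clear the translation table with `clear ip nat translation *`, browse from a LAN host, then confirm with `show ip nat translations` that the HTTP entries carry the BVI1 address and that other flows carry the Serial0/0/0 address; `show route-map webtraffic` shows the policy-routing match counters incrementing, and `show crypto ipsec sa` should show the site-to-site SAs still passing traffic. Inside-to-outside order of operations in IOS is PBR, then routing, then NAT, then IPsec, which is why the NAT route-maps can match on the interface PBR chose and why the PBR ACL, not the NAT ACL, is the place to protect tunnel-bound traffic.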