andersenks (United States of America) asked:
Routing WWW traffic over aDSL line instead of T1

Trying to route HTTP traffic over our aDSL line instead of our T1. When I add the "ip route 0.0.0.0 0.0.0.0 64.81.37.1" for the DSL line and "clear ip nat trans *", traffic does go over the DSL line but then all my VPN tunnels go down. I think I'm close but missing something.

Thanks in advance.
<<Current config>>
bridge irb
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0
 mtu 1522
 bandwidth 1536
 ip address 64.81.86.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay map ip 64.81.86.1 16 IETF
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
 frame-relay qos-autosense
 crypto map testmap
 crypto ipsec df-bit clear
!
interface ATM0/1/0
 description Connection to WAN
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
interface Group-Async1
 physical-layer async
 description Network for ERP (Apprise)
 no ip address
!
interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 crypto map testmap
 crypto ipsec df-bit clear
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.1.8 64.81.94.x
ip nat inside source static 192.168.1.90 64.81.94.x
ip nat inside source static 192.168.1.161 64.81.94.x
ip nat inside source static 192.168.1.12 64.81.94.x
ip nat inside source static 192.168.10.85 64.81.94.x
!
ip access-list extended inbound
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 64.81.94.x eq www
 permit icmp any host 64.81.94.x
 permit tcp any host 64.81.94.x eq 8080
 permit udp any eq domain any
 permit tcp any host 64.81.94.x eq 3389
 permit gre any any
 permit esp any any
 permit tcp any host 64.81.94.x eq 3389
 permit tcp any host 64.81.94.x eq 1494
 permit tcp any host 64.81.94.x eq ftp
 permit tcp any host 64.81.94.x eq 3389
 permit tcp any host 64.81.86.x eq 22
 permit tcp any host 64.81.37.x eq 3389
 permit tcp any host 64.81.37.x eq 22
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for **
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for **
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for **
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for **
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for **
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for **
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
snmp-server ifindex persist


giltjr:

--> ip route 0.0.0.0 0.0.0.0 64.81.37.1

says to make my default gateway/route 64.81.37.1, so ALL traffic that you do NOT have a specific route to will be passed to 64.81.37.1.  And by ALL, I do mean by ALL traffic, not just HTTP.  You can't route traffic by type, only by address.

In order for your vpn traffic not to be affected by this, you would need to have a route for the PUBLIC ip address for each of the vpn partners defined that points to the IP address of the router on the T1.

Unless you know the public ip address of all your vpn partners, I don't think you will be able to split the traffic.

You could achieve it with a simple route-map, so the logic is this;

Check to see if the traffic is web traffic, if so, then set the next-hop as dsl. Otherwise let it go through the default gateway.

This is how you configure it;

route-map webtraffic permit 10
match ip address 200
set ip next-hop 64.81.37.1

access-list 200 permit tcp 192.168.1.0 0.0.0.255 any eq 80

and so on for all the internal networks.....

Cheers,
Rajesh
andersenks (ASKER):

I tried this config but it still won't route over the DSL line...

access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
route-map webtraffic permit 10
 match ip address 160
 set ip next-hop 64.81.37.1

Can you post the current config now?

Cheers,
Rajesh
Here is the last config I've tried
Domain_2821_Ro#sh run
Building configuration...
 
Current configuration : 11283 bytes
!
! Last configuration change at 16:18:39 pst Mon Feb 4 2008 by XXX
! NVRAM config last updated at 16:18:42 pst Mon Feb 4 2008 by XXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password *******
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3438045733
 revocation-check none
 rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
 certificate self-signed 01
 
 
username XXXXX privilege 15 password 0 *****!
 
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 70.233.15.94
crypto isakmp key **** address 64.169.75.229
crypto isakmp key **** address 65.43.89.70
crypto isakmp key **** address 24.136.100.30
crypto isakmp key **** address 67.76.67.5
crypto isakmp key **** address 64.190.142.2
crypto isakmp key **** address 68.213.10.2
crypto isakmp key **** address 67.116.104.21
!
crypto isakmp client configuration group ALDvpngrp
 key ***!
 dns 192.168.10.5 192.168.1.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   description VPN client profile
   match identity group XXX
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
 description Tunnel to Dallas
 set peer 64.190.142.x
 set transform-set ESP-DES-MD5
 match address 103
crypto map testmap 4 ipsec-isakmp
 description Tunnel to Atlanta
 set peer 68.213.10.x
 set transform-set ESP-DES-MD5
 match address 104
crypto map testmap 5 ipsec-isakmp
 description Tunnel to Van Nuys
 set peer 67.116.104.x
 set transform-set ESP-DES-MD5
 match address 105
crypto map testmap 6 ipsec-isakmp
 description Tunnel to Las Vegas
 set peer 67.76.67.x
 set transform-set ESP-DES-MD5
 match address 106
crypto map testmap 7 ipsec-isakmp
 description Tunnel to New York
 set peer 24.136.100.x
 set transform-set ESP-DES-MD5
 match address 107
crypto map testmap 9 ipsec-isakmp
 description Tunnel to San Francisco
 set peer 64.169.75.x
 set transform-set ESP-DES-MD5
 match address 109
crypto map testmap 11 ipsec-isakmp
 description Tunnel to Chicago
 set peer 65.43.89.x
 set transform-set ESP-DES-MD5
 match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0
 mtu 1522
 bandwidth 1536
 ip address 64.81.86.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay map ip 64.81.86.1 16 IETF
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
 frame-relay qos-autosense
 crypto map testmap
 crypto ipsec df-bit clear
!
interface ATM0/1/0
 description Connection to WAN
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
interface Group-Async1
 physical-layer async
 description Network for ERP 
 no ip address
!
interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 crypto map testmap
 crypto ipsec df-bit clear
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.10.30 64.81.x.x
ip nat inside source static 192.168.1.8 64.81.x.x
ip nat inside source static 192.168.1.90 64.81.x.x
ip nat inside source static 192.168.1.161 64.81.x.x
ip nat inside source static 192.168.1.12 64.81.x.x
ip nat inside source static 192.168.10.85 64.81.x.x
!
ip access-list extended inbound
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 64.81.x.x eq www
 permit icmp any host 64.81.x.x
 permit tcp any host 64.81.x.x eq 8080
 permit udp any eq domain any
 permit tcp any host 64.81.x.x eq 3389
 permit gre any any
 permit esp any any
 permit tcp any host 64.81.x.x eq 3389
 permit tcp any host 64.81.x.x eq 1494
 permit tcp any host 64.81.x.x eq ftp
 permit tcp any host 64.81.x.x1 eq 3389
 permit tcp any host 64.81.x.x eq 22
 permit tcp any host 64.81.x.x eq 3389
 permit tcp any host 64.81.x.x eq 22
 permit tcp any host 64.81.x.x eq 443
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for ***
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for ***
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for Las Vegas
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for ***
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for San Francisco
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for ***
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
 match ip address 160
 set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key *****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Your access-list 'inbound' applied on the BVI interface is blocking the communication coming back, is what I think.

Can you remove that from the adsl interface and put the route-maps I suggested before and see if it works?

Also I see that you have applied cryptomap's on both interfaces, as well as there are 2 default routes?

Cheers,
Rajesh

Rajesh,
"Can you remove that from the adsl interface and put the route-maps I suggested before and see if it works." <<<Not sure how to do that...

The Crypto map on the BVI1 interface is just there because once our T1 was down so I re-routed the tunnels over the DSL line... Currently not being used that way.

Thanks for the help
Put the route-map command set as I mentioned in the first post.

To remove the access-list do this;

int bvi
no ip access-group inbound

Cheers,
Rajesh

OK... took the following steps....

int BVI1
no ip access-group inbound

After doing that the BVI1 interface was set to "Shutdown" so I turned it back on "no shutdown"

The changes I made are reflected below.
After doing that the VPN tunnels still show active ("sh cry isakmp sa") but I'm unable to ping the remote sites.

interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
 
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
 match ip address 160
 set ip next-hop 64.81.37.1


I do not understand, now are the vpn tunnels on the original interface or the BVI?

Cheers,
Rajesh

The tunnels are on int s0/0/0

So remove it from the BVI interface.

Cheers,
Rajesh

I see, I thought I had but I see I left "ip inspect myfw out" in there. Took that out.

Soon as I add "ip route 0.0.0.0 0.0.0.0 64.81.37.1" back in I can't reach the tunnels.

Here is the current config below....
Domain_2821_Ro#sh run
Building configuration...
 
Current configuration : 11283 bytes
!
! Last configuration change at 16:18:39 pst Mon Feb 4 2008 by XXX
! NVRAM config last updated at 16:18:42 pst Mon Feb 4 2008 by XXX
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password *******
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3438045733
 revocation-check none
 rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
 certificate self-signed 01
 
 
username XXXXX privilege 15 password 0 *****!
 
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 70.233.15.94
crypto isakmp key **** address 64.169.75.229
crypto isakmp key **** address 65.43.89.70
crypto isakmp key **** address 24.136.100.30
crypto isakmp key **** address 67.76.67.5
crypto isakmp key **** address 64.190.142.2
crypto isakmp key **** address 68.213.10.2
crypto isakmp key **** address 67.116.104.21
!
crypto isakmp client configuration group ALDvpngrp
 key ***!
 dns 192.168.10.5 192.168.1.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   description VPN client profile
   match identity group XXX
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
 description Tunnel to Dallas
 set peer 64.190.142.x
 set transform-set ESP-DES-MD5
 match address 103
crypto map testmap 4 ipsec-isakmp
 description Tunnel to Atlanta
 set peer 68.213.10.x
 set transform-set ESP-DES-MD5
 match address 104
crypto map testmap 5 ipsec-isakmp
 description Tunnel to Van Nuys
 set peer 67.116.104.x
 set transform-set ESP-DES-MD5
 match address 105
crypto map testmap 6 ipsec-isakmp
 description Tunnel to Las Vegas
 set peer 67.76.67.x
 set transform-set ESP-DES-MD5
 match address 106
crypto map testmap 7 ipsec-isakmp
 description Tunnel to New York
 set peer 24.136.100.x
 set transform-set ESP-DES-MD5
 match address 107
crypto map testmap 9 ipsec-isakmp
 description Tunnel to San Francisco
 set peer 64.169.75.x
 set transform-set ESP-DES-MD5
 match address 109
crypto map testmap 11 ipsec-isakmp
 description Tunnel to Chicago
 set peer 65.43.89.x
 set transform-set ESP-DES-MD5
 match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0
 mtu 1522
 bandwidth 1536
 ip address 64.81.86.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay map ip 64.81.86.1 16 IETF
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
 frame-relay qos-autosense
 crypto map testmap
 crypto ipsec df-bit clear
!
interface ATM0/1/0
 description Connection to WAN
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
interface Group-Async1
 physical-layer async
 description Network for ERP 
 no ip address
!
interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 0.0.0.0 0.0.0.0 64.81.37.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source static 192.168.10.30 64.81.x.x
ip nat inside source static 192.168.1.8 64.81.x.x
ip nat inside source static 192.168.1.90 64.81.x.x
ip nat inside source static 192.168.1.161 64.81.x.x
ip nat inside source static 192.168.1.12 64.81.x.x
ip nat inside source static 192.168.10.85 64.81.x.x
!
ip access-list extended inbound
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 64.81.x.x eq www
 permit icmp any host 64.81.x.x
 permit tcp any host 64.81.x.x eq 8080
 permit udp any eq domain any
 permit tcp any host 64.81.x.x eq 3389
 permit gre any any
 permit esp any any
 permit tcp any host 64.81.x.x eq 3389
 permit tcp any host 64.81.x.x eq 1494
 permit tcp any host 64.81.x.x eq ftp
 permit tcp any host 64.81.x.x eq 3389
 permit tcp any host 64.81.x.x eq 22
 permit tcp any host 64.81.x.x eq 3389
 permit tcp any host 64.81.x.x eq 22
 permit tcp any host 64.81.x.x eq 443
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for Dallas
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for ***
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for ***
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for Las Vegas
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for ***
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for San Francisco
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for ***
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 160 permit tcp 192.168.1.0 0.0.0.255 any eq www
snmp-server ifindex persist
!
route-map webtraffic permit 10
 match ip address 160
 set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key *****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


>>ip route 0.0.0.0 0.0.0.0 64.81.37.1

You don't need that route. All you need is, the regular traffic to go through the other link for which you have a default gateway defined and if the traffic is web then you want it to pass through 64.81.37.1 right?

So at this stage, everything looks good. Now you can put the route-map on the interface by using the command below; this would activate the redirection.

>>ip policy route-map webtraffic

Hope this helps.

Cheers,
Rajesh

Took out the "ip route 0.0.0.0 0.0.0.0 64.81.37.1"
and added "ip policy route-map webtraffic" to the BVI1 interface... looks like web traffic is still going out S0/0/0.

Would it have anything to do with this line? "ip nat inside source list 135 interface Serial0/0/0 overload"


interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map webtraffic


hmmm. yes I overlooked that. The traffic will go out but I would assume it is coming back to serial interface since that is what it is natted to.

You can change it to this;

ip nat inside source list 135 interface serial0/0/0 overload
ip nat inside source list 136 interface bvi1 overload

access-list 135 deny tcp <Internal Network> <Netmask> any eq 80
access-list 135 permit ip <Internal Network> <Netmask> any

access-list 136 permit tcp <Internal Network> <Netmask> any eq 80

See if this changes the routing.

Cheers,
Rajesh

Added "ip nat inside source list 136 interface BVI1 overload"
 and the access lists shown below... with "access-list 135 deny   tcp 192.168.0.0 0.0.255.255 any eq 80" entry we're not able to access the outside web at all. If I remove it, it goes back out Serial 0/0/0.

Is the route-map webtraffic supposed to point to the 136 access list?
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source list 136 interface BVI1 overload
 
access-list 135 deny   tcp 192.168.0.0 0.0.255.255 any eq 80
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any
access-list 136 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
 
!
route-map webtraffic permit 10
 match ip address 136
 set ip next-hop 64.81.37.1


Yes the route map should point to 136, but don't disturb the existing 135 acl except change it. So with the change, it isn't going to the net at all? You had the permit ip any any at the end of 135, right?

Cheers,
Rajesh

Rajesh, That last post has me confused... are you asking me to set up ACL 135 like this?

access-list 135 deny   tcp 192.168.0.0 0.0.255.255 any eq 80
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 192.168.0.0 0.0.255.255 any any

No, you can just add the 135 like this (the idea is to deny NATting to the serial interface if the traffic is web):

access-list 135 deny tcp any any eq 80
access-list 135 permit ip any any

and then the other ACL should pick up this traffic and NAT it to the BVI interface so that it can go out to the public internet.

Cheers,
Rajesh

Sorry Rajesh, it's still not working. I know the interface is working, so it shouldn't be anything there. Somehow the NAT isn't working.
XXXX_2821_Ro#sh int bvi1
BVI1 is up, line protocol is up
  Hardware is BVI, address is 0000.0X28.5fa0 (bia 0007.0X21.3308)
  Internet address is 64.81.37.x/24
  MTU 4470 bytes, BW 800 Kbit, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     35904 packets input, 32149649 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     27879 packets output, 3062794 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out


Hmm, it should be working and I don't know what it is that is missing. Gimme some time, I'm at work now. Will have to look at it a bit more closely and see if there is another way to do this.

Cheers,
Rajesh

Can you clear the access-list counters and then try to access the web? Then look at the counters for the ACLs => can you let me know if any traffic is hitting ACL 136?

Also post a fresh config with whatever is in there now?

Cheers,
Rajesh

Is this what you're looking for?

Domain_2821_Ro#sh access-list 135
Extended IP access list 135
    10 deny tcp any any eq www (3993 matches)
    20 deny ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255 (3993 matches)
    30 deny ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255 (127 matches)
    40 deny ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255 (9474 matches)
    50 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    60 permit ip any any (881 matches)
Domain_2821_Ro#sh access-list 136
Extended IP access list 136
    10 permit tcp 192.168.1.0 0.0.0.255 any eq www (43 matches)
domain_2821_Ro#sh run
Building configuration...
 
Current configuration : 11504 bytes
!
! Last configuration change at 11:21:49 pst Mon Feb 11 2008 by Cisc0admin
! NVRAM config last updated at 11:21:50 pst Mon Feb 11 2008 by Cisc0admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname domain_2821_Ro
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password ****
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name aldik.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
 no dspfarm
!
!
 
!
crypto pki trustpoint TP-self-signed-343804533
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-343804573
 revocation-check none
 rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-343804573
 certificate self-signed 01
 
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *** address 70.233.15.x
crypto isakmp key **** address 64.169.75.x
crypto isakmp key **** address 65.43.89.x
crypto isakmp key **** address 24.136.100.x
crypto isakmp key **** address 67.76.67.x
crypto isakmp key **** address 64.190.142.x
crypto isakmp key **** address 68.213.10.x
crypto isakmp key **** address 67.116.104.x
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group Axxxx
 key ******!
 dns 192.168.10.5 192.168.1.5
 domain xxxx.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   description VPN client profile
   match identity group Axxxx
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
 description Tunnel to xxx
 set peer 64.190.142.x
 set transform-set ESP-DES-MD5
 match address 103
crypto map testmap 4 ipsec-isakmp
 description Tunnel to xxx
 set peer 68.213.10.x
 set transform-set ESP-DES-MD5
 match address 104
crypto map testmap 5 ipsec-isakmp
 description Tunnel to xxx
 set peer 67.116.104.x
 set transform-set ESP-DES-MD5
 match address 105
crypto map testmap 6 ipsec-isakmp
 description Tunnel to xxx
 set peer 67.76.67.x
 set transform-set ESP-DES-MD5
 match address 106
crypto map testmap 7 ipsec-isakmp
 description Tunnel to xxx
 set peer 24.136.100.x
 set transform-set ESP-DES-MD5
 match address 107
crypto map testmap 9 ipsec-isakmp
 description Tunnel to xxx
 set peer 64.169.75.x
 set transform-set ESP-DES-MD5
 match address 109
crypto map testmap 11 ipsec-isakmp
 description Tunnel to xxx
 set peer 65.43.89.x
 set transform-set ESP-DES-MD5
 match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0
 mtu 1522
 bandwidth 1536
 ip address 64.81.86.xx 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay map ip 64.81.86.1 16 IETF
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
 frame-relay qos-autosense
 crypto map testmap
 crypto ipsec df-bit clear
!
interface ATM0/1/0
 description Connection to WAN
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
interface Group-Async1
 physical-layer async
 description Network for ERP
 no ip address
!
interface BVI1
 ip address 64.81.37.x 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map webtraffic
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.86.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.174 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source list 136 interface bvi1 overload
ip nat inside source static 192.168.1.8 64.81.94.xx
ip nat inside source static 192.168.1.90 64.81.94.xx
ip nat inside source static 192.168.1.161 64.81.94.xx
ip nat inside source static 192.168.1.12 64.81.94.xx
ip nat inside source static 192.168.10.85 64.81.94.xx
ip nat inside source static 192.168.10.30 64.81.94.xx
!
ip access-list extended inbound
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 64.81.94.xx eq www
 permit icmp any host 64.81.94.xx
 permit tcp any host 64.81.94.xx eq 8080
 permit udp any eq domain any
 permit tcp any host 64.81.94.xx eq 3389
 permit gre any any
 permit esp any any
 permit tcp any host 64.81.94.xx eq 3389
 permit tcp any host 64.81.94.xx eq 1494
 permit tcp any host 64.81.94.xx eq ftp
 permit tcp any host 64.81.94.xx eq 3389
 permit tcp any host 64.81.86.xx eq 22
 permit tcp any host 64.81.37.xx eq 3389
 permit tcp any host 64.81.37.xx eq 22
 permit tcp any host 64.81.94.xx eq 443
 permit tcp any host 64.81.94.xx eq smtp
 permit tcp any host 64.81.94.xx eq www
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for xxxx
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for xxxx
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for xxxx
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for xxxxx
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for xxxx
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN forxxx
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for Chicago
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny   tcp any any eq www
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip any any
access-list 136 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
snmp-server ifindex persist
!
route-map webtraffic permit 10
 match ip address 136
 set ip next-hop 64.81.37.1
!
!
!
radius-server host 192.168.1.7 auth-port 1645 acct-port 1646
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646
radius-server key ****!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
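
The NAT-list logic Rajesh describes above (deny web traffic in the list that NATs to Serial0/0/0, let the second list pick it up and NAT it to BVI1) can be checked offline against the ACLs in the posted running config. The following is an added Python example, not code from the thread, from Cisco or from the asker's router: it evaluates ACLs 135 and 136 with Cisco wildcard-mask semantics against a few constructed flows and reports which `ip nat inside source list` statement and which `route-map webtraffic` entry each flow would hit. The `Flow` class, the helper names and the public destination address 198.51.100.10 are assumptions made for illustration; the ACL text is copied from the config as posted.

```python
"""
Added example (not from the thread): evaluate the posted numbered ACLs
135 and 136 with Cisco wildcard-mask semantics and trace which
'ip nat inside source list ... overload' statement and which route-map
entry a LAN flow would match. Sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed flow description; "proto" is "tcp", "udp" or "icmp".
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

# Port keywords IOS prints in 'show access-list' output on this page.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line: str) -> Tuple[str, str, Tuple[str, str], Tuple[str, str], Optional[int]]:
    """Parse 'access-list N permit|deny proto SRC DST [eq PORT]'.
    SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    'remark' lines are not ACEs and must not be passed in."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto, rest = toks[2], toks[3], toks[4:]

    def take(r):
        if r[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), r[1:]
        if r[0] == "host":
            return (r[1], "0.0.0.0"), r[2:]
        return (r[0], r[1]), r[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def ace_matches(ace, flow: Flow) -> bool:
    """'ip' matches every protocol; tcp/udp entries may also pin a port."""
    _, proto, src, dst, port = ace
    if proto != "ip" and proto != flow.proto:
        return False
    if not (wildcard_match(flow.src, *src) and wildcard_match(flow.dst, *dst)):
        return False
    return port is None or port == flow.dport

def evaluate(acl: List[str], flow: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"

# ACL text exactly as it appears in the posted running config.
ACL_135 = [
    "access-list 135 deny   tcp any any eq www",
    "access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255",
    "access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255",
    "access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255",
    "access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
    "access-list 135 permit ip any any",
]
ACL_136 = ["access-list 136 permit tcp 192.168.1.0 0.0.0.255 any eq www"]

# 'ip nat inside source list ... overload' statements in config order.
NAT_LISTS = [(ACL_135, "Serial0/0/0"), (ACL_136, "BVI1")]

def nat_interface(flow: Flow) -> Optional[str]:
    """Outside interface whose address the flow is translated to, or None
    when no NAT list permits it (the flow is not translated at all)."""
    for acl, iface in NAT_LISTS:
        if evaluate(acl, flow) == "permit":
            return iface
    return None

def pbr_next_hop(flow: Flow) -> Optional[str]:
    """route-map webtraffic permit 10: match ip address 136, set ip next-hop."""
    return "64.81.37.1" if evaluate(ACL_136, flow) == "permit" else None

if __name__ == "__main__":
    # Constructed flows: web and non-web from two inside subnets, plus VPN traffic.
    for f in (Flow("192.168.1.50", "198.51.100.10", "tcp", 80),
              Flow("192.168.10.50", "198.51.100.10", "tcp", 80),
              Flow("192.168.10.50", "198.51.100.10", "tcp", 443),
              Flow("192.168.1.50", "10.11.4.5", "tcp", 445),
              Flow("192.168.1.50", "192.168.40.10", "icmp")):
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: "
              f"nat={nat_interface(f)} pbr_next_hop={pbr_next_hop(f)}")
```

Run as a script, the trace shows the asymmetry in the ACLs as posted: a web flow from 192.168.1.0/24 is denied by 135 and picked up by 136 (NAT to BVI1, next-hop 64.81.37.1), whereas a web flow from any other inside subnet in the config (192.168.2.0/24, 192.168.3.0/24, 192.168.10.0/24) is denied by 135 and not matched by 136, so it is translated by neither statement; non-web traffic from those subnets still goes to Serial0/0/0, and traffic to the VPN networks stays untranslated, as intended. The model covers ACL and route-map matching only, not where the route-map is attached: IOS applies `ip policy route-map` to packets entering the interface it is configured on, so the next-hop result above describes what the map would select for traffic arriving on such an interface.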

ASKER CERTIFIED SOLUTION
rsivanandan
That settles it!

Thanks for hanging in there with me Rajesh!

Much appreciated!
Glad it worked. It should work, period :-) I am a bit busy with our project now, so the head spin is too much and hence it took this long. I wasn't looking at the configs carefully.

Cheers,
Rajesh