Need Configuration Assistance - Can't Seem to Get the VPN Working
I have a Hub Router that is configured to be the primary DMVPN that talks to other spoke routers. I was able to get the tunnel working from the Hub to the Spoke and vice versa. The fix was adding a static route to point to the tunnel interface. Would it be possible to make configuration changes on the primary DMVPN router only instead of making changes to all of my spoke routers? Also, from the spoke routers if I change the static route to point to the tunnel interface would they be able to communicate to access the internet as well?
2821 Router (Primary DMVPN)
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2821
!
boot-start-marker
boot system flash flash:c2800nm-advipservice
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging buffered 51200 warnings
no logging console
enable secret 5 $1$TFNT$LIV7qzTmwky9.GeFjf
!
aaa new-model
!
!
aaa authentication login VTY local
aaa authentication login CON local
aaa authentication login REMOTE local
aaa authorization network VPNCLIENT local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip dhcp database url timeout 60
!
!
no ip bootp server
no ip domain lookup
ip domain name CCBQ.org
ip name-server 4.2.2.1
ip ssh time-out 60
ip inspect name INET tcp alert off audit-trail on
ip inspect name INET udp alert off audit-trail on
ip inspect name INET icmp alert off audit-trail on
ip urlfilter exclusive-domain deny www.myspace.com
ip urlfilter audit-trail
ip urlfilter server vendor n2h2 www.myspace.com outside
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2748599135
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2748599135
!
!
crypto pki certificate chain TP-self-signed-2748599135
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373438 35393931 3335301E 170D3037 30333331 31363430
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37343835
39393133 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C7F6 60544E09 D756045B 0219ED6B 1DA5EF7C 61370654 E45B5944 94C512A0
E867305A 4D8DF460 C6A25B9E 629739D9 18A96E37 107D0DA5 85E99000 446A87DD
7C6302B0 042A6684 447C69FD 5955D525 F883A063 60373435 2FAD22B4 546E23EE
203757B2 57B409E7 5C272B93 93B4D64E 328B84DD 82363243 0552D646 CB4F3886
A8FD0203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12434342 515F3238 32312E43 4342512E 6F726730 1F060355
1D230418 30168014 00FF5A04 25652982 46A3B455 9599E646 39BDD6DC 301D0603
551D0E04 16041400 FF5A0425 65298246 A3B45595 99E64639 BDD6DC30 0D06092A
864886F7 0D010104 05000381 8100155C 4477F774 B7BA63F1 0D8A21A1 0C102212
183D664D C3950C5D 0943A1BF 1C7C3919 5AF64F79 C8269247 C1F8B44D BCBB73EC
C3415CB6 8614F81D 4D78A29D D1D5601B 1673930C 739F4858 8AE27AC1 4E1F8DC5
297C7568 67622F5B D5895A02 F7D1FD23 388DAE55 8A02FB7B 541A0530 613FEBD3
2CC600E8 9C15DFFC A4BA12B7 6A6F
quit
username XXXX privilege 15 secret 5 $1$eIfj$wd6o7fYXVrG/vtQFGi
!
crypto keyring XXXXXX
pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXXX
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group XXXXX
key XXXXXX
dns 192.168.1.2
domain ccbq.org
pool REMOTE
crypto isakmp profile DMVPN
keyring XXXXXXX
match identity address 0.0.0.0
crypto isakmp profile ccbq-vpn-client
match identity group ccbq-vpn
client authentication list REMOTE
isakmp authorization list VPNCLIENT
client configuration address respond
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
set transform-set ccbq-set
set isakmp-profile DMVPN
!
!
crypto dynamic-map ccbq-dyn 10
set transform-set ccbq-set
set isakmp-profile ccbq-vpn-client
!
!
crypto map ccbq-map 10 ipsec-isakmp dynamic ccbq-dyn
!
!
!
!
interface Loopback128
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
interface Tunnel255
description Connection to Primary DMVPN
bandwidth 4632
ip address 192.168.255.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip mtu 1416
ip nbar protocol-discovery
ip nat inside
ip nhrp authentication ccbqn#rp
ip nhrp map multicast dynamic
ip nhrp network-id 255
ip nhrp holdtime 300
ip virtual-reassembly
ip route-cache flow
no ip split-horizon eigrp 255
tunnel source Multilink1
tunnel mode gre multipoint
tunnel key 255
tunnel protection ipsec profile ccbq-profile
hold-queue 1024 in
!
interface Null0
no ip unreachables
!
interface Multilink1
description WAN Connection$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip mroute-cache
no cdp enable
ppp multilink
ppp multilink group 1
crypto map ccbq-map
!
interface GigabitEthernet0/0
description connected to CCBQ Internal LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.19 255.255.254.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1350
ip policy route-map clear-df
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description connect to CCBQ Interal LAN$FW_ETH0/2$
ip address 192.168.192.1 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
ip policy route-map clear-df
shutdown
duplex full
speed 100
no cdp enable
no mop enabled
!
interface Serial0/0/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/2/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/3/0
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
shutdown
no fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
router eigrp 255
redistribute static
passive-interface GigabitEthernet0/0
network 172.168.0.0
network 192.168.1.0
network 192.168.0.0 0.0.1.255
network 192.168.255.0
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip local pool REMOTE 192.168.252.1 192.168.252.254
ip forward-protocol udp 5120
ip route 0.0.0.0 0.0.0.0 64.115.135.169
ip route 66.200.154.167 255.255.255.255 64.115.135.169
ip route 67.100.227.128 255.255.255.255 64.115.135.169
ip route 192.168.0.16 255.255.255.255 GigabitEthernet0/0
!
ip flow-capture packet-length
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
top 10
sort-by packets
!
no ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NAT interface Multilink1 overload
!
ip access-list extended TELNET
permit tcp any any eq telnet
!
logging trap debugging
logging 192.168.1.13
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 63.117.181.64 0.0.0.63
access-list 2 permit 0.0.0.0
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.1.255
access-list 3 deny any
access-list 100 permit tcp any any eq telnet
access-list 100 deny ip 64.69.124.128 0.0.0.15 any
access-list 100 deny ip 64.69.124.144 0.0.0.15 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit icmp any any
access-list 100 permit tcp any host 64.69.124.129 established
access-list 100 permit tcp any host 64.69.124.130 established
access-list 100 permit esp any any
access-list 100 permit gre any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit tcp any host 64.69.124.129 eq 22
access-list 100 permit tcp any host 64.69.124.130 eq 22
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit udp host 128.118.46.3 host 64.69.124.129 eq ntp
access-list 100 permit tcp any any eq 5120
access-list 100 deny tcp any eq www host 64.69.124.129
access-list 100 deny ip any any
access-list 101 deny ip host 192.168.1.255 any
access-list 101 deny ip host 192.168.20.255 any
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip host 192.168.1.91 any
access-list 101 permit ip host 192.168.1.177 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 172.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq 25000
access-list 102 permit tcp any eq 25000 any
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any host 64.115.135.170 eq smtp log
access-list 102 permit tcp host 192.168.1.3 host 192.168.0.8 eq smtp
access-list 102 permit tcp host 192.168.0.8 host 192.168.1.3 eq smtp
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.1.255 any
access-list 103 deny ip any any
access-list 199 permit tcp any host 192.168.1.3 eq smtp
snmp-server community <removed> RO
snmp-server community ccbq_ro RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server host 192.168.1.6 <removed>
snmp-server host 192.168.1.6 ccbq_ro
no cdp run
!
route-map static2eigrp permit 10
match ip address 1 2
!
route-map clear-df permit 10
match ip address 102
set ip df 0
!
route-map NAT permit 10
match ip address 101
!
route-map VPNINET permit 10
match ip address 102
set ip next-hop 192.168.1.5
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication CON
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 60 0
privilege level 15
login authentication VTY
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authentication-key 100 md5 12181103130807 7
ntp trusted-key 100
ntp clock-period 17180173
ntp source GigabitEthernet0/0
ntp master 6
ntp server 192.168.1.6
ntp server 128.118.46.3
!
end
2821#
Spoke Router
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 32565 warnings
no logging console
enable secret XXXXXXXX
!
username XXXX privilege 15 secret XXXXXXXX
clock timezone EST -5
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.130.1 192.168.130.120
!
ip dhcp pool XXXXXX
network 192.168.130.0 255.255.255.0
dns-server 192.168.1.2 4.2.2.1
default-router 192.168.130.1
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXX
ip name-server 64.105.124.254
ip name-server 4.2.2.1
ip inspect name INET udp
ip inspect name INET tcp
ip inspect name INET icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key XXXXXX address 64.115.135.170 no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
set transform-set ccbq-set
!
!
!
!
interface Tunnel255
description Connection to Primary DMVPN
bandwidth 1536
ip address 192.168.255.130 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication XXXXXXX
ip nhrp map multicast XXXXXX
ip nhrp map 192.168.255.1 XXXXXXXXX
ip nhrp network-id 255
ip nhrp holdtime 300
ip nhrp nhs 192.168.255.1
ip virtual-reassembly
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 255
tunnel protection ipsec profile ccbq-profile
hold-queue 1024 in
!
interface Ethernet0
description connected site LAN
ip dhcp client lease 2 0 0
ip address 192.168.130.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description Internet Interface
ip address XXXXXXX 255.255.255.248
ip access-group 100 in
ip nat outside
ip inspect INET out
ip virtual-reassembly
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router eigrp 255
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.61.161.57 200
ip route 192.168.0.0 255.255.0.0 tunn255
!
ip http server
no ip http secure-server
!
ip nat inside source route-map NAT interface Ethernet1 overload
!
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 100 deny ip any any
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 66.200.154.160 0.0.0.15
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.200 0.0.0.4
access-list 102 permit ip 192.168.0.0 0.0.255.255 64.69.124.128 0.0.0.31
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.168 0.0.0.4
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
snmp-server community ccbq_ro RO
!
route-map NAT permit 10
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179897
ntp server 128.118.46.3
end
831#
2821 Router (Primary DMVPN)
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2821
!
boot-start-marker
boot system flash flash:c2800nm-advipservice
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging buffered 51200 warnings
no logging console
enable secret 5 $1$TFNT$LIV7qzTmwky9.GeFjf
!
aaa new-model
!
!
aaa authentication login VTY local
aaa authentication login CON local
aaa authentication login REMOTE local
aaa authorization network VPNCLIENT local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip dhcp database url timeout 60
!
!
no ip bootp server
no ip domain lookup
ip domain name CCBQ.org
ip name-server 4.2.2.1
ip ssh time-out 60
ip inspect name INET tcp alert off audit-trail on
ip inspect name INET udp alert off audit-trail on
ip inspect name INET icmp alert off audit-trail on
ip urlfilter exclusive-domain deny www.myspace.com
ip urlfilter audit-trail
ip urlfilter server vendor n2h2 www.myspace.com outside
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2748599135
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2748599135
!
!
crypto pki certificate chain TP-self-signed-2748599135
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373438 35393931 3335301E 170D3037 30333331 31363430
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37343835
39393133 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C7F6 60544E09 D756045B 0219ED6B 1DA5EF7C 61370654 E45B5944 94C512A0
E867305A 4D8DF460 C6A25B9E 629739D9 18A96E37 107D0DA5 85E99000 446A87DD
7C6302B0 042A6684 447C69FD 5955D525 F883A063 60373435 2FAD22B4 546E23EE
203757B2 57B409E7 5C272B93 93B4D64E 328B84DD 82363243 0552D646 CB4F3886
A8FD0203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12434342 515F3238 32312E43 4342512E 6F726730 1F060355
1D230418 30168014 00FF5A04 25652982 46A3B455 9599E646 39BDD6DC 301D0603
551D0E04 16041400 FF5A0425 65298246 A3B45595 99E64639 BDD6DC30 0D06092A
864886F7 0D010104 05000381 8100155C 4477F774 B7BA63F1 0D8A21A1 0C102212
183D664D C3950C5D 0943A1BF 1C7C3919 5AF64F79 C8269247 C1F8B44D BCBB73EC
C3415CB6 8614F81D 4D78A29D D1D5601B 1673930C 739F4858 8AE27AC1 4E1F8DC5
297C7568 67622F5B D5895A02 F7D1FD23 388DAE55 8A02FB7B 541A0530 613FEBD3
2CC600E8 9C15DFFC A4BA12B7 6A6F
quit
username XXXX privilege 15 secret 5 $1$eIfj$wd6o7fYXVrG/vtQFGi
!
crypto keyring XXXXXX
pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXXX
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group XXXXX
key XXXXXX
dns 192.168.1.2
domain ccbq.org
pool REMOTE
crypto isakmp profile DMVPN
keyring XXXXXXX
match identity address 0.0.0.0
crypto isakmp profile ccbq-vpn-client
match identity group ccbq-vpn
client authentication list REMOTE
isakmp authorization list VPNCLIENT
client configuration address respond
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
set transform-set ccbq-set
set isakmp-profile DMVPN
!
!
crypto dynamic-map ccbq-dyn 10
set transform-set ccbq-set
set isakmp-profile ccbq-vpn-client
!
!
crypto map ccbq-map 10 ipsec-isakmp dynamic ccbq-dyn
!
!
!
!
interface Loopback128
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
interface Tunnel255
description Connection to Primary DMVPN
bandwidth 4632
ip address 192.168.255.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip mtu 1416
ip nbar protocol-discovery
ip nat inside
ip nhrp authentication ccbqn#rp
ip nhrp map multicast dynamic
ip nhrp network-id 255
ip nhrp holdtime 300
ip virtual-reassembly
ip route-cache flow
no ip split-horizon eigrp 255
tunnel source Multilink1
tunnel mode gre multipoint
tunnel key 255
tunnel protection ipsec profile ccbq-profile
hold-queue 1024 in
!
interface Null0
no ip unreachables
!
interface Multilink1
description WAN Connection$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip mroute-cache
no cdp enable
ppp multilink
ppp multilink group 1
crypto map ccbq-map
!
interface GigabitEthernet0/0
description connected to CCBQ Internal LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.19 255.255.254.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1350
ip policy route-map clear-df
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description connect to CCBQ Interal LAN$FW_ETH0/2$
ip address 192.168.192.1 255.255.254.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
ip policy route-map clear-df
shutdown
duplex full
speed 100
no cdp enable
no mop enabled
!
interface Serial0/0/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/2/0
bandwidth 4632
no ip address
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/3/0
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
shutdown
no fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
router eigrp 255
redistribute static
passive-interface GigabitEthernet0/0
network 172.168.0.0
network 192.168.1.0
network 192.168.0.0 0.0.1.255
network 192.168.255.0
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip local pool REMOTE 192.168.252.1 192.168.252.254
ip forward-protocol udp 5120
ip route 0.0.0.0 0.0.0.0 64.115.135.169
ip route 66.200.154.167 255.255.255.255 64.115.135.169
ip route 67.100.227.128 255.255.255.255 64.115.135.169
ip route 192.168.0.16 255.255.255.255 GigabitEthernet0/0
!
ip flow-capture packet-length
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
top 10
sort-by packets
!
no ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NAT interface Multilink1 overload
!
ip access-list extended TELNET
permit tcp any any eq telnet
!
logging trap debugging
logging 192.168.1.13
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 63.117.181.64 0.0.0.63
access-list 2 permit 0.0.0.0
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.1.255
access-list 3 deny any
access-list 100 permit tcp any any eq telnet
access-list 100 deny ip 64.69.124.128 0.0.0.15 any
access-list 100 deny ip 64.69.124.144 0.0.0.15 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit icmp any any
access-list 100 permit tcp any host 64.69.124.129 established
access-list 100 permit tcp any host 64.69.124.130 established
access-list 100 permit esp any any
access-list 100 permit gre any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq non500-isakmp
access-list 100 permit tcp any host 64.69.124.129 eq 22
access-list 100 permit tcp any host 64.69.124.130 eq 22
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit udp host 128.118.46.3 host 64.69.124.129 eq ntp
access-list 100 permit tcp any any eq 5120
access-list 100 deny tcp any eq www host 64.69.124.129
access-list 100 deny ip any any
access-list 101 deny ip host 192.168.1.255 any
access-list 101 deny ip host 192.168.20.255 any
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip host 192.168.1.91 any
access-list 101 permit ip host 192.168.1.177 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 172.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq 25000
access-list 102 permit tcp any eq 25000 any
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any host 64.115.135.170 eq smtp log
access-list 102 permit tcp host 192.168.1.3 host 192.168.0.8 eq smtp
access-list 102 permit tcp host 192.168.0.8 host 192.168.1.3 eq smtp
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.1.255 any
access-list 103 deny ip any any
access-list 199 permit tcp any host 192.168.1.3 eq smtp
snmp-server community <removed> RO
snmp-server community ccbq_ro RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps voice fallback
snmp-server enable traps dnis
snmp-server host 192.168.1.6 <removed>
snmp-server host 192.168.1.6 ccbq_ro
no cdp run
!
route-map static2eigrp permit 10
match ip address 1 2
!
route-map clear-df permit 10
match ip address 102
set ip df 0
!
route-map NAT permit 10
match ip address 101
!
route-map VPNINET permit 10
match ip address 102
set ip next-hop 192.168.1.5
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login authentication CON
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 60 0
privilege level 15
login authentication VTY
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authentication-key 100 md5 12181103130807 7
ntp trusted-key 100
ntp clock-period 17180173
ntp source GigabitEthernet0/0
ntp master 6
ntp server 192.168.1.6
ntp server 128.118.46.3
!
end
2821#
Spoke Router
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 32565 warnings
no logging console
enable secret XXXXXXXX
!
username XXXX privilege 15 secret XXXXXXXX
clock timezone EST -5
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.130.1 192.168.130.120
!
ip dhcp pool XXXXXX
network 192.168.130.0 255.255.255.0
dns-server 192.168.1.2 4.2.2.1
default-router 192.168.130.1
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXX
ip name-server 64.105.124.254
ip name-server 4.2.2.1
ip inspect name INET udp
ip inspect name INET tcp
ip inspect name INET icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key XXXXXX address 64.115.135.170 no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ccbq-set esp-3des esp-sha-hmac
!
crypto ipsec profile ccbq-profile
set transform-set ccbq-set
!
!
!
!
interface Tunnel255
description Connection to Primary DMVPN
bandwidth 1536
ip address 192.168.255.130 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication XXXXXXX
ip nhrp map multicast XXXXXX
ip nhrp map 192.168.255.1 XXXXXXXXX
ip nhrp network-id 255
ip nhrp holdtime 300
ip nhrp nhs 192.168.255.1
ip virtual-reassembly
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel key 255
tunnel protection ipsec profile ccbq-profile
hold-queue 1024 in
!
interface Ethernet0
description connected site LAN
ip dhcp client lease 2 0 0
ip address 192.168.130.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description Internet Interface
ip address XXXXXXX 255.255.255.248
ip access-group 100 in
ip nat outside
ip inspect INET out
ip virtual-reassembly
duplex auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
router eigrp 255
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.61.161.57 200
ip route 192.168.0.0 255.255.0.0 tunn255
!
ip http server
no ip http secure-server
!
ip nat inside source route-map NAT interface Ethernet1 overload
!
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq ntp
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 permit tcp any any established
access-list 100 permit gre any any
access-list 100 permit esp any any
access-list 100 permit udp any eq isakmp any eq isakmp
access-list 100 permit tcp any any eq 22
access-list 100 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 100 deny ip any any
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 66.200.154.160 0.0.0.15
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.200 0.0.0.4
access-list 102 permit ip 192.168.0.0 0.0.255.255 64.69.124.128 0.0.0.31
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.255.255 208.228.154.168 0.0.0.4
access-list 102 permit udp any eq 5120 any
access-list 102 permit udp any any eq 5120
access-list 102 permit tcp any any eq 5120
access-list 102 permit tcp any eq 5120 any
access-list 102 permit udp any eq 7766 any
access-list 102 permit udp any any eq 7766
access-list 102 permit tcp any any eq 7766
access-list 102 permit tcp any eq 7766 any
access-list 102 permit udp any eq 4750 any
access-list 102 permit udp any any eq 4750
access-list 102 permit tcp any any eq 4750
access-list 102 permit tcp any eq 4750 any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
snmp-server community ccbq_ro RO
!
route-map NAT permit 10
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179897
ntp server 128.118.46.3
end
831#
ASKER
I know if the EIGRP neighbors are established I don't have to add the static route, however I'm still not able to get the Spoke router to communicate to communicate with my inside LAN throught the Hub router. I was told I don't need to add a static route. Still curious why it doesn't work.
It looks like you need to add
access-list 101 deny 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
to your hub router it looks like traffic is being NATed that should be pushed down the tunnel. You have that entry on your spoke so it probably works
access-list 101 deny 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
to your hub router it looks like traffic is being NATed that should be pushed down the tunnel. You have that entry on your spoke so it probably works
nevermind saw this
access-list 101 deny ip any 192.168.0.0 0.0.255.255
I was staring at the screen so long I guess I went a little cross eyed
access-list 101 deny ip any 192.168.0.0 0.0.255.255
I was staring at the screen so long I guess I went a little cross eyed
You have an access list 102 on your internal interface do a "debug ip packet 102" and then try and see if the access-list is denying return traffic
nevermind it is an inside rule that has a permit ip 192.168.0.0 0.0.255.255 any which should allow all traffic going out.
You say your tunnel is coming up from router to router but LAN to LAN you have a problem?
You say your tunnel is coming up from router to router but LAN to LAN you have a problem?
ASKER
I found the issue, I have a ASA5510 that is behind the 2821 router which filters all internet and VPN traffic. I had to added and modify the following:
router eigrp 255
redistribute ospf 100 metric 1000 100 255 1 1500
passive-interface GigabitEthernet0/1
network 192.168.1.0
network 192.168.0.0 0.0.1.255
network 192.168.255.0
network 192.168.0.0 0.0.255.255
no auto-summary
router ospf 100
log-adjacency-changes
network 192.168.192.0 0.0.0.255 area 0
This resolves 95% of the problem. The other 10% now my email server is seems slow. For some reason I can't ping from the spoke router to my email server which is behind ASA5510.
router eigrp 255
redistribute ospf 100 metric 1000 100 255 1 1500
passive-interface GigabitEthernet0/1
network 192.168.1.0
network 192.168.0.0 0.0.1.255
network 192.168.255.0
network 192.168.0.0 0.0.255.255
no auto-summary
router ospf 100
log-adjacency-changes
network 192.168.192.0 0.0.0.255 area 0
This resolves 95% of the problem. The other 10% now my email server is seems slow. For some reason I can't ping from the spoke router to my email server which is behind ASA5510.
ASKER
However, the other 5% (typo) maybe minor issues. I'm able to ping 192.168.1.3 from the spoke's LAN to ASA5510 LAN but not able to ping from the spoke router to 192.168.1.3. Any ideas?
You have specify an interface it is probably using the internet interface of the router try
ping 192.168.1.3 /source Ethernet0
ping 192.168.1.3 /source Ethernet0
ASKER
Thanks that worked, I am able to ping from my spoke sites to 192.168.1.3.
I had to change routing table on the PCs and Servers on my LAN to talk to the spoke sites.
After the implemenation, I now have all my LAN devices access ISP1 for internet and ISP2 for VPN. This is still a problem for me because before the implementation I was sharing 2 gateways to access the internet (connections to ISP1 and ISP2), now I'm only able to connect to ISP1 for internet. With the new setup I'm not able to change the modify gateways because all of the devices have a 192.168.1.5 as their gateway. I know I can't load balance on the ASA. Any suggestions please advise.
Slide2.JPG
I had to change routing table on the PCs and Servers on my LAN to talk to the spoke sites.
After the implemenation, I now have all my LAN devices access ISP1 for internet and ISP2 for VPN. This is still a problem for me because before the implementation I was sharing 2 gateways to access the internet (connections to ISP1 and ISP2), now I'm only able to connect to ISP1 for internet. With the new setup I'm not able to change the modify gateways because all of the devices have a 192.168.1.5 as their gateway. I know I can't load balance on the ASA. Any suggestions please advise.
Slide2.JPG
What kind of ISPs do you have and what interfaces are they handing you (Ethernet or T1)? What did you have to change for the vpn to work? How were you load balancing before?
ASKER
ISP1 is connected to ASA interface fa0/0 which is connected to a T1 connection. ISP2 is connected on the 2821 Router Serial 0/0/0, 0/1/0, 0/2/0 which is multilinked (3) T1.
Before doing the migration, 2821 router was directly connected to my LAN switch and the ASA was also connected to the same LAN switch. They both have their own gateways, thus I was able to physically have PCs and Servers use both gateways which was on a 192.168.0.0 /23.
After the migration, all the devices are behind the ASA and I'm not able to have same network segment on more than 1 interface on the ASA which bring me back to the drawing board. I really need to use some of the ISP2 bandwidth because it's choking the ISP1 connection. Please advise.
Before doing the migration, 2821 router was directly connected to my LAN switch and the ASA was also connected to the same LAN switch. They both have their own gateways, thus I was able to physically have PCs and Servers use both gateways which was on a 192.168.0.0 /23.
After the migration, all the devices are behind the ASA and I'm not able to have same network segment on more than 1 interface on the ASA which bring me back to the drawing board. I really need to use some of the ISP2 bandwidth because it's choking the ISP1 connection. Please advise.
ASKER
Here is the Original Network Topology.
Slide1.jpg
Slide1.jpg
Can you attach ISP1 to the 2821? It should have a spare FastEthernet port. I would then policy route on the 2821. That way you still get the protection of your ASA but it sends all traffic to the router and lets the router decide. In that kind of setup you may want to run the ASA in transparent mode instead of routed.
Here is an example of policy routing
http://www.cisco.com/en/US
Here is an example of policy routing
http://www.cisco.com/en/US
ASKER
Unfortunately, I can't set the ASA as transparent mode because it's natting our servers. Is there a way to redirect traffic to the 2821. If I can redirect VPN traffic to ISP2, then why can't I do the same for internet traffic.
Is it possible to forward internet traffic on VPN_TRAFFIC?
Is it possible to forward internet traffic on VPN_TRAFFIC?
CCBQ-FW(config)# int ethernet 0/2
CCBQ-FW(config-if)# ip address 192.168.192.2 255.255.254.0
CCBQ-FW(config-if)# nameif VPN_TRAFFIC
CCBQ-FW(config-if)# security-level 50
CCBQ-FW(config-if)# no shut
access-list nonat permit ip 192.168.0.0 255.255.0.0
nat (inside) 0 access-l nonat
route VPN_Traffic 192.168.0.0 255.255.0.0 192.168.192.1
same-security-traffic permit inter-interface
CCBQ2821#config t
CCBQ2821(config)#int gi0/0
CCBQ2821(config-if)#ip address 192.168.192.1 255.255.254.0
CCBQ2821(config-if)#exit
CCBQ2821(config)#ip route 192.168.0.0 255.255.254.0 192.168.192.2
I'm not sure what IOS load you have on your router but if you can do a VPN you can do NAT on the 2821 as well
ASKER
Is there a way to perform NAT on the ASA to that will route 192.168.0.0 /23 to 192.168.192.1 (2821 Router). The ASA has a persistant route statement that points all traffic to 69.38.228.97 which is the outside interface of the ASA.
route outside 0.0.0.0 0.0.0.0 69.38.228.97 1
would it be possible to add another route statement:
route outside 192.168.0.0 0.0.255.255 64.115.1135.170 1
I was told this wasn't possible. Is there any other way of performing this?
route outside 0.0.0.0 0.0.0.0 69.38.228.97 1
would it be possible to add another route statement:
route outside 192.168.0.0 0.0.255.255 64.115.1135.170 1
I was told this wasn't possible. Is there any other way of performing this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I had to to perform following to resolve the issue:
1. Router is in front of the ASA.
2. Configure OSPF on the router and ASA.
3. redistribution EIGRP to OSPF on the router and configure OSPF.
1. Router is in front of the ASA.
2. Configure OSPF on the router and ASA.
3. redistribution EIGRP to OSPF on the router and configure OSPF.
ASKER