SuperiorCabinets

asked on

Cisco Route Map 2 ISP's

I need to route 1 LAN to 2 different ISPs. One is ADSL and the other is a T1. I have static IPs from both ISPs. I need to have the VPN use 1 interface and all Internet traffic use the other. I also need the NAT and VPN to fail over in case of a communication failure. Basically I need to have 2 default gateways and, using route-maps, make sure that the traffic that comes in on one interface goes out the same interface.

This is what I have so far:

IP from ISP 1 = 1.1.1.1, Default Gateway = 1.1.1.2
IP from ISP 2 = 2.2.2.1, Default Gateway = 2.2.2.2

Here is the config that I have tried so far

ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2

access-list 150 permit ip host 1.1.1.1 any
access-list 151 permit ip host 2.2.2.1 any

route-map WAN permit 10
 match ip address 150
 set ip next-hop 1.1.1.2

route-map WAN permit 20
 match ip address 151
 set ip next-hop 2.2.2.2

ip local policy route-map WAN

I can see that there are matches for the access lists and route-maps, however my VPN will not work through the desired interface unless I add static routes for the VPN IP pool and the IP address of the ASA on the other end.

Have I missed something?

Quori

You would need to better classify your VPN clients, then place an ACL or QoS policy into a route-map and set the next hop.

Also, with your static routes, you should configure each with a metric depending on which you want as the primary or secondary route; otherwise traffic will end up being load balanced between the two.
SuperiorCabinets

ASKER

I need to use both connections at the same time....I don't think that's possible unless the routes have the same metric...
Well, if you're familiar with recursive route selection, the device just looks down the table until it sees the first adequate match for its destination. Presently you have two gateways of last resort configured, and therefore it's going to use the first available one, so you either need to add another route which sends traffic bound for 1.1.1.2 down one interface/route and 2.2.2.2 down another.

Or you could try changing your route maps to 'set interface' instead of a next-hop.
Will you be doing any kind of NAT on this?
Yes, I will be doing NAT. I am trying to have the VPN connections on ISP 2 and the NAT for Internet on ISP 1.....unless there is a failure, then I need both the NAT and VPN to use the connection that is still operational.
Could use object tracking to maintain a default route to whichever link is up, and route-maps to force VPN traffic down a specific interface.

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1051044
Here is an example of configuration that allows you to use both connections and NAT's appropriately based on which interface traffic is routed out of.

ip nat inside source route-map isp1 interface serial0/0 overload
ip nat inside source route-map isp2 interface dialer1 overload

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255

route-map isp1 permit 10
 match ip address 1
 match interface serial0/0

route-map isp2 permit 10
 match ip address 2
 match interface dialer1

ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 dialer1
That configuration would require the interface to go down before any form of redundancy kicked in - which is quite rare on a T1 line, which is why best practice is for the next hop to be an IP address instead of an interface.
Sorry, didn't read your objective clearly.

Make sure you have a route to the VPN peer out the interface you want VPN traffic to go out.  On the ASA end, make sure your peer address is the interface on the router the VPN traffic is routing out of.  Use the other "non-VPN" interface for the default route so all other traffic routes out this connection.  You can have a weighted/backup default route out the VPN interface, just make sure you have NAT setup appropriately (use my example above with the match interface command in the route-map).  In order for the VPN to failover to the other ISP, you would need to change the peer address or set a "backup peer" in the ASA crypto map.
So my config should look something like this?

ip nat inside source route-map isp1 interface serial0/0 overload
ip nat inside source route-map isp2 interface dialer1 overload

access-list 1 permit 10.10.10.0 0.0.0.255 (Internal LAN IP Range)???
access-list 2 permit 10.10.10.0 0.0.0.255 (Internal LAN IP Range)???
access-list 150 permit ip host 1.1.1.1 any
access-list 151 permit ip host 2.2.2.1 any

route-map isp1 permit 10
 match ip address 1
 match interface serial0/0

route-map isp2 permit 10
 match ip address 2
 match interface dialer1

route-map WAN permit 10
 match ip address 150
 set ip next-hop 1.1.1.2

route-map WAN permit 20
 match ip address 151
 set ip next-hop 2.2.2.2

ip local policy route-map WAN

ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 dialer1

Nope, scratch the example I posted.  I thought you were simply looking to load share or implement redundancy for your two Internet connections.

It should look something like the following:


access-list 1 permit 10.10.10.0 0.0.0.255 <--yes, use your internal LAN here
access-list 2 permit 10.10.10.0 0.0.0.255 <--yes, use your internal LAN here

ip nat inside source route-map isp1 interface serial0/0 overload
ip nat inside source route-map isp2 interface dialer1 overload

route-map isp1 permit 10
 match ip address 1
 match interface serial0/0

route-map isp2 permit 10
 match ip address 2
 match interface dialer1

ip route x.x.x.x 255.255.255.255 serial0/0   <--This is your VPN interface and x.x.x.x is the remote VPN peer

ip route 0.0.0.0 0.0.0.0 dialer1   <--Use this ISP for all Internet traffic (except VPN)
ip route 0.0.0.0 0.0.0.0 serial0/0 10  <--Use this ISP as backup for all Internet traffic

Make sure the remote VPN peer uses the serial0/0 IP Address (in this example) as the VPN peer.

VPN traffic will go in and out the serial0/0 interface and all other Internet traffic will go out the dialer1 interface.  If the dialer1 interface goes down, the serial0/0 interface will be used for all traffic (until the dialer1 interface is available again).

In order to provide VPN failover, you would need to have your remote VPN peer use the dialer1 interface IP address as a secondary/backup peer address.
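Added example (not from the thread): a small Python model of the route and NAT selection the configuration above produces, so the three cases the answer describes (both links up, dialer1 down, serial0/0 down) can be checked. It assumes the LAN is 10.10.10.0/24 as in the ACLs, the ISP interface addresses 1.1.1.1 and 2.2.2.1 from the question, and a constructed placeholder 198.51.100.10 for the remote VPN peer written as x.x.x.x above.

```python
import ipaddress

# Constructed addressing: the thread's x.x.x.x remote VPN peer becomes a placeholder.
VPN_PEER = "198.51.100.10"
LAN = ipaddress.ip_network("10.10.10.0/24")       # access-list 1 and access-list 2

# Static routes from the answer above: (prefix, egress interface, administrative distance).
STATIC_ROUTES = [
    (f"{VPN_PEER}/32", "serial0/0", 1),   # ip route x.x.x.x 255.255.255.255 serial0/0
    ("0.0.0.0/0", "dialer1", 1),          # ip route 0.0.0.0 0.0.0.0 dialer1
    ("0.0.0.0/0", "serial0/0", 10),       # ip route 0.0.0.0 0.0.0.0 serial0/0 10
]

# "ip nat inside source route-map <name> interface <if> overload": each route-map
# matches the LAN ACL plus the egress interface, so the NAT address follows the route.
NAT_BY_INTERFACE = {"serial0/0": ("isp1", "1.1.1.1"), "dialer1": ("isp2", "2.2.2.1")}


def egress_interface(dst, up_interfaces):
    """Pick the egress interface the way IOS does for these static routes:
    a route tied to a down interface is withdrawn, then the longest prefix
    wins, and among equal prefixes the lowest administrative distance wins."""
    dst = ipaddress.ip_address(dst)
    usable = [(ipaddress.ip_network(p), intf, ad) for p, intf, ad in STATIC_ROUTES
              if intf in up_interfaces and dst in ipaddress.ip_network(p)]
    if not usable:
        return None
    return max(usable, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def nat_decision(src, dst, up_interfaces):
    """Return (egress interface, route-map applied, translated source), or None
    when nothing routes the destination. Router-originated traffic (the VPN
    tunnel itself) is not 'inside source' traffic and leaves untranslated;
    LAN traffic is overloaded onto the address of the interface that was chosen."""
    intf = egress_interface(dst, up_interfaces)
    if intf is None:
        return None
    if ipaddress.ip_address(src) not in LAN:
        return (intf, None, src)
    rmap, translated = NAT_BY_INTERFACE[intf]
    return (intf, rmap, translated)
```

With only dialer1 up, the /32 route to the peer is withdrawn and the peer is reached via dialer1, which is exactly why the answer says the remote peer must also accept the dialer1 address for VPN failover.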
If you want the VPN traffic to go over one interface and all other traffic to go over the other interface just use two static routes.

ip route (what ever the local IP subnet of the VPN IP traffic is) interface DSL
ip route 0.0.0.0 0.0.0.0 interface T1
GOT THE SAME PROBLEM.
All the traffic goes through the "gateway of last resort", and if you have an external IP mapped to the interface on the other WAN, it doesn't work. How can we pass traffic for an interface that is not the gateway of last resort?
ASKER CERTIFIED SOLUTION
SuperiorCabinets
Please let me know what solution you have, please.
I'm not sure what Cisco did to fix the issue, they connected to the router remotely and made the changes
SuperiorCabinets,
Can you please paste your running-config into this thread? I am having similar problems with one of my sites that is very similar to yours. Please remember to take out any passwords or sensitive info from your config (*asterisk* out all passwords). Please help the rest of the community.
Hi SuperiorCabinets,

I am having the same problem, can you show me your running config please.

Thanks
I got it working a while ago, please post your config and I can tell you what is missing.

thanks
Hello supercato,

I would like to use dialer 1 for the Internet connection (default route) and the serial just for the VPN traffic.
This is my current configuration.

Thanks


access-list 1 permit 192.168.1.1 0.0.0.255 <--yes, use your internal LAN here
access-list 2 permit 192.168.1.1 0.0.0.255 <--yes, use your internal LAN here

ip nat inside source route-map isp1 interface serial0/0 overload
ip nat inside source route-map isp2 interface dialer1 overload

route-map isp1 permit 10
 match ip address 1
 match interface serial0/0

route-map isp2 permit 10
 match ip address 2
 match interface dialer1


ip route 0.0.0.0 0.0.0.0 dialer1
ip route 0.0.0.0 0.0.0.0 serial0/0 10