SamoletMaj asked:
Two active ISPs, one for WWW, one for IPsec VPN (Cisco 1811)

Gents, I have a situation.

Let's say I have one LAN and two ISPs connected to a Cisco 1811 router, one on fe0 and the other on fe1.

What I am trying to accomplish is to have all of the LAN traffic NATed out of fe0, but when sitting on the outside I want users to VPN through fe1 and NOT fe0.

Is this even possible?

I have done some dual-ISP setups in the past with SLA tracking, but I have never needed to have both ISPs active at the same time.

I tried a bunch of things today to no avail.

In short:

LAN WWW TRAFFIC > FE0  ISP 1
                  FE1  ISP 2 < VPN FROM OUTSIDE
BBRazz replied:

Hi,

Your normal NAT rules will handle the internet access, and as long as you have an equal-cost default route for both of the providers, the VPN should function.

If it's VPN passthrough, then a one-to-one NAT statement could be used to pass traffic from the 2nd connection direct to your VPN server.

If it's a static L2L, then you can add a route specifying the remote IP to go via the default gateway on the 2nd line to ensure the tunnel is built over that link.
SamoletMaj (asker) replied:
I will try this today...

By "Your normal NAT rules will handle the internet access, and as long as you have an equal-cost default route for both the providers the VPN should function"

do you mean:

ip route 0.0.0.0 0.0.0.0 Isp1 1
ip route 0.0.0.0 0.0.0.0 Isp2 1

?

That is correct, yes.

OK, I tried it and nothing yet...
Here is the config, take a look:

Building configuration...

Current configuration : 5574 bytes
!
! Last configuration change at 19:22:00 UTC Fri Nov 16 2012 by ssaber
! NVRAM config last updated at 22:43:41 UTC Thu Nov 15 2012 by ssaber
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c-router001
!
boot-start-marker
warm-reboot
boot-end-marker
!
logging buffered 51200 warnings

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnAuthList local
aaa authorization network vpnGroupAuthList local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.30.1 172.16.30.200
!
ip dhcp pool pool
   import all
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.2
   dns-server 172.16.30.2 10.150.83.x 10.150.83.x
   lease 10 23 59
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VpnGroup
 key ********
 dns 172.16.30.2 8.8.8.8
 pool vpnpool
 acl 150
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DynMap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map CryptoMap client authentication list vpnAuthList
crypto map CryptoMap isakmp authorization list vpnGroupAuthList
crypto map CryptoMap client configuration address respond
crypto map CryptoMap 65535 ipsec-isakmp dynamic DynMap
!
!
interface FastEthernet0
 ip address x.x.x.x 255.255.255.248 (public)
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CryptoMap
!
interface FastEthernet1
 ip address dhcp
 ip access-group 100 in
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CryptoMap
!
interface Vlan1
 description DefaultVlan
 no ip address
 ip tcp adjust-mss 1452
!

interface Vlan30
 description Net3
 ip address 172.16.30.2 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat inside
 ip virtual-reassembly
!

interface Async1
 no ip address
 encapsulation slip
!
ip local pool vpnpool 172.16.50.180 172.16.50.199
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 x.x.x.x (public)
ip route 10.150.83.0 255.255.255.0 FastEthernet1
ip route 10.150.84.0 255.255.255.0 FastEthernet1
ip route 10.150.86.0 255.255.255.0 FastEthernet1
!
ip nat inside source route-map nonat interface FastEthernet1 overload
ip nat inside source route-map nonat2 interface FastEthernet0 overload
!
access-list 100 permit ip any any

access-list 198 deny   ip 172.16.30.0 0.0.0.255 172.16.50.0 0.0.0.255
access-list 198 permit ip 172.16.30.0 0.0.0.255 x.x.x.x (public)  0.0.0.7
access-list 198 deny   ip 172.16.30.0 0.0.0.255 any

access-list 199 permit ip 172.16.30.0 0.0.0.255 10.150.83.0 0.0.0.255
access-list 199 permit ip 172.16.30.0 0.0.0.255 10.150.86.0 0.0.0.255
access-list 199 permit ip 172.16.30.0 0.0.0.255 10.150.84.0 0.0.0.255
access-list 199 permit ip 172.16.30.0 0.0.0.255 any
!
route-map nonat2 permit 10
 match ip address 198
!
route-map nonat permit 10
 match ip address 199
!
!
I tried a couple of other things and nada...
Anyone have any ideas? I can solve this by putting another hardware device in the equation, but I don't want to...

Try configuring both default routes using a next hop rather than an interface.

Well, I tried this:
ip route 0.0.0.0 0.0.0.0 x.x.x.x 1 (this is the public IP for the VPN)
ip route 0.0.0.0 0.0.0.0 10.x.x.x 1 (this is the internal IP for the WWW)

and changed my NAT route maps to:

access-list 198 deny ip 172.16.30.0 0.0.0.255 any
access-list 199 permit ip 172.16.30.0 0.0.0.255 any

and NADA... not working.

Any suggestions would be greatly appreciated.

You mentioned in your last post that NAT would take care of it before the route, but I found this:
1. If IPsec, then check input access list
2. decryption - for CET (Cisco Encryption Technology) or IPsec
3. check input access list
4. check input rate limits
5. input accounting
6. redirect to web cache
7. policy routing
8. routing
9. NAT inside to outside (local to global translation)
10. crypto (check map and mark for encryption)
11. check output access list
12. inspect (Context-based Access Control (CBAC))
13. TCP intercept
14. encryption
15. queueing

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
This is the egress order of processing from Cisco... I'm confused.

Based on that, it looks like the routing comes in before the NAT rules...
I also found this from Cisco:
"If you use multiple ip route 0.0.0.0 0.0.0.0 commands to configure a default route, traffic is load-balanced over the multiple routes."

I don't want to do that...
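As an added example (not code from this thread), a small Python checker that reads an IOS config excerpt like the one posted above and reports the two conditions the discussion turns on: default routes that share an administrative distance (which IOS installs as equal-cost paths and load-balances, as the asker found) and a crypto map bound to more than one outside interface. The excerpt is constructed from the posted config, with a documentation address standing in for the "(public)" placeholder.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the config posted above; the public next hop
# is a documentation address standing in for the "(public)" placeholder.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip nat outside
 crypto map CryptoMap
!
interface FastEthernet1
 ip address dhcp
 ip nat outside
 crypto map CryptoMap
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.150.83.0 255.255.255.0 FastEthernet1
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?\s*$")

def parse_routes(config):
    """(prefix, mask, next_hop, distance) per static route; IOS defaults distance to 1."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, mask, nh, dist = m.groups()
            routes.append((prefix, mask, nh, int(dist) if dist else 1))
    return routes

def equal_cost_defaults(config):
    """Default routes sharing one distance: IOS installs them all and load-balances."""
    groups = defaultdict(list)
    for prefix, mask, nh, dist in parse_routes(config):
        if prefix == mask == "0.0.0.0":
            groups[dist].append(nh)
    return {d: nhs for d, nhs in groups.items() if len(nhs) > 1}

def crypto_map_interfaces(config):
    """Interfaces each crypto map is bound to; two bindings means IKE can land on either ISP."""
    by_map, current = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith(" crypto map ") and current:
            by_map[line.split()[2]].append(current)
    return dict(by_map)
```

Running `equal_cost_defaults(SAMPLE_CONFIG)` on the excerpt returns both default routes under distance 1, which is exactly the load-balancing case the Cisco note describes.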
ASKER CERTIFIED SOLUTION by SamoletMaj (the accepted answer is not included on this page)
I had to come up with this answer on my own. The comment provided was good and would work for a load-sharing or redundancy scenario, but not for my particular requirement.

I posted a working config for future readers.

The order of processing is posted above.