06-02-2007 09:17 PM - edited 03-03-2019 05:16 PM
Hi all,
Wondering if someone can assist with a config I need to put together in the next few weeks.
Situation is this:
Cisco 2851 Router with 3 x ADSL interfaces
The reason behind the 3 x ADSLs is the following:
1 x ADSL (512k/512k) to be used for VoIP traffic
1 x ADSL (512k/512k) to be used for MS SQL traffic
1 x ADSL (8000k/384k) to be used for everything else
Each of these ADSLs will need a site-to-site IPsec connection back to our main site (terminating on a third-party firewall). My question is: how should I go about configuring the ADSL interfaces so that only the specified traffic types travel down the correct link?
And if you were wondering why we are looking at doing this on a 2851, it's because the 4th interface is a VIC2-2BRI, and the router is going to be doing SRST (supporting approx. 60 VoIP phones).
Any suggestions/comments/example configs would be greatly appreciated.
06-03-2007 02:30 AM
Hi,
This might be a start?
!
interface fastethernet 3/1
 description ** LAN interface ***
 ip policy route-map Texas
 ip nbar...
!
route-map Texas permit 10
 match protocol XXX
 set ip next-hop 3.3.3.3
!
route-map Texas permit 20
 match protocol XX
 set ip next-hop 4.3.3.5
 ! or, for a point-to-point link: set interface XXX
!
route-map Texas permit 30
 ! no match or set clause: the remaining traffic is routed normally
!
Then you have three different crypto maps for
your IPsec connections, each applied to one ADSL interface.
HTH
BR,
Bjornarsb
06-03-2007 02:50 PM
Thanks for your reply. I'll give this a go once I get my hands on the hardware
06-06-2007 05:11 PM
Hi,
I've started building a config for this and have struck a potential problem.
When you define each of the three crypto maps you need to define a 'match' statement which points to an ACL. If the route-maps are matching based on protocol, how should I look at matching the crypto maps?
Also, is it possible to have a different pre-shared key for each IPsec tunnel?
Thanks
06-06-2007 05:43 PM
Also, I actually don't see 'match protocol' or 'match ip protocol' as available selections in the route-map. Do I need to turn something on like NBAR or CEF?
06-07-2007 08:45 AM
I'd suggest, for the matching on your router's crypto maps, that you match via protocol/ports. You know your SQL is bound to port 1433 or something like that, and it's a TCP protocol. Your VoIP will fall on certain ports and use UDP... make sure to include your skinny protocol in there as well.
After that, I think you can gather all the traffic that's left... you'd just deny the other two from the access-list you're using for your bulk traffic.
And I do believe you can have a different pre-shared key since you'll have 3 different crypto maps. I think, but don't quote me on that.
HTH
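Putting the route-map sketch from the first reply and the port-based matching advice above together, here is an added example configuration. It is not from this thread and has not been tested on the poster's hardware; it shows one way to drive both the policy routing and the three crypto maps from the same extended ACLs, and how to give each tunnel its own pre-shared key. Every address, interface name, port number and ACL/profile name is an assumption chosen for illustration: branch LAN 192.168.10.0/24 on GigabitEthernet0/1, head-office networks 10.0.0.0/16 with the SQL server at 10.0.5.20 and the CallManager/voice gateways in 10.0.20.0/24, the firewall's public address 203.0.113.10, and the three ADSL lines as PPPoE on Dialer1, Dialer2 and Dialer3.

```cisco
! Added example (not from the thread): three ADSL lines, each carrying its own
! IPsec tunnel to one head-office firewall, with PBR steering traffic by class.
! Assumed (hypothetical) values: branch LAN 192.168.10.0/24 on Gi0/1, head-office
! networks 10.0.0.0/16, SQL server 10.0.5.20, CallManager/voice gateways in
! 10.0.20.0/24, firewall public address 203.0.113.10, ADSL lines as PPPoE
! on Dialer1 (VoIP), Dialer2 (SQL) and Dialer3 (everything else).
!
! --- Traffic classes: the same ACLs drive both PBR and the crypto maps ---
ip access-list extended VOIP-TRAFFIC
 remark SCCP (skinny) signalling to CallManager plus RTP media to HQ
 permit tcp 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 2000
 permit udp 192.168.10.0 0.0.0.255 range 16384 32767 10.0.0.0 0.0.255.255
ip access-list extended SQL-TRAFFIC
 remark MS SQL default TCP port 1433 to the head-office server
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.5.20 eq 1433
ip access-list extended BULK-TRAFFIC
 remark Everything else to HQ; the other two classes are explicitly excluded
 deny   tcp 192.168.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 2000
 deny   udp 192.168.10.0 0.0.0.255 range 16384 32767 10.0.0.0 0.0.255.255
 deny   tcp 192.168.10.0 0.0.0.255 host 10.0.5.20 eq 1433
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! --- One pre-shared key per tunnel: keyrings bound to ISAKMP profiles ---
crypto keyring KR-VOIP
 pre-shared-key address 203.0.113.10 key <voip-psk>
crypto keyring KR-SQL
 pre-shared-key address 203.0.113.10 key <sql-psk>
crypto keyring KR-BULK
 pre-shared-key address 203.0.113.10 key <bulk-psk>
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3
!
crypto isakmp profile ISA-VOIP
 keyring KR-VOIP
 match identity address 203.0.113.10 255.255.255.255
 local-address Dialer1
crypto isakmp profile ISA-SQL
 keyring KR-SQL
 match identity address 203.0.113.10 255.255.255.255
 local-address Dialer2
crypto isakmp profile ISA-BULK
 keyring KR-BULK
 match identity address 203.0.113.10 255.255.255.255
 local-address Dialer3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto map CM-VOIP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISA-VOIP
 match address VOIP-TRAFFIC
crypto map CM-SQL 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISA-SQL
 match address SQL-TRAFFIC
crypto map CM-BULK 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set isakmp-profile ISA-BULK
 match address BULK-TRAFFIC
!
! --- PBR on the LAN side: first matching sequence wins, so order is priority ---
route-map WAN-SELECT permit 10
 match ip address VOIP-TRAFFIC
 set interface Dialer1
route-map WAN-SELECT permit 20
 match ip address SQL-TRAFFIC
 set interface Dialer2
! no third sequence: unmatched traffic follows the routing table (default via Dialer3)
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map WAN-SELECT
interface Dialer1
 description ADSL 512/512 - VoIP
 crypto map CM-VOIP
interface Dialer2
 description ADSL 512/512 - MS SQL
 crypto map CM-SQL
interface Dialer3
 description ADSL 8000/384 - everything else
 crypto map CM-BULK
!
ip route 0.0.0.0 0.0.0.0 Dialer3
```

Three points worth checking against your own design. First, the per-tunnel key question: a plain `crypto isakmp key ... address 203.0.113.10` is looked up by peer address only, so three tunnels to the same firewall address would all get the same key; binding a keyring to an ISAKMP profile that is selected by `local-address` (the Dialer the negotiation leaves on) is what lets each link use its own key. Second, the firewall will see three distinct peers (the three ADSL WAN addresses) and needs a mirrored crypto ACL and matching key for each; if the ADSL addresses are dynamic, the firewall side must accept dynamic peers. Third, the route-map deliberately has no fallback interface: if you add one (for example `set interface Dialer1 Dialer3`), the crypto ACL on the fallback link will not match VoIP, so that traffic would leave in the clear or be dropped rather than encrypted, and the ACLs would have to be adjusted together. If you also run NAT overload on the Dialers, exempt the HQ-bound traffic from NAT before the crypto ACLs see it.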