Problems adding routing routes

Answered Question
Jul 9th, 2007

Hi,

I have a Cisco 2821 router. This router has an ADSL WIC and an LMDS connection using the second gigabit port.

Now, there is a default route configured: ip route 0.0.0.0 0.0.0.0 83.x.x.x permanent.

With this configuration it works fine.

There are several VPN IPsec tunnels running properly, but if I change the routing route to ip route 192.168.157.0 255.255.255.0 83.x.x.x permanent, it does not work.

Then I need to configure the routing for:

using the ADSL WIC for internet & NAT and then the static routes for the VPN IPsec tunnels.

What can I do?

Best regards

Jon Marshall Mon, 07/09/2007 - 05:10

Hi Edgar

Could you post a bit more detail on your setup?

If the tunnels are site-to-site VPN tunnels you do not need static routes on the router as the crypto access-list will tell the router whether or not it needs to encrypt the traffic.

Jon

Correct Answer
Jon Marshall Mon, 07/09/2007 - 05:28

Edgar

If they are site-to-site VPN tunnels you do not need static routes for the VPN tunnels. The access-lists you define for use in the crypto map define the local and remote networks, i.e.

access-list vpntraffic permit ip 10.5.1.0 255.255.255.0 192.168.5.0 255.255.255.0

If the route receives a packet from 10.5.1.x destined for a 192.168.5.x machine, it knows it has to send this traffic down the VPN tunnels. It does not need a static route.

HTH

Jon

Jon Marshall Mon, 07/09/2007 - 05:33

Edit

If the route receives a packet from 10.5.1.x destined ...

should read

If the router receives a packet from 10.5.1.x destined ...

Jon

edgar-quintana Mon, 07/09/2007 - 05:35

OK...

Then there are two questions to respond to:

The 2821 has two NICs: one for line backup if it fails, and the second one, the ADSL WIC, for internet and NAT.

1. How to configure the routing for backup (the IPsec tunnels are already configured)?

2. How to configure the routing for NAT and internet browsing?

Jon Marshall Mon, 07/09/2007 - 05:54

Edgar

1) If you are using a static default route you can use another default route with a higher administrative distance, called a floating static, e.g.

If your primary link gateway is 83.10.1.1

your secondary link gateway is 84.10.1.1

ip route 0.0.0.0 0.0.0.0 83.10.1.1

ip route 0.0.0.0 0.0.0.0 84.10.1.1 250

The second route will only be used if the first disappears.

2) Not entirely clear. Are you asking how you would do the NAT in a failover scenario?

Jon
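
Added example, not part of the original thread and not Cisco code: a small Python model of the two mechanisms described in the answers above, the crypto access-list that selects traffic for the tunnel and the floating static default route. It models the router doing the route lookup first and checking the crypto ACL on the egress interface afterwards; the interface names `primary` and `backup`, the handling of `permanent`, and the crypto map being applied on both links are assumptions for illustration.

```python
import ipaddress

# Constructed sample state; gateway and network addresses follow the thread's examples.
# Each route: (prefix, next hop, administrative distance, egress interface, permanent)
ROUTES = [
    ("0.0.0.0/0", "83.10.1.1", 1, "primary", False),
    ("0.0.0.0/0", "84.10.1.1", 250, "backup", False),   # floating static
]
CRYPTO_ACL = [("10.5.1.0/24", "192.168.5.0/24")]   # local net -> remote net
CRYPTO_MAP_ON = {"primary", "backup"}               # assumed: crypto map on both links


def best_route(dst, routes, up):
    """Longest prefix wins, then lowest administrative distance.
    Assumption: a route leaves the table when its interface is down,
    unless it carries the `permanent` keyword."""
    dst = ipaddress.ip_address(dst)
    installed = [r for r in routes
                 if (r[3] in up or r[4]) and dst in ipaddress.ip_network(r[0])]
    if not installed:
        return None
    return max(installed,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))


def forward(src, dst, routes=ROUTES, up=("primary", "backup"),
            crypto_on=CRYPTO_MAP_ON):
    """Return (action, egress interface) for one packet."""
    route = best_route(dst, routes, set(up))
    if route is None:
        return ("drop-no-route", None)      # the crypto ACL is never consulted
    ifc = route[3]
    if ifc not in up:
        return ("blackhole", ifc)           # permanent route points at a dead link
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    protected = any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
                    for a, b in CRYPTO_ACL)
    if protected and ifc in crypto_on:
        return ("encrypt", ifc)
    return ("clear", ifc)                   # leaves the router unencrypted


if __name__ == "__main__":
    pkt = ("10.5.1.10", "192.168.5.20")     # constructed hosts in the two networks
    print(forward(*pkt))                    # both links up
    print(forward(*pkt, up=("backup",)))    # primary link down
    print(forward(*pkt, routes=[]))         # no default route at all
```

With `permanent` set on the primary default route, as in the configuration in the original question, the model keeps that route installed while the link is down, so the floating static never takes over. If the crypto map is missing on the backup interface, traffic that matches the crypto ACL leaves that link in the clear.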

edgar-quintana Mon, 07/09/2007 - 07:20

This is the situation:

A Cisco 2821 with two gigabit ports and an ADSL WIC.

The ADSL WIC is only for backing up the tunnels.

If the tunnels don't need routes added, the backup tunnels would not need them either?

edgar-quintana Mon, 07/09/2007 - 13:47

This is the configuration.

There are 2 static routes.

The tunnels only work if there is a default route configured...

Is it possible to enable both?
