09-20-2008 08:46 PM
Hello Experts,
I have read and read and read...so I appreciate any help. I would like to configure outbound VPN with 2 ISPs since a new HWIC was installed on my 1841.
BGP is not an option because the internet links don't talk to each other.
I understand that this can be accomplished with ip sla and object tracking, but I don't know
if I need some tweaking with the VPN traffic so that it can failover or if this config will actually work.
Would like your input as it is on a live environment and I can't test on a lab.
My requirements are as follows:
1- I only need 1 host computer (172.16.4.20) to exit thru the second (Antena_NEW_Gateway) interface FA0/1/0 via VPN
with gateway 192.168.51.1 and to failover to the "original" default gateway (Rest network is using) in case it fails.
2- All my other VPN network traffic remains the same exiting thru my original default gateway (190.11.1.1)
Interfaces are as follows:
interface FastEthernet0/0
description OUTSIDE
ip address dhcp client-id FastEthernet0/0
crypto map 3desmap
!
interface FastEthernet0/1
description inside
ip address 172.16.4.60 255.255.255.0
!
interface FastEthernet0/1/0
description ANTENA_NEW_Gateway
ip address 192.168.51.2 255.255.255.0
crypto map acts1
ip policy route-map acts
Please let me know if I'm missing something. I created a different crypto map for the 2nd interface, I'm using the same transform-set and interesting traffic acl from before.
interface FastEthernet0/1/0
description ANTENA_NEW_Gateway
ip address 192.168.51.2 255.255.255.0
crypto map acts1
ip policy route-map acts
ip route 0.0.0.0 0.0.0.0 190.11.1.1
ip route host 172.16.4.20 192.168.51.1 track 123
ip route host 172.16.4.20 190.11.1.1 254
ip sla 1
icmp-echo 192.168.51.1
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
track 123 rtr 1 reachability
access-list 101 permit icmp any host 192.168.51.1 echo
route-map acts permit 10
Router(config-route-map)# match ip address 101
Router(config-route-map)# set interface FastEthernet0/1/0 Null 0
Router(config-route-map)# exit
I'm also attaching my configuration.
09-20-2008 11:17 PM
the route map should look like
route-map acts1 permit 10
match ip address 1
set ip next-hop 192.168.51.1
route-map acts1 permit 20
set ip next-hop 190.11.1.1
access-list 1 permit host 172.16.4.20
then apply it to the source interface which is in your case interface FastEthernet0/1
interface FastEthernet0/1
ip policy route-map acts1
remove the old route map from the outside interface!!
good luck
if helpful Rate
09-21-2008 11:31 AM
Thank you marwanshawi,
I will test it hopefully in the next couple of days. (By the way, you are a genius!!)
you make it look very easy.
Just to confirm,
1- I remove the route-map from the outside interface, apply the new
route map to the inside interface, and leave the rest of the config as is, correct?
2- I also assume that the static routing is ok and hopefully VPN will function????
ip route 0.0.0.0 0.0.0.0 190.11.1.1
ip route host 172.16.4.20 192.168.51.1 track 123
ip route host 172.16.4.20 190.11.1.1 254
Appreciate your help and time. I will definitely rate this post after testing!! :-)