EZVPN Server on Dual WAN Interfaces

Unanswered Question
Jul 14th, 2009


I've configured EasyVPN on both of my WAN interfaces. The problem I'm having is that the traffic is leaving via xxx.xxx.xxx.60 and not via the interface that the remote site connects to.

What can I do to get the traffic to leave via the interface to which the remote side connects?



ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ezvpn-spoke-pta
key *****vpn-key*****
acl 106
!
crypto isakmp client configuration group ezvpn-spoke-pta-backup
key *****vpn-key*****
acl 106
!
crypto isakmp profile sdm-ike-profile-1
match identity group ezvpn-spoke-pta
isakmp authorization list sdm_vpn_group_ml_3
client configuration address respond
keepalive 60 retry 2
virtual-template 1
!
crypto isakmp profile sdm-ike-profile-2
match identity group ezvpn-spoke-pta
isakmp authorization list sdm_vpn_group_ml_4
client configuration address respond
keepalive 60 retry 2
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-2
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Inside Network$ETH-LAN$$FW_INSIDE$
ip address xxx.xxx.0.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map RouteMapPBR
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.310
encapsulation dot1Q 310
ip address xxx.xxx.xxx.227 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
snmp trap ip verify drop-rate
no cdp enable
!
interface FastEthernet0/1.320
encapsulation dot1Q 320
ip address xxx.xxx.xxx.60 255.255.255.248
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
snmp trap ip verify drop-rate
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1.320
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/1.310
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 track 310
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.57 track 320
!
ip flow-cache entries 4000
ip flow-cache timeout inactive 100
!
ip nat inside source route-map Nat320 interface FastEthernet0/1.320 overload
ip nat inside source route-map Nat310 interface FastEthernet0/1.310 overload
!
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip xxx.xxx.0.0 0.0.255.255 any


Todd Pula Tue, 07/14/2009 - 10:26

What is the overall requirement of your design? Are you looking to use the FastEthernet0/1.310 path as the primary and the FastEthernet0/1.320 for failover? If this is the case, you can track the default route to .225 and use a floating static route for .57 with a higher AD.

johanhanekom Tue, 07/14/2009 - 23:52

That's correct, FE0/1.310 as the primary path and FE0/1.320 as the failover path.

I've added a higher AD to .57, but that causes my inbound port forwarding to stop working.


ip nat inside source static tcp xxx.xxx.xxx.10 25 xxx.xxx.xxx.227 25 extendable
ip nat inside source static tcp xxx.xxx.xxx.11 25 xxx.xxx.xxx.60 25 extendable
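Putting the two replies together, here is an added example (editor's illustration, not configuration from the thread or from Cisco) of what the primary/backup routing Todd describes looks like alongside a policy route that keeps the .60 port forward working. The floating static route to .57 carries a higher administrative distance so it is only installed when the tracked primary is withdrawn. Because the static NAT for xxx.xxx.xxx.11 is bound to the .320 address, replies from that host must leave FastEthernet0/1.320 even while the primary default route points at .225; the route-map on the inside interface does that, and `verify-availability ... track 320` skips the policy route when the .320 path is down so those packets fall back to normal routing. The route-map name RouteMapPBR comes from the posted config (its body was not shown); the ACL number 150 and the AD value 10 are assumptions.

```cisco
! Primary default route via FE0/1.310, withdrawn when track 310 goes down
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 track 310
! Floating static via FE0/1.320: AD 10 (assumed value) keeps it out of the
! routing table while the primary is present
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.57 10 track 320
!
! Inside hosts whose inbound port forwards are published on xxx.xxx.xxx.60
! (ACL 150 is an assumed, unused number)
access-list 150 remark Return traffic for services published on FE0/1.320
access-list 150 permit ip host xxx.xxx.xxx.11 any
!
! Policy-route those hosts' replies out FE0/1.320 so the static NAT
! to .60 is applied; if track 320 is down, the set is ignored and the
! packet is routed normally
route-map RouteMapPBR permit 10
 match ip address 150
 set ip next-hop verify-availability xxx.xxx.xxx.57 1 track 320
!
! Everything else falls through to the routing table
! (tracked primary first, floating static when the primary is gone)
route-map RouteMapPBR permit 20
!
! The posted config already applies this route-map on the inside interface
interface FastEthernet0/0
 ip policy route-map RouteMapPBR
```

After applying this, `show ip route 0.0.0.0` should list only the .225 next hop while track 310 is up, and `show route-map RouteMapPBR` should show policy-matched packet counts climbing for sequence 10 when the .11 host answers inbound connections.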

