Problems with policy based routing and easy VPN server on a router 2821

Unanswered Question
Feb 26th, 2010

We have a router 2821 with two ADSL connections. This router is also a VPN server: teleworkers connect to the local LAN through one of the ADSL connections using the Cisco VPN client. Now we want one server to use the second ADSL connection to connect to the internet. If we configure the policy based routing without the default route to the second interface, the server cannot use the second interface; but if we configure the default route to the second interface (also keeping the default route to the first interface), the LAN works as expected (users and most of the servers through the first ADSL interface, and one server through the other ADSL interface), but the VPN server stops working. I have added some configuration to the policy based routing but it does not work.

Here is the main config of the router:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNClientes
key xxxxxxxxxxxx
pool SDM_POOL_1
acl 101
netmask 255.255.255.224
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNClientes
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-AES128-SHA
set isakmp-profile sdm-ike-profile-1
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
ip address 192.168.254.253 255.255.255.248
ip nat inside
ip policy route-map PBR1
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
description $FW_OUTSIDE$
ip address x.x.x.15 255.255.255.192
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
snmp trap ip verify drop-rate
pvc 8/32
  encapsulation aal5snap
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
description $FW_OUTSIDE$
ip address y.y.y.45 255.255.255.128
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
snmp trap ip verify drop-rate
pvc 8/32
  encapsulation aal5snap
!
!
interface Virtual-Template1 type tunnel
ip unnumbered ATM0/0/0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip local policy route-map PBR2
ip local pool SDM_POOL_1 192.168.254.1 192.168.254.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route 0.0.0.0 0.0.0.0 y.y.y.1
ip route 192.168.40.0 255.255.255.0 192.168.254.254
ip route 192.168.41.0 255.255.255.0 192.168.254.254
ip route 192.168.254.244 255.255.255.252 192.168.254.254
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.40.34 143 interface ATM0/0/0.1 143
ip nat inside source static tcp 192.168.40.34 993 interface ATM0/0/0.1 993
ip nat inside source static tcp 192.168.40.34 992 interface ATM0/0/0.1 992
ip nat inside source static tcp 192.168.40.34 110 interface ATM0/0/0.1 110
ip nat inside source static tcp 192.168.41.5 80 interface ATM0/0/0.1 10002
ip nat inside source static tcp 192.168.40.60 443 interface ATM0/0/0.1 443
ip nat inside source static tcp 192.168.40.34 8443 interface ATM0/0/0.1 8443
ip nat inside source static tcp 192.168.40.34 995 interface ATM0/0/0.1 995
ip nat inside source static tcp 192.168.40.120 5900 interface ATM0/0/0.1 5900
ip nat inside source static tcp 192.168.40.34 587 interface ATM0/0/0.1 587
ip nat inside source static tcp 192.168.41.6 80 interface ATM0/0/0.1 80
ip nat inside source static tcp 192.168.41.3 3101 interface ATM0/0/0.1 3101
ip nat inside source static tcp 192.168.40.9 25 interface ATM0/0/0.1 25
ip nat inside source static tcp 192.168.40.9 8000 interface ATM0/0/0.1 8000
ip nat inside source static tcp 192.168.40.65 443 interface ATM0/1/0.1 443
ip nat inside source static tcp 192.168.40.65 80 interface ATM0/1/0.1 80
ip nat inside source route-map NAT_ATM0 interface ATM0/0/0.1 overload
ip nat inside source route-map NAT_ATM1 interface ATM0/1/0.1 overload
!
access-list 100 remark Reglas_NAT
access-list 100 deny   ip 192.168.40.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 100 deny   ip 192.168.41.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 100 deny   ip 192.168.254.248 0.0.0.7 192.168.254.0 0.0.0.31
access-list 100 deny   ip 192.168.254.244 0.0.0.3 192.168.254.0 0.0.0.31
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 100 permit ip 192.168.41.0 0.0.0.255 any
access-list 100 permit ip 192.168.254.248 0.0.0.7 any
access-list 100 permit ip 192.168.254.244 0.0.0.3 any
access-list 101 remark Conexiones_Permitidas_VPN
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
access-list 101 permit ip 192.168.254.248 0.0.0.7 any
access-list 101 permit ip 192.168.254.244 0.0.0.3 any
access-list 120 deny   ip 192.168.40.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 120 deny   ip 192.168.41.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 120 deny   ip 192.168.254.248 0.0.0.7 192.168.254.0 0.0.0.31
access-list 120 deny   ip 192.168.254.244 0.0.0.3 192.168.254.0 0.0.0.31
access-list 120 deny   ip host 192.168.40.65 any
access-list 120 permit ip any any
access-list 121 deny   ip host 192.168.40.65 192.168.254.0 0.0.0.31
access-list 121 permit ip host 192.168.40.65 any
access-list 122 permit ip 192.168.40.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 122 permit ip 192.168.41.0 0.0.0.255 192.168.254.0 0.0.0.31
access-list 122 permit ip 192.168.254.248 0.0.0.7 192.168.254.0 0.0.0.31
access-list 122 permit ip 192.168.254.244 0.0.0.3 192.168.254.0 0.0.0.31
access-list 130 permit ip host x.x.x.15 any
access-list 131 permit ip host y.y.y.45 any
no cdp run
!
route-map NAT_ATM0 permit 1
match ip address 100
match interface ATM0/0/0.1
!
route-map NAT_ATM1 permit 1
match ip address 100
match interface ATM0/1/0.1
!
route-map PBR1 permit 1
match ip address 120
set ip next-hop x.x.x.1
set interface ATM0/0/0.1
!
route-map PBR1 permit 2
match ip address 121
set ip next-hop y.y.y.1
set interface ATM0/1/0.1
!
route-map PBR1 permit 3
match ip address 122
set ip next-hop x.x.x.1
set interface Virtual-Template1
!
route-map PBR2 permit 1
match ip address 130
set ip next-hop x.x.x.1
set interface ATM0/0/0.1
!
route-map PBR2 permit 2
match ip address 131
set ip next-hop y.y.y.1
set interface ATM0/1/0.1

Any ideas?

Thanks in advance.
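An added Python model (not part of the original post) of how the posted PBR1 route-map is evaluated: Cisco wildcard-mask ACL matching and first-match route-map selection, with ACLs 120, 121 and 122 transcribed from the config above as constructed data. Running it shows that traffic from any LAN host to the VPN client pool 192.168.254.0/27, which includes the LAN side's replies to connected VPN clients entering GigabitEthernet0/0, is caught by entry 3 and handed a next-hop of x.x.x.1 instead of being left to the routing table.

```python
import ipaddress

# Constructed transcription of the posted ACLs 120, 121 and 122:
# (action, source, source-wildcard, destination, destination-wildcard).
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    120: [("deny", "192.168.40.0", "0.0.0.255", "192.168.254.0", "0.0.0.31"),
          ("deny", "192.168.41.0", "0.0.0.255", "192.168.254.0", "0.0.0.31"),
          ("deny", "192.168.254.248", "0.0.0.7", "192.168.254.0", "0.0.0.31"),
          ("deny", "192.168.254.244", "0.0.0.3", "192.168.254.0", "0.0.0.31"),
          ("deny", "192.168.40.65", "0.0.0.0", *ANY),
          ("permit", *ANY, *ANY)],
    121: [("deny", "192.168.40.65", "0.0.0.0", "192.168.254.0", "0.0.0.31"),
          ("permit", "192.168.40.65", "0.0.0.0", *ANY)],
    122: [("permit", "192.168.40.0", "0.0.0.255", "192.168.254.0", "0.0.0.31"),
          ("permit", "192.168.41.0", "0.0.0.255", "192.168.254.0", "0.0.0.31"),
          ("permit", "192.168.254.248", "0.0.0.7", "192.168.254.0", "0.0.0.31"),
          ("permit", "192.168.254.244", "0.0.0.3", "192.168.254.0", "0.0.0.31")],
}
# route-map PBR1 as posted: (sequence, match ACL, set ip next-hop, set interface).
PBR1 = [(1, 120, "x.x.x.1", "ATM0/0/0.1"),
        (2, 121, "y.y.y.1", "ATM0/1/0.1"),
        (3, 122, "x.x.x.1", "Virtual-Template1")]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl_id, src, dst):
    """First matching entry decides; implicit deny if nothing matches."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def pbr_lookup(src, dst):
    """First PBR1 entry whose ACL permits the flow -> (seq, next-hop, interface);
    None means the packet is left to the normal routing table. Inside a route-map
    an ACL deny only means 'not this entry'; it does not drop the packet."""
    for seq, acl_id, nexthop, iface in PBR1:
        if acl_permits(acl_id, src, dst):
            return (seq, nexthop, iface)
    return None

if __name__ == "__main__":
    for src, dst in [("192.168.40.10", "8.8.8.8"), ("192.168.40.65", "8.8.8.8"),
                     ("192.168.40.10", "192.168.254.5"), ("192.168.40.65", "192.168.254.5")]:
        print(src, "->", dst, pbr_lookup(src, dst))
```

The host 192.168.40.65 is the only source steered to y.y.y.1, and only for destinations outside the VPN pool; everything bound for 192.168.254.0/27 ends up in entry 3.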
