WAN failover with VPN

Unanswered Question
Aug 15th, 2010

Hello all,

I have a question about a merged configuration which I attempted to get working recently with no luck. Our organization has a 1841 router which is its primary router to ISP#1. This was a T1 connection which was being overworked by all of our Internet traffic. We bought a 1941 with an Ethernet card giving it 3 Ethernet interfaces. This 1941 router is connected to ISP#2 (Comcast). The 1841 has WebVPN config and an L2L VPN to another office. We want to retire the 1841 and just use the 1941 connected to both networks. When I tried to paste in the parts of the 1841 config into the 1941 all was OK from the Internet access perspective, but the VPNs do not function anymore. I also used a zone-based firewall config on the 1941. Which traffic do I need to allow in for the L2L and SSL VPNs to work? I also set up a floating static route for the router to fail over to ISP#1 (Comcast link is the primary) if the Comcast link goes down. The VPN traffic was set up to go out ISP#1; how do I make the VPN traffic go out to ISP#1 but keep the default route set to Comcast (ISP#2)? Sorry for the long post.

richardboldy Sun, 08/15/2010 - 13:20

If you post your configs (minus any passwords) you'll probably get someone to help you.

tjd2112pcca Sun, 08/15/2010 - 18:21

Here is the config of the 1941:

!
! Last configuration change at 20:51:24 UTC Fri Aug 13 2010 by user
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication login external-vpn-users local group radius
aaa authentication login webvpn local
aaa authorization exec default local
aaa authorization network external-vpn-groups local
aaa authorization network external-vpn-users group radius local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name domain.com
ip name-server 68.87.64.150
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3735527223
 enrollment selfsigned
 ip-address 199.72.119.2
 subject-name cn=IOS-Self-Signed-Certificate-3735527223
 revocation-check none
 rsakeypair TP-self-signed-3735527223
!
crypto pki certificate chain TP-self-signed-3735527223
 certificate self-signed 01

  quit
license udi pid CISCO1941/K9 sn serial #
!
username user privilege 15 secret 5 passwd
!
redundancy
!
class-map type inspect match-any CMAP-1
 match protocol tcp
 match protocol icmp
 match protocol udp
class-map type inspect match-all pptp-passthru
 match access-group name PPTP-PASS-THROUGH
!
policy-map type inspect PMAP-1
 class type inspect CMAP-1
  inspect
 class type inspect pptp-passthru
  pass
 class class-default
  drop
policy-map type inspect PMAP-2
 class type inspect pptp-passthru
  pass
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PMAP-1
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect PMAP-2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key address 64.32.253.138 no-xauth
!
crypto isakmp client configuration group vpn-group-1
 key key
 dns 10.1.9.254
 wins 10.1.9.254
 domain fesnakllp.com
 pool vpn_users1
 acl 151
 netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group vpn-group-1
!
crypto ipsec transform-set sonicwall esp-3des esp-md5-hmac
crypto ipsec transform-set client-tsset esp-3des esp-sha-hmac
!
crypto dynamic-map client-map 1
 set transform-set client-tsset
 set isakmp-profile VPNclient
 reverse-route
!
crypto map external-crypto client authentication list external-vpn-users
crypto map external-crypto isakmp authorization list external-vpn-groups
crypto map external-crypto client configuration address respond
crypto map external-crypto 10 ipsec-isakmp
 description Tunnel to Sonicwall / 64.32.253.138
 set peer 64.32.253.138
 set security-association lifetime seconds 86400
 set transform-set sonicwall
 match address 150
crypto map external-crypto 65535 ipsec-isakmp dynamic client-map
!
interface Loopback2
 description This is needed for WebVPN address pool
 ip address 10.3.1.126 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description Internal LAN
 ip address 10.1.9.251 255.255.255.0
 ip mask-reply
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Internet via Comcast
 ip address 75.151.154.178 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0/0
 description Internet via Paetec
 ip address 199.72.119.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip local pool vpn_users1 10.2.1.1 10.2.1.100
ip local pool webvpn_users 10.3.1.1 10.3.1.100
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 105 interface GigabitEthernet0/1 overload
ip nat inside source route-map nonat-vpn interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 75.151.154.182
ip route 0.0.0.0 0.0.0.0 199.72.119.1 250
ip route 10.2.1.0 255.255.255.0 199.72.119.1 permanent
ip route 10.3.1.0 255.255.255.0 199.72.119.1 permanent
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
!
access-list 100 remark NAT policy for this router
access-list 100 remark Deny NAT for packets via VPN
access-list 100 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 100 remark Deny NAT for packets to VPN clients (ippool)
access-list 100 deny   ip any host 10.2.1.1
access-list 100 deny   ip any host 10.2.1.2
access-list 100 deny   ip any host 10.2.1.3
access-list 100 deny   ip any host 10.2.1.4
access-list 100 deny   ip any host 10.2.1.5
access-list 100 deny   ip any host 10.2.1.6
access-list 100 deny   ip any host 10.2.1.7
access-list 100 deny   ip any host 10.2.1.8
access-list 100 deny   ip any host 10.2.1.9
access-list 100 deny   ip any host 10.2.1.10
access-list 100 deny   ip any host 10.2.1.11
access-list 100 deny   ip any host 10.2.1.12
access-list 100 deny   ip any host 10.2.1.13
access-list 100 deny   ip any host 10.2.1.14
access-list 100 deny   ip any host 10.2.1.15
access-list 100 deny   ip any host 10.2.1.16
access-list 100 deny   ip any host 10.2.1.17
access-list 100 deny   ip any host 10.2.1.18
access-list 100 deny   ip any host 10.2.1.19
access-list 100 deny   ip any host 10.2.1.20
access-list 100 deny   ip any host 10.2.1.21
access-list 100 deny   ip any host 10.2.1.22
access-list 100 deny   ip any host 10.2.1.23
access-list 100 deny   ip any host 10.2.1.24
access-list 100 deny   ip any host 10.2.1.25
access-list 100 deny   ip any host 10.2.1.26
access-list 100 deny   ip any host 10.2.1.27
access-list 100 deny   ip any host 10.2.1.28
access-list 100 deny   ip any host 10.2.1.29
access-list 100 deny   ip any host 10.2.1.30
access-list 100 deny   ip any host 10.2.1.31
access-list 100 deny   ip any host 10.2.1.32
access-list 100 deny   ip any host 10.2.1.33
access-list 100 deny   ip any host 10.2.1.34
access-list 100 deny   ip any host 10.2.1.35
access-list 100 deny   ip any host 10.2.1.36
access-list 100 deny   ip any host 10.2.1.37
access-list 100 deny   ip any host 10.2.1.38
access-list 100 deny   ip any host 10.2.1.39
access-list 100 deny   ip any host 10.2.1.40
access-list 100 deny   ip any host 10.2.1.41
access-list 100 deny   ip any host 10.2.1.42
access-list 100 deny   ip any host 10.2.1.43
access-list 100 deny   ip any host 10.2.1.44
access-list 100 deny   ip any host 10.2.1.45
access-list 100 deny   ip any host 10.2.1.46
access-list 100 deny   ip any host 10.2.1.47
access-list 100 deny   ip any host 10.2.1.48
access-list 100 deny   ip any host 10.2.1.49
access-list 100 deny   ip any host 10.2.1.50
access-list 100 deny   ip any host 10.2.1.51
access-list 100 deny   ip any host 10.2.1.52
access-list 100 deny   ip any host 10.2.1.53
access-list 100 deny   ip any host 10.2.1.54
access-list 100 deny   ip any host 10.2.1.55
access-list 100 deny   ip any host 10.2.1.56
access-list 100 deny   ip any host 10.2.1.57
access-list 100 deny   ip any host 10.2.1.58
access-list 100 deny   ip any host 10.2.1.59
access-list 100 deny   ip any host 10.2.1.60
access-list 100 deny   ip any host 10.2.1.61
access-list 100 deny   ip any host 10.2.1.62
access-list 100 deny   ip any host 10.2.1.63
access-list 100 deny   ip any host 10.2.1.64
access-list 100 deny   ip any host 10.2.1.65
access-list 100 deny   ip any host 10.2.1.66
access-list 100 deny   ip any host 10.2.1.67
access-list 100 deny   ip any host 10.2.1.68
access-list 100 deny   ip any host 10.2.1.69
access-list 100 deny   ip any host 10.2.1.70
access-list 100 deny   ip any host 10.2.1.71
access-list 100 deny   ip any host 10.2.1.72
access-list 100 deny   ip any host 10.2.1.73
access-list 100 deny   ip any host 10.2.1.74
access-list 100 deny   ip any host 10.2.1.75
access-list 100 deny   ip any host 10.2.1.76
access-list 100 deny   ip any host 10.2.1.77
access-list 100 deny   ip any host 10.2.1.78
access-list 100 deny   ip any host 10.2.1.79
access-list 100 deny   ip any host 10.2.1.80
access-list 100 deny   ip any host 10.2.1.81
access-list 100 deny   ip any host 10.2.1.82
access-list 100 deny   ip any host 10.2.1.83
access-list 100 deny   ip any host 10.2.1.84
access-list 100 deny   ip any host 10.2.1.85
access-list 100 deny   ip any host 10.2.1.86
access-list 100 deny   ip any host 10.2.1.87
access-list 100 deny   ip any host 10.2.1.88
access-list 100 deny   ip any host 10.2.1.89
access-list 100 deny   ip any host 10.2.1.90
access-list 100 deny   ip any host 10.2.1.91
access-list 100 deny   ip any host 10.2.1.92
access-list 100 deny   ip any host 10.2.1.93
access-list 100 deny   ip any host 10.2.1.94
access-list 100 deny   ip any host 10.2.1.95
access-list 100 deny   ip any host 10.2.1.96
access-list 100 deny   ip any host 10.2.1.97
access-list 100 deny   ip any host 10.2.1.98
access-list 100 deny   ip any host 10.2.1.99
access-list 100 deny   ip any host 10.2.1.100
access-list 100 deny   ip any host 10.3.1.1
access-list 100 deny   ip any host 10.3.1.2
access-list 100 deny   ip any host 10.3.1.3
access-list 100 deny   ip any host 10.3.1.4
access-list 100 deny   ip any host 10.3.1.5
access-list 100 deny   ip any host 10.3.1.6
access-list 100 deny   ip any host 10.3.1.7
access-list 100 deny   ip any host 10.3.1.8
access-list 100 deny   ip any host 10.3.1.9
access-list 100 deny   ip any host 10.3.1.10
access-list 100 deny   ip any host 10.3.1.11
access-list 100 deny   ip any host 10.3.1.12
access-list 100 deny   ip any host 10.3.1.13
access-list 100 deny   ip any host 10.3.1.14
access-list 100 deny   ip any host 10.3.1.15
access-list 100 deny   ip any host 10.3.1.16
access-list 100 deny   ip any host 10.3.1.17
access-list 100 deny   ip any host 10.3.1.18
access-list 100 deny   ip any host 10.3.1.19
access-list 100 deny   ip any host 10.3.1.20
access-list 100 deny   ip any host 10.3.1.21
access-list 100 deny   ip any host 10.3.1.22
access-list 100 deny   ip any host 10.3.1.23
access-list 100 deny   ip any host 10.3.1.24
access-list 100 deny   ip any host 10.3.1.25
access-list 100 deny   ip any host 10.3.1.26
access-list 100 deny   ip any host 10.3.1.27
access-list 100 deny   ip any host 10.3.1.28
access-list 100 deny   ip any host 10.3.1.29
access-list 100 deny   ip any host 10.3.1.30
access-list 100 deny   ip any host 10.3.1.31
access-list 100 deny   ip any host 10.3.1.32
access-list 100 deny   ip any host 10.3.1.33
access-list 100 deny   ip any host 10.3.1.34
access-list 100 deny   ip any host 10.3.1.35
access-list 100 deny   ip any host 10.3.1.36
access-list 100 deny   ip any host 10.3.1.37
access-list 100 deny   ip any host 10.3.1.38
access-list 100 deny   ip any host 10.3.1.39
access-list 100 deny   ip any host 10.3.1.40
access-list 100 deny   ip any host 10.3.1.41
access-list 100 deny   ip any host 10.3.1.42
access-list 100 deny   ip any host 10.3.1.43
access-list 100 deny   ip any host 10.3.1.44
access-list 100 deny   ip any host 10.3.1.45
access-list 100 deny   ip any host 10.3.1.46
access-list 100 deny   ip any host 10.3.1.47
access-list 100 deny   ip any host 10.3.1.48
access-list 100 deny   ip any host 10.3.1.49
access-list 100 deny   ip any host 10.3.1.50
access-list 100 deny   ip any host 10.3.1.51
access-list 100 deny   ip any host 10.3.1.52
access-list 100 deny   ip any host 10.3.1.53
access-list 100 deny   ip any host 10.3.1.54
access-list 100 deny   ip any host 10.3.1.55
access-list 100 deny   ip any host 10.3.1.56
access-list 100 deny   ip any host 10.3.1.57
access-list 100 deny   ip any host 10.3.1.58
access-list 100 deny   ip any host 10.3.1.59
access-list 100 deny   ip any host 10.3.1.60
access-list 100 deny   ip any host 10.3.1.61
access-list 100 deny   ip any host 10.3.1.62
access-list 100 deny   ip any host 10.3.1.63
access-list 100 deny   ip any host 10.3.1.64
access-list 100 deny   ip any host 10.3.1.65
access-list 100 deny   ip any host 10.3.1.66
access-list 100 deny   ip any host 10.3.1.67
access-list 100 deny   ip any host 10.3.1.68
access-list 100 deny   ip any host 10.3.1.69
access-list 100 deny   ip any host 10.3.1.70
access-list 100 deny   ip any host 10.3.1.71
access-list 100 deny   ip any host 10.3.1.72
access-list 100 deny   ip any host 10.3.1.73
access-list 100 deny   ip any host 10.3.1.74
access-list 100 deny   ip any host 10.3.1.75
access-list 100 deny   ip any host 10.3.1.76
access-list 100 deny   ip any host 10.3.1.77
access-list 100 deny   ip any host 10.3.1.78
access-list 100 deny   ip any host 10.3.1.79
access-list 100 deny   ip any host 10.3.1.80
access-list 100 deny   ip any host 10.3.1.81
access-list 100 deny   ip any host 10.3.1.82
access-list 100 deny   ip any host 10.3.1.83
access-list 100 deny   ip any host 10.3.1.84
access-list 100 deny   ip any host 10.3.1.85
access-list 100 deny   ip any host 10.3.1.86
access-list 100 deny   ip any host 10.3.1.87
access-list 100 deny   ip any host 10.3.1.88
access-list 100 deny   ip any host 10.3.1.89
access-list 100 deny   ip any host 10.3.1.90
access-list 100 deny   ip any host 10.3.1.91
access-list 100 deny   ip any host 10.3.1.92
access-list 100 deny   ip any host 10.3.1.93
access-list 100 deny   ip any host 10.3.1.94
access-list 100 deny   ip any host 10.3.1.95
access-list 100 deny   ip any host 10.3.1.96
access-list 100 deny   ip any host 10.3.1.97
access-list 100 deny   ip any host 10.3.1.98
access-list 100 deny   ip any host 10.3.1.99
access-list 100 deny   ip any host 10.3.1.100
access-list 100 remark NAT everything else
access-list 100 permit ip 10.1.9.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 120 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 150 remark Permit traffic between here and remote LAN via IPSEC
access-list 150 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 151 remark ACL for VPN Client Split Tunneling
access-list 151 permit ip 10.1.9.0 0.0.0.255 any
!
no cdp run
!
route-map nonat-vpn permit 1
 match ip address 100
!
radius-server host 10.1.9.254 auth-port 1645 acct-port 1646 key 12345
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway WebVPNGateway
 ip address 199.72.119.2 port 443
 ssl encryption 3des-sha1
 ssl trustpoint TP-self-signed-3735527223
 inservice
!
webvpn context Default_context
 ssl authenticate verify all
 !
 nbns-list "Windows_Servers"
   nbns-server 10.1.9.254 master
 !
 port-forward "WebVPN_Ports"
   local-port 3001 remote-server "10.1.9.254" remote-port 2029 description "MSSQLPROFXENGAGEMENT"
   local-port 3002 remote-server "10.1.9.254" remote-port 6735 description "PFXEngDesktopService"
   local-port 3003 remote-server "10.1.9.254" remote-port 6736 description "PFXSYNPFTService"
   local-port 3004 remote-server "10.1.9.254" remote-port 1434 description "SQL Listening Service"
 !
 policy group WebVPN_Policy
   port-forward "WebVPN_Ports"
   nbns-list "Windows_Servers"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-required
   svc address-pool "webvpn_users"
   svc default-domain "fesnakllp.com"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc rekey method new-tunnel
   svc split include 10.1.9.0 255.255.255.0
   svc dns-server primary 10.1.9.254
   svc wins-server primary 10.1.9.254
 default-group-policy WebVPN_Policy
 aaa authentication list external-vpn-users
 inservice
!
end


tjd2112pcca Mon, 08/16/2010 - 19:32

I think it's that there are no ports open for the incoming VPN traffic. I can't bring this down a lot to test. Can anyone tell me if I'm on the right track?


Thanks.
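The fragment below is an added example written for this thread; it is not from any of the posts and has not been applied to the poster's router. It works from three things that are visible in the posted config: the crypto map external-crypto is defined but applied to no interface; FastEthernet0/0/0, which carries 199.72.119.2 (the address the WebVPN gateway binds to and the address the trustpoint names), is shut down; and the only outside-to-inside policy, PMAP-2, passes GRE and drops everything else, which is also what decrypted traffic from the remote LAN and the client pools hits after it enters on an outside-zone interface. It assumes that 199.72.119.1 is the working Paetec next hop and that the Sonicwall peer expects 199.72.119.2 as its IKE endpoint. Every route-map, ACL and class-map name it introduces (VPN-VIA-PAETEC, ROUTER-VPN-SOURCE, OUTSIDE-TO-SELF, VPN-SOURCES, CMAP-VPN-TO-SELF, CMAP-VPN-IN, PMAP-OUTSIDE-SELF) is made up for the example.

```cisco
! ADDED EXAMPLE, not from the thread. Assumes 199.72.119.1 is the Paetec
! next hop and the Sonicwall peer expects 199.72.119.2 as its IKE endpoint.
!
! 1. Terminate the VPNs on the Paetec interface. The posted config defines the
!    crypto map but applies it nowhere, and the interface is shut down.
interface FastEthernet0/0/0
 description Internet via Paetec (VPN termination)
 crypto map external-crypto
 no shutdown
!
! 2. Policy-route only the VPN traffic toward Paetec; the default route stays
!    on Comcast. ACL 150 already describes the L2L traffic.
route-map VPN-VIA-PAETEC permit 10
 match ip address 150
 set ip next-hop 199.72.119.1
!
interface GigabitEthernet0/0
 ip policy route-map VPN-VIA-PAETEC
!
!    Interface PBR does not touch traffic the router itself generates (IKE and
!    ESP to the Sonicwall, WebVPN replies sourced from 199.72.119.2), so local
!    policy routing keeps that traffic off the Comcast default route too.
ip access-list extended ROUTER-VPN-SOURCE
 permit ip host 199.72.119.2 any
!
route-map LOCAL-VPN-VIA-PAETEC permit 10
 match ip address ROUTER-VPN-SOURCE
 set ip next-hop 199.72.119.1
!
ip local policy route-map LOCAL-VPN-VIA-PAETEC
!
! 3a. Traffic that terminates on the router (IKE, NAT-T, ESP, WebVPN on 443)
!     belongs to the self zone. With no outside<->self zone-pair it is allowed
!     by default; this explicit pair admits only what the VPNs need and logs
!     the rest, so the Internet side cannot reach HTTP or SSH on the router.
ip access-list extended OUTSIDE-TO-SELF
 remark IKE and NAT-T from the L2L peer and remote-access clients
 permit udp any host 199.72.119.2 eq isakmp
 permit udp any host 199.72.119.2 eq non500-isakmp
 remark WebVPN / SSL VPN gateway
 permit tcp any host 199.72.119.2 eq 443
!
ip access-list extended OUTSIDE-TO-SELF-ESP
 permit esp any host 199.72.119.2
!
class-map type inspect match-any CMAP-VPN-TO-SELF
 match access-group name OUTSIDE-TO-SELF
class-map type inspect match-any CMAP-ESP-TO-SELF
 match access-group name OUTSIDE-TO-SELF-ESP
!
policy-map type inspect PMAP-OUTSIDE-SELF
 class type inspect CMAP-VPN-TO-SELF
  inspect
 class type inspect CMAP-ESP-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security outside-to-self source outside destination self
 service-policy type inspect PMAP-OUTSIDE-SELF
!
! 3b. After decryption, packets from the remote LAN and both client pools are
!     evaluated by the outside-to-inside pair. Inspect just those sources
!     instead of widening PMAP-2; class-default still drops everything else.
ip access-list extended VPN-SOURCES
 permit ip 10.1.10.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.2.1.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.3.1.0 0.0.0.255 10.1.9.0 0.0.0.255
!
class-map type inspect match-all CMAP-VPN-IN
 match access-group name VPN-SOURCES
!
policy-map type inspect PMAP-2
 class type inspect CMAP-VPN-IN
  inspect
```

Two points on how this interacts with the rest of the posted config. NAT follows the exit interface: a packet policy-routed out FastEthernet0/0/0 is translated by the route-map nonat-vpn rule, whose ACL 100 already exempts 10.1.9.0/24 to 10.1.10.0/24, so the L2L traffic is not NATed; the ACL 105 rule only applies to packets that actually leave GigabitEthernet0/1. That is also the failure mode to check: if the Paetec next hop is unreachable, set ip next-hop does nothing and the flow falls back to the Comcast default route, where ACL 105 (10.0.0.0/8 to any) would translate it and send it out unencrypted. Adding deny entries for the 10.1.10.0/24, 10.2.1.0/24 and 10.3.1.0/24 destinations ahead of the permit in ACL 105, or tying the route-map to an IP SLA track with set ip next-hop verify-availability, prevents that. The self-to-outside direction is left at its default (permitted) so the router's own IKE initiation and outbound ESP are unaffected; if a self-to-outside zone-pair is added later, it needs a pass for ESP and inspect for UDP 500/4500 and TCP 443 as well.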
