08-15-2010 12:49 PM - edited 03-04-2019 09:25 AM
Hello all,
I have a question about a merged configuration which I attempted to get working recently with no luck. Our organization has a 1841 router which is its primary router to ISP#1. This was a T1 connection which was being overworked by all of our Internet traffic. We bought a 1941 with an Ethernet card giving it 3 Ethernet interfaces. This 1941 router is connected to ISP#2 (Comcast). The 1841 has WebVPN config and a L2L VPN to another office. We want to retire the 1841 and just use the 1941 connected to both networks. When I tried to paste in the parts of the 1841 config into the 1941 all was ok from the Internet access perspective, but the VPNs do not function anymore. I also used a zone-based firewall config on the 1941. Which traffic do I need to allow in for the L2L and SSL VPNs to work? I also set up a floating static route for the router to fail over to ISP#1 (Comcast link is the primary) if the Comcast link goes down. The VPN traffic was set up to go out ISP#1; how do I make the VPN traffic go out to ISP#1 but keep the default route set to Comcast (ISP#2)? Sorry for the long post.
08-15-2010 01:20 PM
If you post your configs (minus any passwords) you'll probably get someone to help you.
08-15-2010 06:21 PM
Here is the config of the 1941:
!
! Last configuration change at 20:51:24 UTC Fri Aug 13 2010 by user
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login external-vpn-users local group radius
aaa authentication login webvpn local
aaa authorization exec default local
aaa authorization network external-vpn-groups local
aaa authorization network external-vpn-users group radius local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name domain.com
ip name-server 68.87.64.150
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3735527223
enrollment selfsigned
ip-address 199.72.119.2
subject-name cn=IOS-Self-Signed-Certificate-3735527223
revocation-check none
rsakeypair TP-self-signed-3735527223
!
!
crypto pki certificate chain TP-self-signed-3735527223
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn serial #
!
!
username user privilege 15 secret 5 passwd
!
redundancy
!
!
!
class-map type inspect match-any CMAP-1
match protocol tcp
match protocol icmp
match protocol udp
class-map type inspect match-all pptp-passthru
match access-group name PPTP-PASS-THROUGH
!
!
policy-map type inspect PMAP-1
class type inspect CMAP-1
inspect
class type inspect pptp-passthru
pass
class class-default
drop
policy-map type inspect PMAP-2
class type inspect pptp-passthru
pass
class class-default
drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect PMAP-1
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect PMAP-2
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key key address 64.32.253.138 no-xauth
!
crypto isakmp client configuration group vpn-group-1
key key
dns 10.1.9.254
wins 10.1.9.254
domain fesnakllp.com
pool vpn_users1
acl 151
netmask 255.255.255.0
crypto isakmp profile VPNclient
match identity group vpn-group-1
!
!
crypto ipsec transform-set sonicwall esp-3des esp-md5-hmac
crypto ipsec transform-set client-tsset esp-3des esp-sha-hmac
!
crypto dynamic-map client-map 1
set transform-set client-tsset
set isakmp-profile VPNclient
reverse-route
!
!
crypto map external-crypto client authentication list external-vpn-users
crypto map external-crypto isakmp authorization list external-vpn-groups
crypto map external-crypto client configuration address respond
crypto map external-crypto 10 ipsec-isakmp
description Tunnel to Sonicwall / 64.32.253.138
set peer 64.32.253.138
set security-association lifetime seconds 86400
set transform-set sonicwall
match address 150
crypto map external-crypto 65535 ipsec-isakmp dynamic client-map
!
!
!
!
!
interface Loopback2
description This is needed for WebVPN address pool
ip address 10.3.1.126 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface GigabitEthernet0/0
description Internal LAN
ip address 10.1.9.251 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly
zone-member security inside
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
interface GigabitEthernet0/1
description Internet via Comcast
ip address 75.151.154.178 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
interface FastEthernet0/0/0
description Internet via Paetec
ip address 199.72.119.2 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security outside
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
ip local pool vpn_users1 10.2.1.1 10.2.1.100
ip local pool webvpn_users 10.3.1.1 10.3.1.100
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 105 interface GigabitEthernet0/1 overload
ip nat inside source route-map nonat-vpn interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 75.151.154.182
ip route 0.0.0.0 0.0.0.0 199.72.119.1 250
ip route 10.2.1.0 255.255.255.0 199.72.119.1 permanent
ip route 10.3.1.0 255.255.255.0 199.72.119.1 permanent
!
ip access-list extended PPTP-PASS-THROUGH
permit gre any any
!
access-list 100 remark NAT policy for this router
access-list 100 remark Deny NAT for packets via VPN
access-list 100 deny ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 100 remark Deny NAT for packets to VPN clients (ippool)
access-list 100 deny ip any host 10.2.1.1
access-list 100 deny ip any host 10.2.1.2
access-list 100 deny ip any host 10.2.1.3
access-list 100 deny ip any host 10.2.1.4
access-list 100 deny ip any host 10.2.1.5
access-list 100 deny ip any host 10.2.1.6
access-list 100 deny ip any host 10.2.1.7
access-list 100 deny ip any host 10.2.1.8
access-list 100 deny ip any host 10.2.1.9
access-list 100 deny ip any host 10.2.1.10
access-list 100 deny ip any host 10.2.1.11
access-list 100 deny ip any host 10.2.1.12
access-list 100 deny ip any host 10.2.1.13
access-list 100 deny ip any host 10.2.1.14
access-list 100 deny ip any host 10.2.1.15
access-list 100 deny ip any host 10.2.1.16
access-list 100 deny ip any host 10.2.1.17
access-list 100 deny ip any host 10.2.1.18
access-list 100 deny ip any host 10.2.1.19
access-list 100 deny ip any host 10.2.1.20
access-list 100 deny ip any host 10.2.1.21
access-list 100 deny ip any host 10.2.1.22
access-list 100 deny ip any host 10.2.1.23
access-list 100 deny ip any host 10.2.1.24
access-list 100 deny ip any host 10.2.1.25
access-list 100 deny ip any host 10.2.1.26
access-list 100 deny ip any host 10.2.1.27
access-list 100 deny ip any host 10.2.1.28
access-list 100 deny ip any host 10.2.1.29
access-list 100 deny ip any host 10.2.1.30
access-list 100 deny ip any host 10.2.1.31
access-list 100 deny ip any host 10.2.1.32
access-list 100 deny ip any host 10.2.1.33
access-list 100 deny ip any host 10.2.1.34
access-list 100 deny ip any host 10.2.1.35
access-list 100 deny ip any host 10.2.1.36
access-list 100 deny ip any host 10.2.1.37
access-list 100 deny ip any host 10.2.1.38
access-list 100 deny ip any host 10.2.1.39
access-list 100 deny ip any host 10.2.1.40
access-list 100 deny ip any host 10.2.1.41
access-list 100 deny ip any host 10.2.1.42
access-list 100 deny ip any host 10.2.1.43
access-list 100 deny ip any host 10.2.1.44
access-list 100 deny ip any host 10.2.1.45
access-list 100 deny ip any host 10.2.1.46
access-list 100 deny ip any host 10.2.1.47
access-list 100 deny ip any host 10.2.1.48
access-list 100 deny ip any host 10.2.1.49
access-list 100 deny ip any host 10.2.1.50
access-list 100 deny ip any host 10.2.1.51
access-list 100 deny ip any host 10.2.1.52
access-list 100 deny ip any host 10.2.1.53
access-list 100 deny ip any host 10.2.1.54
access-list 100 deny ip any host 10.2.1.55
access-list 100 deny ip any host 10.2.1.56
access-list 100 deny ip any host 10.2.1.57
access-list 100 deny ip any host 10.2.1.58
access-list 100 deny ip any host 10.2.1.59
access-list 100 deny ip any host 10.2.1.60
access-list 100 deny ip any host 10.2.1.61
access-list 100 deny ip any host 10.2.1.62
access-list 100 deny ip any host 10.2.1.63
access-list 100 deny ip any host 10.2.1.64
access-list 100 deny ip any host 10.2.1.65
access-list 100 deny ip any host 10.2.1.66
access-list 100 deny ip any host 10.2.1.67
access-list 100 deny ip any host 10.2.1.68
access-list 100 deny ip any host 10.2.1.69
access-list 100 deny ip any host 10.2.1.70
access-list 100 deny ip any host 10.2.1.71
access-list 100 deny ip any host 10.2.1.72
access-list 100 deny ip any host 10.2.1.73
access-list 100 deny ip any host 10.2.1.74
access-list 100 deny ip any host 10.2.1.75
access-list 100 deny ip any host 10.2.1.76
access-list 100 deny ip any host 10.2.1.77
access-list 100 deny ip any host 10.2.1.78
access-list 100 deny ip any host 10.2.1.79
access-list 100 deny ip any host 10.2.1.80
access-list 100 deny ip any host 10.2.1.81
access-list 100 deny ip any host 10.2.1.82
access-list 100 deny ip any host 10.2.1.83
access-list 100 deny ip any host 10.2.1.84
access-list 100 deny ip any host 10.2.1.85
access-list 100 deny ip any host 10.2.1.86
access-list 100 deny ip any host 10.2.1.87
access-list 100 deny ip any host 10.2.1.88
access-list 100 deny ip any host 10.2.1.89
access-list 100 deny ip any host 10.2.1.90
access-list 100 deny ip any host 10.2.1.91
access-list 100 deny ip any host 10.2.1.92
access-list 100 deny ip any host 10.2.1.93
access-list 100 deny ip any host 10.2.1.94
access-list 100 deny ip any host 10.2.1.95
access-list 100 deny ip any host 10.2.1.96
access-list 100 deny ip any host 10.2.1.97
access-list 100 deny ip any host 10.2.1.98
access-list 100 deny ip any host 10.2.1.99
access-list 100 deny ip any host 10.2.1.100
access-list 100 deny ip any host 10.3.1.1
access-list 100 deny ip any host 10.3.1.2
access-list 100 deny ip any host 10.3.1.3
access-list 100 deny ip any host 10.3.1.4
access-list 100 deny ip any host 10.3.1.5
access-list 100 deny ip any host 10.3.1.6
access-list 100 deny ip any host 10.3.1.7
access-list 100 deny ip any host 10.3.1.8
access-list 100 deny ip any host 10.3.1.9
access-list 100 deny ip any host 10.3.1.10
access-list 100 deny ip any host 10.3.1.11
access-list 100 deny ip any host 10.3.1.12
access-list 100 deny ip any host 10.3.1.13
access-list 100 deny ip any host 10.3.1.14
access-list 100 deny ip any host 10.3.1.15
access-list 100 deny ip any host 10.3.1.16
access-list 100 deny ip any host 10.3.1.17
access-list 100 deny ip any host 10.3.1.18
access-list 100 deny ip any host 10.3.1.19
access-list 100 deny ip any host 10.3.1.20
access-list 100 deny ip any host 10.3.1.21
access-list 100 deny ip any host 10.3.1.22
access-list 100 deny ip any host 10.3.1.23
access-list 100 deny ip any host 10.3.1.24
access-list 100 deny ip any host 10.3.1.25
access-list 100 deny ip any host 10.3.1.26
access-list 100 deny ip any host 10.3.1.27
access-list 100 deny ip any host 10.3.1.28
access-list 100 deny ip any host 10.3.1.29
access-list 100 deny ip any host 10.3.1.30
access-list 100 deny ip any host 10.3.1.31
access-list 100 deny ip any host 10.3.1.32
access-list 100 deny ip any host 10.3.1.33
access-list 100 deny ip any host 10.3.1.34
access-list 100 deny ip any host 10.3.1.35
access-list 100 deny ip any host 10.3.1.36
access-list 100 deny ip any host 10.3.1.37
access-list 100 deny ip any host 10.3.1.38
access-list 100 deny ip any host 10.3.1.39
access-list 100 deny ip any host 10.3.1.40
access-list 100 deny ip any host 10.3.1.41
access-list 100 deny ip any host 10.3.1.42
access-list 100 deny ip any host 10.3.1.43
access-list 100 deny ip any host 10.3.1.44
access-list 100 deny ip any host 10.3.1.45
access-list 100 deny ip any host 10.3.1.46
access-list 100 deny ip any host 10.3.1.47
access-list 100 deny ip any host 10.3.1.48
access-list 100 deny ip any host 10.3.1.49
access-list 100 deny ip any host 10.3.1.50
access-list 100 deny ip any host 10.3.1.51
access-list 100 deny ip any host 10.3.1.52
access-list 100 deny ip any host 10.3.1.53
access-list 100 deny ip any host 10.3.1.54
access-list 100 deny ip any host 10.3.1.55
access-list 100 deny ip any host 10.3.1.56
access-list 100 deny ip any host 10.3.1.57
access-list 100 deny ip any host 10.3.1.58
access-list 100 deny ip any host 10.3.1.59
access-list 100 deny ip any host 10.3.1.60
access-list 100 deny ip any host 10.3.1.61
access-list 100 deny ip any host 10.3.1.62
access-list 100 deny ip any host 10.3.1.63
access-list 100 deny ip any host 10.3.1.64
access-list 100 deny ip any host 10.3.1.65
access-list 100 deny ip any host 10.3.1.66
access-list 100 deny ip any host 10.3.1.67
access-list 100 deny ip any host 10.3.1.68
access-list 100 deny ip any host 10.3.1.69
access-list 100 deny ip any host 10.3.1.70
access-list 100 deny ip any host 10.3.1.71
access-list 100 deny ip any host 10.3.1.72
access-list 100 deny ip any host 10.3.1.73
access-list 100 deny ip any host 10.3.1.74
access-list 100 deny ip any host 10.3.1.75
access-list 100 deny ip any host 10.3.1.76
access-list 100 deny ip any host 10.3.1.77
access-list 100 deny ip any host 10.3.1.78
access-list 100 deny ip any host 10.3.1.79
access-list 100 deny ip any host 10.3.1.80
access-list 100 deny ip any host 10.3.1.81
access-list 100 deny ip any host 10.3.1.82
access-list 100 deny ip any host 10.3.1.83
access-list 100 deny ip any host 10.3.1.84
access-list 100 deny ip any host 10.3.1.85
access-list 100 deny ip any host 10.3.1.86
access-list 100 deny ip any host 10.3.1.87
access-list 100 deny ip any host 10.3.1.88
access-list 100 deny ip any host 10.3.1.89
access-list 100 deny ip any host 10.3.1.90
access-list 100 deny ip any host 10.3.1.91
access-list 100 deny ip any host 10.3.1.92
access-list 100 deny ip any host 10.3.1.93
access-list 100 deny ip any host 10.3.1.94
access-list 100 deny ip any host 10.3.1.95
access-list 100 deny ip any host 10.3.1.96
access-list 100 deny ip any host 10.3.1.97
access-list 100 deny ip any host 10.3.1.98
access-list 100 deny ip any host 10.3.1.99
access-list 100 deny ip any host 10.3.1.100
access-list 100 remark NAT everything else
access-list 100 permit ip 10.1.9.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 120 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 150 remark Permit traffic between here and remote LAN via IPSEC
access-list 150 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 151 remark ACL for VPN Client Split Tunneling
access-list 151 permit ip 10.1.9.0 0.0.0.255 any
!
no cdp run
!
!
!
route-map nonat-vpn permit 1
match ip address 100
!
!
radius-server host 10.1.9.254 auth-port 1645 acct-port 1646 key 12345
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway WebVPNGateway
ip address 199.72.119.2 port 443
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-3735527223
inservice
!
webvpn context Default_context
ssl authenticate verify all
!
nbns-list "Windows_Servers"
nbns-server 10.1.9.254 master
!
port-forward "WebVPN_Ports"
local-port 3001 remote-server "10.1.9.254" remote-port 2029 description "MSSQLPROFXENGAGEMENT"
local-port 3002 remote-server "10.1.9.254" remote-port 6735 description "PFXEngDesktopService"
local-port 3003 remote-server "10.1.9.254" remote-port 6736 description "PFXSYNPFTService"
local-port 3004 remote-server "10.1.9.254" remote-port 1434 description "SQL Listening Service"
!
policy group WebVPN_Policy
port-forward "WebVPN_Ports"
nbns-list "Windows_Servers"
functions file-access
functions file-browse
functions file-entry
functions svc-required
svc address-pool "webvpn_users"
svc default-domain "fesnakllp.com"
svc keep-client-installed
svc dpd-interval gateway 30
svc rekey method new-tunnel
svc split include 10.1.9.0 255.255.255.0
svc dns-server primary 10.1.9.254
svc wins-server primary 10.1.9.254
default-group-policy WebVPN_Policy
aaa authentication list external-vpn-users
inservice
!
end
08-16-2010 07:32 PM
I think it's that there are no ports open for the incoming VPN traffic. I can't bring this down a lot to test. Can anyone tell me if I'm on the right track?
Thanks.
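Editor's added example (not from any poster in this thread, and not tested on the poster's hardware): an IOS configuration fragment that addresses the two questions in the thread against the posted 1941 config. It only uses objects that appear in that config (zones inside/outside, PMAP-2, CMAP-1, crypto map external-crypto, ACLs 150/151, the 10.2.1.0/24 and 10.3.1.0/24 pools, the peer 64.32.253.138 and the two ISP next hops); the ACL, class-map and policy-map names NAT-COMCAST, VPN-TO-INSIDE, CMAP-VPN-IN, OUTSIDE-TO-SELF, CMAP-OUT-TO-SELF and PMAP-OUT-TO-SELF are my own invention. It assumes, as the posted config implies, that FastEthernet0/0/0 (ISP#1, 199.72.119.2) is where both the IPsec peer and the WebVPN gateway should terminate. Things worth checking in the posted config before adding anything: the crypto map `external-crypto` is defined but never applied to an interface; FastEthernet0/0/0 is `shutdown`, so the WebVPN gateway address, the floating default route and the pool routes via 199.72.119.1 are all unusable until it is brought up; and NAT list 105 translates everything from 10.0.0.0/8 out the Comcast interface, so LAN-to-remote-LAN packets would be PATed before the crypto ACL could match them.

```cisco
! --- 1. Terminate the VPNs on ISP#1: bring the interface up and bind the crypto map.
interface FastEthernet0/0/0
 no shutdown
 crypto map external-crypto
!
! --- 2. Send IPsec traffic to the L2L peer via ISP#1 while 0.0.0.0/0 stays on Comcast.
!        A /32 host route to the peer is more specific than either default route.
!        (The WebVPN gateway is already bound to 199.72.119.2, so SSL VPN sessions
!        arrive and reply on ISP#1 without any extra routing.)
ip route 64.32.253.138 255.255.255.255 199.72.119.1
!
! --- 3. Keep VPN-bound traffic out of PAT on the Comcast interface. List 105 matches
!        all of 10.0.0.0/8; this replacement exempts the remote LAN and both VPN pools.
ip access-list extended NAT-COMCAST
 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip 10.1.9.0 0.0.0.255 10.2.1.0 0.0.0.255
 deny   ip 10.1.9.0 0.0.0.255 10.3.1.0 0.0.0.255
 permit ip 10.1.9.0 0.0.0.255 any
no ip nat inside source list 105 interface GigabitEthernet0/1 overload
ip nat inside source list NAT-COMCAST interface GigabitEthernet0/1 overload
!
! --- 4. Zone-based firewall, outside -> inside. Decrypted IPsec/SSL VPN packets enter
!        the router on an outside-zone interface and are evaluated by PMAP-2, whose
!        class-default drops them. Match the decrypted flows explicitly and inspect them;
!        class-default remains last, so everything else from outside is still dropped.
ip access-list extended VPN-TO-INSIDE
 permit ip 10.1.10.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.2.1.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.3.1.0 0.0.0.255 10.1.9.0 0.0.0.255
!
class-map type inspect match-all CMAP-VPN-IN
 match access-group name VPN-TO-INSIDE
 match class-map CMAP-1
!
policy-map type inspect PMAP-2
 class type inspect CMAP-VPN-IN
  inspect
!
! --- 5. Optional: restrict what the Internet may send to the router itself.
!        With no self-zone pair, IOS permits all traffic to and from the router, so the
!        VPNs do not need "ports opened" for IKE, ESP or HTTPS. Adding this pair
!        changes that: only the listed services reach the router from the outside zone.
ip access-list extended OUTSIDE-TO-SELF
 permit udp any host 199.72.119.2 eq isakmp
 permit udp any host 199.72.119.2 eq non500-isakmp
 permit esp any host 199.72.119.2
 permit tcp any host 199.72.119.2 eq 443
 permit tcp any host 199.72.119.2 eq 22
 permit tcp any host 75.151.154.178 eq 22
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map type inspect match-all CMAP-OUT-TO-SELF
 match access-group name OUTSIDE-TO-SELF
!
policy-map type inspect PMAP-OUT-TO-SELF
 class type inspect CMAP-OUT-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security outside-to-self source outside destination self
 service-policy type inspect PMAP-OUT-TO-SELF
```

Two caveats on step 5. `pass` is stateless, so replies to traffic the router itself originates (DNS to 68.87.64.150, for example) are not tracked; leaving the self-to-outside direction without a zone pair keeps that direction open, but any inbound reply that is not in OUTSIDE-TO-SELF is dropped and logged, which is how you find what is still missing. Second, once this pair exists, management access from the Internet is limited to what the ACL lists, so verify SSH from a known address before saving. Useful checks after applying the fragment: `show crypto isakmp sa` and `show crypto ipsec sa` to confirm the L2L tunnel negotiates on 199.72.119.2, `show ip route 64.32.253.138` to confirm the peer is reached via ISP#1, and `show policy-map type inspect zone-pair outside-to-inside` to confirm CMAP-VPN-IN is counting the decrypted sessions rather than class-default.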