2 ISPs, 1 2811 Router, Internet access to LAN, VPN access to VLANs

femi.agboade · ‎06-01-2012

Hello,

I have an issue I would like to seek help with. I have 2 ISPs terminating on 2 FE ports on my 2811 router.

ISP1 had always been here, used for the following:

Internet access to LAN users
Internet access with public IP mapping to servers in different security zones (VLANS)
Site to Site VPN tunnels to 3rd party partners
Remote VPN access to 3rd party partners

We recently got a second ISP, mainly for the following:

Internet access and public IP mapping to servers on seperate security zones (VLANS)
Site to Site VPN tunnels to 3rd party partners as above, but different hosts

So far, ISP1 and all the above service have worked based on the config below. However, having added ISP2, I have not been able to successfully create the site-to-site VPN tunnels. I keep getting some sort of routing error issue. I am already thinking of moving all my VPN access to the new ISP, but that would be after a while as I need to resolve this particular issue urgently.

I would greatly appreciate any feedback and recommendation on this issue.

version 12.4

!

ip source-route

!

ip cef

!

ip name-server 4.2.2.2

ip name-server 137.65.1.1

ip inspect WAAS enable

no ipv6 cef

!

isdn switch-type primary-qsig

!

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 5

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxx address 4.190.1.25

crypto isakmp key xxxxx address 4.164.7.170

crypto isakmp key xxxxx address 4.58.130.130

crypto isakmp key xxxxx address 1.46.241.129

!

crypto isakmp client configuration group TR

key xxxxx

pool SDM_POOL_1

acl 101

max-users 2

!

crypto isakmp client configuration group EN

key xxxxx

pool SDM_POOL_2

max-users 2

crypto isakmp profile ciscocp-ike-profile-1

match identity group TR

client authentication list ciscocp_vpn_xauth_ml_1

isakmp authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-template 1

crypto isakmp profile ciscocp-ike-profile-2

match identity group EN

client authentication list ciscocp_vpn_xauth_ml_2

isakmp authorization list ciscocp_vpn_group_ml_2

client configuration address respond

virtual-template 2

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set NI esp-3des esp-md5-hmac

crypto ipsec transform-set ET esp-3des esp-sha-hmac

crypto ipsec transform-set AT esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 21600

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

crypto ipsec profile CiscoCP_Profile2

set transform-set ESP-3DES-SHA1

set isakmp-profile ciscocp-ike-profile-2

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description VPN Tunnel to ET on 4.190.1.25

set peer 4.190.1.25

set transform-set ET

match address ET

crypto map SDM_CMAP_1 2 ipsec-isakmp

description VPN Tunnel to AT on 1.46.241.129

set peer 1.46.241.129

set transform-set AT

match address AT

crypto map SDM_CMAP_1 3 ipsec-isakmp

description VPN Tunnel to NI on 4.58.130.130

set peer 4.58.130.130

set transform-set NI

set pfs group5

match address NI

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description PROD VPN Tunnel to NI

set peer 4.58.130.130

set transform-set NI

set pfs group5

match address NI_PROD

!

interface Loopback1

ip address 2.173.40.203 255.255.255.255

!

interface Loopback3

ip address 2.173.42.81 255.255.255.255

!

interface Loopback10

ip address 2.173.42.91 255.255.255.255

!

interface FastEthernet0/0

description LAN_UAT_INTERFACE

no ip address

ip flow ingress

duplex auto

speed auto

!

interface FastEthernet0/0.100

description VOICE VLAN ZONE$ETH-LAN$

encapsulation dot1Q 100

ip address 10.1.1.1 255.255.255.0

ip helper-address 172.16.0.101

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.200

description DATA VLAN ZONE$ETH-LAN$

encapsulation dot1Q 200

ip address 172.16.0.1 255.255.254.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.300

description UAT_DMZ_ZONE

encapsulation dot1Q 300

ip address 192.168.100.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.400

description UAT_SECURE_ZONE

encapsulation dot1Q 400

ip address 10.135.17.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.500

description UAT_INTCON_ZONE

encapsulation dot1Q 500

ip address 172.30.50.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description ISP1 WAN INTERFACE$ETH-WAN$

ip address 2.173.42.66 255.255.255.252

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

auto discovery qos

crypto map SDM_CMAP_1

!

interface FastEthernet0/0/0

!

interface FastEthernet0/0/1

!

interface FastEthernet0/0/2

!

interface FastEthernet0/0/3

!

interface FastEthernet0/2/0

description ISP2_WAN_INTERFACE

ip address 8.248.12.94 255.255.255.192

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

auto discovery qos

crypto map SDM_CMAP_2

!

interface FastEthernet0/2/1

description PROD_INTERFACE

no ip address

ip flow ingress

duplex auto

speed auto

!

interface FastEthernet0/2/1.601

description PROD_DMZ_ZONE

encapsulation dot1Q 601

ip address 192.168.255.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/2/1.602

description PROD_SECURE_ZONE

encapsulation dot1Q 602

ip address 10.149.57.1 255.255.255.0

ip flow ingress

ip virtual-reassembly

!

interface FastEthernet0/2/1.603

description PROD_INTCON_ZONE

encapsulation dot1Q 603

ip address 172.19.205.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/0.500

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Virtual-Template2 type tunnel

ip unnumbered FastEthernet0/0.500

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile2

!

interface Vlan1

no ip address

!

ip local pool SDM_POOL_1 172.30.50.11 172.30.50.12

ip local pool SDM_POOL_2 172.30.50.13 172.30.50.14

ip forward-protocol nd

!

ip route 0.0.0.0 0.0.0.0 2.173.42.65

!

ip flow-cache timeout active 1

ip flow-export source FastEthernet0/0

ip flow-export version 5

ip flow-export destination 172.16.1.2 9996

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 1

!

ip nat inside source static tcp 172.16.0.105 80 interface FastEthernet0/1 80

ip nat inside source static tcp 172.16.0.105 8080 interface FastEthernet0/1 8080

ip nat inside source list 100 interface Loopback10 overload

ip nat inside source static 192.168.100.4 2.173.40.202 route-map NoNAT

ip nat inside source static tcp 192.168.100.2 80 2.173.42.80 80 extendable

ip nat inside source static tcp 192.168.100.2 81 2.173.42.80 81 extendable

ip nat inside source static tcp 192.168.100.2 443 2.173.42.80 443 extendable

ip nat inside source static tcp 192.168.100.2 8080 2.173.42.80 8080 extendable

ip nat inside source static tcp 192.168.100.2 8443 2.173.42.80 8443 extendable

ip nat inside source static 172.30.50.2 2.173.42.81 route-map NoNAT reversible

ip nat inside source static 172.16.0.106 2.173.42.82 extendable

ip nat inside source static 192.168.100.5 2.173.42.83 route-map NoNAT

ip nat inside source static tcp 192.168.255.71 80 8.248.12.95 80 extendable

ip nat inside source static tcp 192.168.255.71 81 8.248.12.95 81 extendable

ip nat inside source static tcp 192.168.255.71 443 8.248.12.95 443 extendable

ip nat inside source static tcp 192.168.255.71 8080 8.248.12.95 8080 extendable

ip nat inside source static tcp 192.168.255.71 8443 8.248.12.95 8443 extendable

!

ip access-list extended AT

permit ip host 2.173.42.83 host 1.46.241.75

permit ip host 2.173.42.83 host 1.46.241.76

permit ip host 2.173.42.83 host 1.46.241.77

permit ip host 2.173.42.83 host 1.46.241.82

permit ip host 2.173.42.83 host 1.46.241.45

permit ip host 2.173.42.83 host 1.46.241.18

ip access-list extended ET

permit ip host 192.168.100.4 host 10.71.128.47

permit ip host 192.168.100.4 host 10.71.128.83

permit ip host 192.168.100.5 host 10.71.128.47

permit ip host 192.168.100.5 host 10.71.128.83

ip access-list extended NI

permit ip host 172.30.50.2 host 41.58.130.138

ip access-list extended NI_PROD

permit ip host 172.19.205.31 host 41.58.130.134

ip access-list extended NoNAT

deny ip host 192.168.100.4 host 10.71.128.47

deny ip host 192.168.100.4 host 10.71.128.83

deny ip host 172.30.50.2 host 4.58.130.138

permit ip host 192.168.100.4 any

permit ip host 172.30.50.2 any

permit ip host 192.168.100.5 any

!

access-list 23 remark Access List Restricting Router's http access to only the IP Phones

access-list 23 permit 10.1.1.0 0.0.0.255

access-list 23 permit 172.16.0.0 0.0.1.255

access-list 100 remark CCP_ACL Category=18

access-list 100 permit ip host 172.16.0.86 any

access-list 100 permit ip 172.16.0.0 0.0.1.255 any

access-list 100 permit tcp 172.16.0.0 0.0.1.255 any

access-list 100 permit udp any host 172.16.0.1 eq non500-isakmp

access-list 100 permit udp any host 172.16.0.1 eq isakmp

access-list 100 permit esp any host 172.16.0.1

access-list 100 permit ahp any host 172.16.0.1

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit udp 172.16.0.0 0.0.1.255 any

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

access-list 100 permit tcp 10.1.1.0 0.0.0.255 any

access-list 100 permit udp 10.1.1.0 0.0.0.255 any

access-list 100 permit ip 10.135.17.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 172.30.50.0 0.0.0.255 any

access-list 110 permit ip 172.16.0.0 0.0.1.255 any

access-list 111 permit tcp any host 192.168.100.2

access-list 111 permit tcp any host 192.168.255.71

access-list 112 permit tcp any host 192.168.100.4 eq 20010

access-list 112 permit tcp any host 192.168.100.4 eq 22

access-list 119 permit ip any any

!

route-map NoNAT permit 10

match ip address NoNAT

!

Whenver I try to establish a tunnel on SDM_CMAP_2 and run a test using CCP, I get 2 failure reasons:

1. The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto map interface - 4.58.130.130

2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - 4.58.130.134

Please note that the tunnels on SDM_CMAP_1 are all active

Do I need to include a default route for the second ISP on the router? If so, how do I get this done? When I tried it, I had loops on the user LAN segment of the network.

Regards,

Femi

Tagir Temirgaliyev · ‎06-01-2012

Hi

you need BGP to both providers, also provider independent network and AS

femi.agboade · ‎06-01-2012

Hello,

Thanks for the feedback. I am not very strong in routing, do you mind explaining a bit more in detail how to achieve setting up BGP to both ISPs, and all the other suggestions you made?

Regards,

Femi

femi.agboade · ‎06-13-2012

Hello,

So i finally got this to work using IP VRF. Below is the config applied:

ip vrf PROD_INTCON

rd 100:1

route-target export 100:1

route-target import 100:1

!

ip vrf ISP2

rd 101:1

route-target export 101:1

route-target import 101:1

!

crypto keyring NI2-keyring vrf ISP2

pre-shared-key address a.b.130.130 key xxxxx

!

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 5

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

!

crypto isakmp profile NI2-profile

vrf PROD_INTCON

keyring NI2-keyring

match identity address a.b.130.130 255.255.255.255 ISP2

isakmp authorization list default

!

crypto ipsec transform-set NI2set esp-3des esp-md5-hmac

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description PROD VPN Tunnel to NI2

set peer a.b.130.130

set transform-set NI2set

set pfs group5

set isakmp-profile NI2-profile

match address NI2_ACL

reverse-route

!

interface FastEthernet0/2/0

ip vrf forwarding ISP2

ip address z.y.12.94 255.255.255.192

crypto map SDM_CMAP_2

!

interface FastEthernet0/2/1.603

description PROD_INTCON_ZONE

encapsulation dot1Q 603

ip vrf forwarding PROD_INTCON

ip address 172.19.205.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly

!

ip route vrf ISP2 0.0.0.0 0.0.0.0 z.y.12.65

ip route vrf PROD_INTCON a.b.130.134 255.255.255.255 FastEthernet0/2/0 z.y.12.65

!

ip access-list extended NI2_ACL

permit ip host 172.19.205.31 host a.b.130.134

!

Hope it helps someone. More info about IP VRF here:

https://supportforums.cisco.com/docs/DOC-13524

Regards,

Femi

Jean-Luc OURMET · ‎06-19-2012

Hello,

I have a similar config working with specific route to the peers

if you had a command :

ip route 4.58.130.130 255.255.255.255 interface FastEthernet0/2/0

then your tunnel should shows up.

But when I looked to your config, I see this peer linked to the 2 Crypto map. I am not sure you can do load balancng like this between 2 ISP for VPN Connections.

Jean-Luc

femi.agboade · ‎06-23-2012

Hello Jean-Luc,

Thank you for your comment.

The thing is that I have 2 VPNs originiating from my router to that 4.58.130.130 peer IP. The 2 VPNs are for different environments on my network. And both VPNs are going through different ISPs as I had stated. Adding the command you have suggested will force all traffic to that peer IP over the FE0/2/0 interface which isnt what I want.

Also, I do not intend to do load balancing on both ISPs. They are for two different environments like I said and will not be shared between those environments.

Regards,

Femi