policy routing and/or NAT with two ISPs, 1 router

jonathan.wilson
Level 1

I have a 2610 router with two Internet connections to different ISPs: a T1 which supports a DMZ, an email gateway, and IPsec tunnels to various sites on our (VPN based) WAN, and a shiny-new ADSL connection.

The ADSL is intended to support redundant IPsec tunnels in case of failure of the T1. I set that up without any trouble. However, it would be a shame (thinks I) to let all that bandwidth sit idle most of the time.

So I set about using policy routing to make this happen.

I have a VLAN with one host on it that I would like to use the DSL to get to the Internet. It can get to the ISP's next-hop router, but cannot go any further. What is going on?

The host I'm trying to get packets out from is 192.168.13.2.

Thanks

Jonathan Wilson

5 Replies

Richard Burts
Hall of Fame

Jonathan

There are a couple of things about your question that are not clear to me. In particular I am not clear whether this host is using a VPN tunnel over the ADSL or if it is clear traffic. Especially if it is VPN it would help to see the crypto maps. And I think it would be important to know to which peer the host is trying to get and how that peer is defined relative to the IPSec parameters.

A second point is that the policy routing that you have configured looks about right for managing normal traffic that comes in on that interface and is routed out some other interface. But if you are dealing with IPSec then you need to alter the path of the IPSec packet which is generated on the router. To Policy Based Route traffic which is originated on the router you would need the ip local policy route-map command.

HTH

Rick


I am indeed using a VPN tunnel over the ADSL, and that's working fine. (Using a static route between IPSec endpoints.) What I would like to do is also route non-IPsec traffic from hosts in the 192.168.13.0 LAN out the ADSL. I cannot change the default route for the router because there are email servers in the DMZ LAN that depend on having a default route that goes to the Internet via serial0/0.

Thanks

Jonathan Wilson

Jonathan

I am somewhat confused. In your original post you said:

I have a VLAN with one host on it, that I would like to use the DSL to get to the Internet. It can get to the ISP's next-hop router, but cannot go any further.

Now this message seems to be saying that the host over the VPN connection is working and your issue is routing non-IPSec traffic over the ADSL. Perhaps you can clarify?

HTH

Rick


I apologize, I was not clear. I am running IPsec tunnels over both s0/0 and the ADSL - no problem. My problem is getting non-IPsec traffic from 192.168.13.0 to use the ADSL.

Thanks,

Jonathan Wilson

Jonathan

Thanks for the clarification. One part of the question I cannot answer based on the part of the configuration that you posted: are you sure that traffic going out the ADSL from source 192.168.13.2 is not processed by IPSec?

I am thinking about part of your original post which says that traffic from the host can get to the provider router but not beyond that point. It would help me to know how you are determining that.

Assuming that it is correct that traffic from that host is not processed by IPSec and that it does get to the provider router but not further, then I would tend to assume that the problem is not so much getting out but is a problem with routes for traffic returning. One good way to test this is to do extended ping on the router. In the extended ping specify the source address as the address on dialer0 (which is what you are translating the host traffic to). I would suggest starting with an extended ping to 68.216.204.66 which the config states is the provider router. If that works then I would try an extended ping to some address a bit further into the Internet. If it does not work then we need to investigate and discover why this is not working. It might also be interesting to see the output from:

show ip route 68.216.204.66

HTH

Rick

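The configuration the thread discusses (policy routing one LAN out the ADSL, NAT on dialer0, the local-policy caveat, and the extended-ping check) put together as an added example; this is not the original poster's config, which was never shown on the page. The subinterface name FastEthernet0/0.13, the LAN gateway address and the 10.0.0.0/8 placeholder for the remote VPN networks are assumptions.

```cisco
! Assumptions (not from the thread): the 192.168.13.0/24 LAN is on
! FastEthernet0/0.13, the T1 is Serial0/0, the ADSL is Dialer0, and
! 10.0.0.0/8 stands in for the remote VPN site networks.
!
! 1. Traffic that must stay inside the IPsec tunnels is excluded from both
!    the PBR match and the NAT translation; otherwise the ADSL path would
!    pull that traffic out of the VPN (Rick's "is it processed by IPSec?").
ip access-list extended LAN13-TO-INTERNET
 deny   ip 192.168.13.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.13.0 0.0.0.255 any
!
! 2. Policy route only that LAN out the ADSL. Everything else keeps the
!    router's default route via Serial0/0, so the DMZ mail servers are
!    unaffected. "set interface" is used because Dialer0 is point-to-point.
route-map LAN13-VIA-ADSL permit 10
 match ip address LAN13-TO-INTERNET
 set interface Dialer0
!
interface FastEthernet0/0.13
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip policy route-map LAN13-VIA-ADSL
!
! 3. Translate the policy-routed traffic to the Dialer0 address. Without
!    this the provider router accepts the packets but replies to
!    192.168.13.x have no return path, which shows up exactly as
!    "reaches the next-hop router but no further".
interface Dialer0
 ip nat outside
!
route-map NAT-ADSL permit 10
 match ip address LAN13-TO-INTERNET
 match interface Dialer0
!
ip nat inside source route-map NAT-ADSL interface Dialer0 overload
!
! 4. Interface PBR never sees packets the router itself generates (ESP to
!    the ADSL IPsec peer). With a static route to that peer, as the thread
!    uses, nothing more is needed; otherwise router-originated traffic
!    needs "ip local policy route-map <name>" instead.
!
! 5. Verification, as Rick suggests: extended ping sourced from Dialer0,
!    first to the provider router, then to something further out.
! Router# ping
! Protocol [ip]:
! Target IP address: 68.216.204.66
! Extended commands [n]: y
! Source address or interface: Dialer0
! Router# show ip route 68.216.204.66
```

`show ip nat translations` after the ping is the quickest way to confirm that the LAN traffic is actually being translated to the Dialer0 address rather than leaving with its private source.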