Internet over 3G Failover VPN connection

Good afternoon,

Trying to solve/figure out the best way to solve a problem. I have several branches connected back to our operations facility via MPLS and 2800 series platforms. I am testing utilizing a 3G Verizon HWIC for failover and have been successful in gaining access to all internal resources over the VPN connection using ip sla and tracking and connecting to our ASAs.

What I would like to do is be able to use our corporate Internet when a branch is on the failover connection. I would like to stay away from split tunneling. So the layout is this:

user pc --> switch --> router --> 3g hwic --> ipsec tunnel --> asa --> public internet

Here is the consolidated router config. Thanks for any help.

version 12.4
service pad to-xot
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname 14th_Street
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp network local-case
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
network-clock-participate wic 1
network-clock-select 1 T1 0/1/0
!
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.121.1 192.168.121.99
ip dhcp excluded-address 192.168.121.200 192.168.121.254
ip dhcp excluded-address 192.168.221.1 192.168.221.99
ip dhcp excluded-address 192.168.221.200 192.168.221.254
!
ip dhcp pool Voice
   network 192.168.121.0 255.255.255.0
   option 150 ip 10.101.90.6
   default-router 192.168.121.254
!
ip dhcp pool Data
   network 192.168.221.0 255.255.255.0
   default-router 192.168.221.254
   dns-server 10.1.90.189 10.5.100.30
!
!
no ip bootp server
no ip domain lookup
ip domain name XXXXXXXXXX
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"
!
!        
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
fax protocol pass-through g711ulaw
no fax-relay sg3-to-g3
h323
modem passthrough nse codec g711ulaw
sip
  header-passing error-passthru
   outbound-proxy ipv4:XXX.XXX.XXX.XXX
  early-offer forced
  midcall-signaling passthru
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
!        
voice class h323 1
h225 timeout tcp establish 3
!
!
!
!
!
!
!
!
!
!
!
voice translation-rule 1
rule 1 // // type any international
!
voice translation-rule 3
rule 1 /^8/ //
!
!
voice translation-profile International
translate called 1
!        
voice translation-profile OutboundRedirecting
translate called 3
!
!
voice-card 0
no dspfarm
dsp services dspfarm
!
!
!
!
!
username
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXX address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set CellFOSet esp-3des esp-sha-hmac
!
crypto map CellFOMap 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set security-association lifetime seconds 86400
set transform-set CellFOSet
match address 100
!
!
!
controller T1 0/1/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 0 timeslots 1-24
!
ip tftp source-interface FastEthernet0/0.1
!
track 1 ip sla 1 reachability
!
class-map match-all VOICE
match ip dscp ef
class-map match-any VOICE-CTRL
match ip dscp af31
match ip dscp cs3
!
!
policy-map WAN-EDGE
class VOICE
    priority 384
  set ip dscp ef
class VOICE-CTRL
  set ip dscp af21
    bandwidth 32
class class-default
    fair-queue
  set ip dscp default
!
!
!
!
!
interface Loopback0
ip address 192.168.222.21 255.255.255.255
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.222.21
!
interface FastEthernet0/0
description Physical Interface for Data VLAN 10 and Voice VLAN 20
no ip address
ip flow ingress
ip pim sparse-dense-mode
no ip route-cache cef
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Interface to Data VLAN 10
encapsulation dot1Q 10
ip address 192.168.221.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.2
description Interface to Voice VLAN 20
encapsulation dot1Q 20
ip address 192.168.121.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
no cdp enable
!
interface FastEthernet0/1
description Unused port
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string cdma
dialer-group 1
async mode interactive
ppp chap hostname XXXXXXXXXXXX.com
ppp chap password
ppp ipcp dns request
crypto map CellFOMap
!
interface Serial0/1/0:0
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip flow ingress
ip flow egress
encapsulation ppp
service-policy output WAN-EDGE
!
router bgp
no synchronization
bgp log-neighbor-changes
bgp suppress-inactive
network XXX.XXX.XXX.XXX
network XXX.XXX.XXX.XXX
network XXX.XXX.XXX.XXX
network 192.168.222.21 mask 255.255.255.255
neighbor XXX.XXX.XXX.XXX remote-as
default-information originate
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/1/0:0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
no ip http server
no ip http secure-server
!
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 10.1.90.25 2055
!
ip nat inside source list 110 interface Cellular0/0/0 overload
!
ip access-list standard MON_SNMP_RO
permit XXX.XXX.XXX.XXX
permit XXX.XXX.XXX.XXX
permit XXX.XXX.XXX.XXX
permit XXX.XXX.XXX.XXX
!
ip radius source-interface FastEthernet0/0.1
ip sla 1
icmp-echo 169.130.27.81
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
logging trap notifications
logging 10.1.90.167
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.6.0.0 0.0.255.255
dialer-list 1 protocol ip list 100
snmp-server community Rtr1927 RO
snmp-server enable traps tty
!
!
!
!
<<<<<<<=========== Truncated VoIP Info ===========>>>>>>>>>>
!
!

!
line con 0
line aux 0
line 0/0/0
script dialer cdma
modem InOut
no exec
transport input all
transport output all
rxspeed 3100000
txspeed 1800000
line vty 0 4
transport input telnet
line vty 5 15
transport input telnet
!
scheduler allocate 20000 1000
ntp server 10.1.99.5
end
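
Added example, not part of the original post: a small Python model of how the posted ACL 100 (crypto map match) and ACL 110 (NAT) treat a flow routed out Cellular0/0/0. It shows that, as written, only the four 10.x destinations are encrypted and Internet-bound traffic is neither tunneled nor translated. `FULL_TUNNEL_100` is a hypothetical crypto ACL entry for the no-split-tunnel design (an assumption; the ASA would need a mirrored ACL and Internet NAT for the branch subnet, which the post does not show).

```python
import ipaddress

# ACL lines copied from the posted config. FULL_TUNNEL_100 is a hypothetical
# extra crypto ACL entry (assumption, not from the post).
POSTED = """\
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 192.168.221.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 110 deny   ip 192.168.221.0 0.0.0.255 10.6.0.0 0.0.255.255
"""
FULL_TUNNEL_100 = "access-list 100 permit ip 192.168.221.0 0.0.0.255 any\n"

def _spec(tokens):
    """Consume one address spec ('any' or 'A WILDCARD'); return (spec, rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return (addr, wild), tokens[2:]

def parse(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[3] == "ip":
            src, rest = _spec(t[4:])
            dst, _ = _spec(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(ip, spec):
    # Wildcard bits set to 1 are "don't care" bits.
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def acl_permits(entries, src, dst):
    """First match wins; every ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False

def classify(acls, src, dst):
    """IOS translates inside-to-outside traffic before the crypto map check."""
    if acl_permits(acls.get("110", []), src, dst):
        return "nat-clear"  # source rewritten, so it no longer matches ACL 100
    return "ipsec" if acl_permits(acls.get("100", []), src, dst) else "clear-no-nat"
```

Because ACL 110 contains only deny entries, its implicit deny means the `ip nat inside source list 110` rule never translates anything, which is why the model reports Internet-bound flows as `clear-no-nat`.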
