In one of our remote locations, we have a DSL connection that is not really good (slow bandwidth and goes down a few times). We would like to purchase some other DSL lines and find a way to load-balance those lines. This load balancing will support the IPsec tunnel to our headquarters.
Please consider that we are setting up the IPsec tunnel into a GRE tunnel.
I'm wondering if I can set up the following configuration.
I would like the GRE tunnel to be defined with a fake source address that will be NATed on the outside interface in a load-balanced way to the two or more internet gateways.
Here is the configuration I would like to implement. I just wrote it and did not run it on a device, so there will probably be some syntax errors. Please don't take that into account. I would just like to know if this configuration globally makes sense and will provide us with good reliability for our tunnel traffic.
track timer interface 5
track 123 rtr 1 reachability
 delay down 15 up 10
track 124 rtr 1 reachability
 delay down 15 up 10
!
crypto isakmp key KEY address Remote_IP
!
crypto map WAN 1 ipsec-isakmp
 description GRE Tunnel
 set peer Remote_IP
 set transform-set WANSET
 set pfs group2
 match address 11
!
interface FastEthernet0/0.1
 desc first isp
 ip address A
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.2
 desc second isp
 ip address B
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet1
 description LAN Interface
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Tunnel1
 description GRE tunnel
 ip address 192.168.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1350
 keepalive 10 3
 ! Fake IP that will be NATed
 tunnel source 184.108.40.206
 tunnel destination Remote_IP
 crypto map WAN
!
router eigrp 100
 distribute-list 10 out Tunnel1
!
! Tracking in the ISP 1
ip route 0.0.0.0 0.0.0.0 fa0/0.1 track 123
! Tracking in the ISP 1
ip route 0.0.0.0 0.0.0.0 fa0/0.2 track 124
!
! replace the source interface by the public address of the ISP 1
ip nat inside source route-map nat1 interface FastEthernet0/0.1
! replace the source interface by the public address of the ISP 2
ip nat inside source route-map nat2 interface FastEthernet0/0.2
!
ip sla 1
 icmp-echo gw_isp1 source-interface Fa0/0.1
 timeout 1000
 threshold 40
 frequency 3
!
ip sla 2
 icmp-echo gw_isp2 source-interface Fa0/0.2
 timeout 1000
 threshold 40
 frequency 3
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
access-list 11 permit gre host 220.127.116.11 host Remote_IP
!
route-map nat1 permit 10
 match ip address 11
 match interface Fa0/0.1
!
route-map nat2 permit 10
 match ip address 110
 match interface FastEthernet0/0.2
I'm fully aware that on the other side, I would have to translate again the two public IP addresses that source my tunnel with a NAT one, like on this side.
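An added example, not part of the original post: a small Python cross-reference check run over a constructed excerpt of the configuration posted above. The `lint` function and the excerpt are assumptions made for the illustration; it flags referenced ACLs or IP SLA probes that are not defined, track objects that share one probe, and a tunnel source that the crypto map's ACL does not list.

```python
import re

# Constructed excerpt: only the cross-referenced lines of the posted configuration.
CONFIG = """\
track 123 rtr 1 reachability
track 124 rtr 1 reachability
ip sla 1
ip sla 2
crypto map WAN 1 ipsec-isakmp
 match address 11
interface Tunnel1
 tunnel source 184.108.40.206
access-list 11 permit gre host 220.127.116.11 host Remote_IP
route-map nat1 permit 10
 match ip address 11
route-map nat2 permit 10
 match ip address 110
"""

def lint(config):
    """Return cross-reference findings for an IOS-style configuration text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings, seen = [], {}  # seen: probe id -> first track object using it
    slas = {m.group(1) for ln in lines if (m := re.match(r"ip sla (\d+)$", ln))}
    acls = {}  # ACL number -> source hosts it permits
    for ln in lines:
        if m := re.match(r"access-list (\d+) permit \S+ host (\S+)", ln):
            acls.setdefault(m.group(1), []).append(m.group(2))
    for ln in lines:
        if m := re.match(r"track (\d+) rtr (\d+)", ln):
            track, probe = m.groups()
            if probe not in slas:
                findings.append(f"track {track}: ip sla {probe} is not defined")
            if probe in seen:
                findings.append(f"track {track}: shares ip sla {probe} with track {seen[probe]}")
            seen.setdefault(probe, track)
        if m := re.match(r"match (?:ip )?address (\d+)", ln):
            if m.group(1) not in acls:
                findings.append(f"access-list {m.group(1)} is referenced but not defined")
    # The crypto map uses "match address N"; route-maps use "match ip address N".
    crypto = [m.group(1) for ln in lines if (m := re.match(r"match address (\d+)", ln))]
    srcs = [m.group(1) for ln in lines if (m := re.match(r"tunnel source (\S+)", ln))]
    for acl in crypto:
        for src in srcs:
            if src not in acls.get(acl, []):
                findings.append(f"tunnel source {src} is not a source host in access-list {acl}")
    return findings
```

Calling `lint(CONFIG)` returns one finding per inconsistency in the excerpt; an empty list means every reference resolved.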