Cisco Support Community
1941 Dual Wan + Nat + VPN

Hello,

I've got some issues with a router config.

We have two PPPoE WAN connections with static IPs.

Normal Internet access with NAT should go through DSL-1 (failover to DSL-2).

Static NAT (port forwards) and our RAS VPN should work on both external IPs.

Two site-to-site VPNs should go over DSL-2 (failover to DSL-1).

Here is my config so far:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa group server radius sdm-vpn-server-group-1
 server 192.168.100.5 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name xxxxxx.de
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
...
redundancy
!
ip scp server enable
!
track 1 ip sla 1
 delay down 5 up 2
!
track 2 ip sla 2
 delay down 5 up 2
!
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key dummy address Site1-IP
crypto isakmp xauth timeout 10
!
crypto isakmp client configuration group RAS_VPN_1
 key udfgdfg
 pool SDM_POOL_1
 acl 150
 max-users 30
 netmask 255.255.255.192
!
crypto isakmp client configuration group RAS_VPN_2
 key asdfasdfsdf
 pool SDM_POOL_2
 acl 151
 max-users 30
 netmask 255.255.255.192
!
crypto isakmp profile ciscocp-ike-profile-1
   match identity group RAS_VPN_1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
   match identity group RAS_VPN_2
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
crypto ipsec transform-set RAS_VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 description RAS VPN 1
 set security-association idle-time 3600
 set transform-set RAS_VPN
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 description RAS VPN 2
 set security-association idle-time 3600
 set transform-set RAS_VPN
 set isakmp-profile ciscocp-ike-profile-2
!
!--- VPN: Site-to-Site
crypto ipsec transform-set VPN esp-aes 256 esp-sha512-hmac
!
crypto map D1_Site 10 ipsec-isakmp
 set peer Site1_ip
 set transform-set VPN
 match address VPN_1
crypto map D1_Site 20 ipsec-isakmp
 set peer Site1_ip
 set transform-set VPN
 match address VPN_2
!
!--- Interface Configuration
interface Loopback0
 ip address 192.168.230.1 255.255.255.192
!
interface Loopback1
 ip address 172.20.230.1 255.255.255.192
!
interface GigabitEthernet0/0
 description green
 no ip address
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description LAN
 encapsulation dot1Q 2 native
 ip address 192.168.100.2 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 description WI orange
 no ip address
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description LAN 2
 encapsulation dot1Q 1 native
 ip address 172.20.100.2 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
!
interface FastEthernet0/0/0
 description DSL-1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/1
 description DSL-2
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Virtual-Template1 type tunnel
 description RAS-VPN 1
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
 description RAS-VPN 2
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dialer1
 description DSL-1 (VDSL)
 ip address negotiated
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 crypto map D1_Site
!
interface Dialer2
 description DSL-2 (T-DSL)
 ip address negotiated
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 crypto map D1_Site
!
ip local pool SDM_POOL_1 192.168.230.34 192.168.230.62
ip local pool SDM_POOL_2 172.20.230.34 172.20.230.62
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-port 10443
ip http timeout-policy idle 60 life 86400 requests 10000
!
!--- DNS Server
ip dns server
!
!--- NAT
ip nat inside source route-map NAT_DSL-1 interface Dialer1 overload
ip nat inside source route-map NAT_DSL-2 interface Dialer2 overload
!
!--- NAT Access-Lists
access-list 100 remark -= Outgoing NAT -> DSL-1 =-
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark -= Outgoing NAT -> DSL-2 =-
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!--- Policy-Based-Routing Access-List
access-list 110 remark -= PBR 1 =-
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
!
!--- Routing
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
!
!--- VPN Access-Lists
ip access-list extended VPN_1
 permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended VPN_2
 permit ip 172.20.100.0 0.0.0.255 172.20.110.0 0.0.0.255
!
access-list 150 remark -= RAS VPN 1 =-
access-list 150 remark CCP_ACL Category=4
access-list 150 permit ip 192.168.100.0 0.0.0.255 any
access-list 151 remark -= RAS VPN 2 =-
access-list 151 remark CCP_ACL Category=4
access-list 151 permit ip 172.20.100.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!--- Route Maps
route-map NAT_DSL-1 permit
 match ip address 100
 match interface Dialer1
!
route-map NAT_DSL-2 permit
 match ip address 101
 match interface Dialer2
!
route-map PBR permit 10
 match ip address 110
 set interface Dialer 1
route-map PBR permit 20
 match ip address 110
 set interface Dialer 2
!
ip radius source-interface GigabitEthernet0/0.1
!
ip sla 1
 icmp-echo Dialer1_ip
 tag Check DSL-1
 threshold 300
 timeout 500
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo Dialer2_ip
 tag Check DSL-2
 threshold 300
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
!
radius-server host 192.168.100.5 auth-port 1645 acct-port 1646 timeout 10 key xxxxx
....
end

My problems start very early: sometimes I'm not able to ping anything outside. Have you got some suggestions for me?
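As an added example (not the poster's config and not Cisco-supplied), here is how the failover part of this design is usually built on IOS 15.x with tracked static routes, reusing only the interface, track and ACL names from the post: Dialer1 is the primary default route and Dialer2 a floating backup, each probe is pinned to its own dialer, and the site-to-site peer is steered the other way round. It assumes 8.8.8.8 and 8.8.4.4 (the post's name-servers) as probe targets and keeps Site1-IP as the post's placeholder for the remote peer address.

```ios
!--- Pin each probe target to one dialer with an untracked host route, so
!--- probe 1 really measures DSL-1 and probe 2 really measures DSL-2. Do not
!--- track these routes: a tracked host route would vanish when the line
!--- fails and the probe could never see it come back.
ip route 8.8.8.8 255.255.255.255 Dialer1
ip route 8.8.4.4 255.255.255.255 Dialer2
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer1
 threshold 300
 timeout 500
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface Dialer2
 threshold 300
 timeout 500
 frequency 5
ip sla schedule 2 life forever start-time now
!
!--- "reachability" keeps the track up on a slow (over-threshold) reply;
!--- plain state tracking would flap the default route on a slow line.
track 1 ip sla 1 reachability
 delay down 5 up 2
track 2 ip sla 2 reachability
 delay down 5 up 2
!
!--- Internet: Dialer1 primary (AD 1), Dialer2 floating backup (AD 250).
!--- Two default routes with the same AD are both installed and the
!--- traffic is load-shared, which is not a primary/backup setup.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 250 track 2
!
!--- Site-to-site peer (Site1-IP = the post's placeholder): prefer Dialer2,
!--- fall back to Dialer1. The crypto map stays on both dialers as posted,
!--- so IKE/IPsec follows whichever of these two routes is active.
ip route Site1-IP 255.255.255.255 Dialer2 track 2
ip route Site1-IP 255.255.255.255 Dialer1 250 track 1
!
!--- Verify after a line failure and after recovery:
!---   show track brief
!---   show ip sla statistics
!---   show ip route 0.0.0.0
```

With primary/backup default routes in place, the LAN policy route-map is no longer needed for plain Internet traffic; note that in the posted route-map PBR, entry 20 is never reached because entry 10 already matches the same ACL 110 for every packet.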
