
2 ISPs with addresses /32 and PPtP Server onboard of Cisco 3825

First of all, excuse me for my bad English, it's not my native language.

A couple of years ago our company replaced our central router, a Cisco 1841, with a more powerful 3825 ISR.

Here is show ver

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(24)T7

This Cisco 3825 contains 2 DIMMs - 256Mb and 512 Mb of RAM onboard.

Now it works with 2 ISPs (take a glance at the PDF picture http://www.intelcom-ug.ru/scheme.pdf or at the attached file). We're using a failover scheme: ISP1, with the statically assigned IP address 85.20.20.20/32 (Dialer 1), is used as the backup link. The ISP2 L2TP link is the main one.

Now our authorities are organizing a remote office with a Cisco 1841. And we are facing a problem: we cannot connect via PPtP from anywhere to 85.20.20.20/32 (Dialer 1). We need some help or advice. The config of the Cisco 3825 is like this:

 

!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
!
hostname CENTRAL-OFFICE
!
boot-start-marker
warm-reboot
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 64000
enable secret 5 HEREISTHESECRETPASSWORD
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authentication ppp vpn-users local
aaa authorization exec default local 
aaa authorization exec vpn-users local 
aaa authorization network vpn-users local 
!
!
aaa session-id common
clock timezone MSK 4
!
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip domain lookup
ip domain name somewhere.net
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
vpdn-group 239
 accept-dialin
  protocol pptp
  virtual-template 100
!
vpdn-group global
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
!
!
password encryption aes
voice-card 0
!
username administrator privilege 15 password 7 737364645252414571
username vpnuser password 7 85956353413120384645373930
archive
 log config
  hidekeys

ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 5
ip tcp path-mtu-discovery
ip ssh version 2
!
l2tp-class beeline
pseudowire-class pw-beeline
 encapsulation l2tpv2
 protocol l2tpv2 beeline
!
buffers tune automatic
!
interface Loopback0
 ip address 10.111.111.111 255.255.255.255
!
interface GigabitEthernet0/0
 description --Our Local Network--
 ip address 192.168.7.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description --Trunk Connection--
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 description --Connection to ISP1 through vlan on our managed switch--
 encapsulation dot1Q 10
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/1.20
 description --Connection to ISP2 through vlan on our managed switch--
 encapsulation dot1Q 20
 ip address dhcp
 ip virtual-reassembly
!
interface Virtual-PPP5
 description --Interface for ISP2--
 ip address negotiated
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1380
 no peer neighbor-route
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 8282828282828
 ppp chap password 7 theSecretForISP2
 pseudowire 10.255.255.242 10 pw-class pw-beeline
!
interface Virtual-Template100
 description --TEMPLATE for incoming PPtP connections of our users--
 ip unnumbered Dialer1
 autodetect encapsulation ppp
 peer default ip address pool for-vpn
 no keepalive
 ppp authentication ms-chap ms-chap-v2 vpn-users
 ppp authorization vpn-users
!
interface Dialer1
 description --Interface for ISP1. PPPoE--
 bandwidth 10240
 ip address negotiated
 ip accounting output-packets
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 load-interval 30
 dialer pool 2
 dialer-group 2
 no fair-queue
 ppp authentication chap callin
 ppp pap sent-username reteretere password 7 PasswordForISP1
!
ip local policy route-map External_VPN
ip local pool for-vpn 172.16.135.1 172.16.135.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 100 track 1
ip route 0.0.0.0 0.0.0.0 Virtual-PPP5 track 2
ip route 192.168.239.0 255.255.255.0 172.16.135.1 name C1841-Rossiyskaya70
ip route 194.87.0.8 255.255.255.255 Dialer1
ip route 194.87.0.9 255.255.255.255 Virtual-PPP5
ip route 10.255.255.242 255.255.255.255 dhcp
ip route 10.255.255.247 255.255.255.255 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map Beeline interface Virtual-PPP5 overload
ip nat inside source route-map UTK interface Dialer1 overload
!
!
! This access-list is for local Network proxy
ip access-list standard fwd-squid
 permit 192.168.7.100
 permit 192.168.7.0 0.0.0.255
!
! This access-list is for ip local policy
ip access-list extended External_VPN_access
 permit tcp host 85.20.20.20 eq 1723 any
 permit tcp host 85.20.20.20 eq 22 any
 permit tcp host 85.20.20.20 eq telnet any
 permit icmp host 85.20.20.20 any echo-reply
!
!
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 194.87.0.8 source-interface Dialer1
 timeout 7000
 threshold 100
 frequency 15
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type immediate action-type triggerOnly
!
!
track 2 ip sla 2 reachability
ip sla 2
 icmp-echo 194.87.0.9 source-interface Virtual-PPP5
 timeout 7000
 threshold 400
 frequency 15
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 2 react timeout threshold-type immediate action-type triggerOnly
!
!
access-list 1 remark --SNMP Watching--
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.7.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
route-map External_VPN permit 10
 match ip address External_VPN_access
 set default interface Dialer1
!
route-map UTK permit 10
 match ip address 100
 match interface Dialer1
!         
route-map Beeline permit 10
 match ip address 100
 match interface Virtual-PPP5
!
!
snmp-server community public RO 1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
line vty 5 15
!
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp update-calendar
ntp peer 194.33.84.1
event manager applet nat_clear_isp1 
 event track 1 state any
 action 1 wait 5
 action 2 cli command "enable"
 action 3 cli command "clear ip nat translation *"
event manager applet nat_clear_isp2 
 event track 2 state any
 action 1 wait 5
 action 2 cli command "enable"
 action 3 cli command "clear ip nat translation *"
!
end

_____________________________ With respect, Sergey Sokolov
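
An added example, not part of the original post: a simplified Python matcher that runs the post's External_VPN_access entries over constructed router-originated packets, to show which ones match route-map External_VPN (and so get `set default interface Dialer1`) and which fall through to the normal routing table. PPTP uses TCP 1723 for control and GRE (IP protocol 47) for the tunneled data; the packet dictionaries and the matcher itself are assumptions for illustration and cover only the entry forms used in this ACL.

```python
# Added example: evaluate the post's External_VPN_access entries against
# constructed router-originated packets. Simplified matcher, not IOS itself.
ACL = """\
permit tcp host 85.20.20.20 eq 1723 any
permit tcp host 85.20.20.20 eq 22 any
permit tcp host 85.20.20.20 eq telnet any
permit icmp host 85.20.20.20 any echo-reply
"""
PORT_NAMES = {"telnet": 23}

def parse_entry(line):
    """Parse 'permit <proto> host <src> [eq <port>] any [<icmp-type>]'."""
    tok = line.split()
    if tok[0] != "permit" or tok[2] != "host":
        raise ValueError("unsupported entry: " + line)
    entry = {"proto": tok[1], "src": tok[3], "sport": None, "icmp": None}
    rest = tok[4:]
    if rest[:1] == ["eq"]:
        p = rest[1]
        entry["sport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        rest = rest[2:]
    if rest[:1] != ["any"]:
        raise ValueError("unsupported destination: " + line)
    if len(rest) > 1:
        entry["icmp"] = rest[1]
    return entry

ENTRIES = [parse_entry(l) for l in ACL.splitlines()]

def policy_routed(pkt):
    """True if a router-originated packet matches route-map External_VPN."""
    for e in ENTRIES:
        if (e["proto"] == pkt["proto"] and e["src"] == pkt["src"]
                and e["sport"] in (None, pkt.get("sport"))
                and e["icmp"] in (None, pkt.get("icmp"))):
            return True
    return False  # implicit deny: packet follows the normal routing table

# Constructed sample packets sourced from the PPTP server address.
SAMPLES = {
    "pptp-control": {"proto": "tcp", "src": "85.20.20.20", "sport": 1723},
    "pptp-gre":     {"proto": "gre", "src": "85.20.20.20"},
    "ssh-reply":    {"proto": "tcp", "src": "85.20.20.20", "sport": 22},
    "echo-reply":   {"proto": "icmp", "src": "85.20.20.20", "icmp": "echo-reply"},
    "echo-request": {"proto": "icmp", "src": "85.20.20.20", "icmp": "echo"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", "Dialer1 (policy)" if policy_routed(pkt) else "routing table")
```

On these samples the PPTP control reply matches the route-map, while the GRE packet from the same address does not and is forwarded according to whichever tracked default route is installed.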