Yes now there are 2511 with HDSL and ISDN backup, but not VPN.

So you are going to install the 887 routers, and keep the existing ISDN setup?

Do you run a dynamic routing protocol over the ISDN?

Are the ISDN lines always up, or are they activated with interesting traffic?

Thanks Andrew,

>So you are going to install the 887 routers, and keep the existing ISDN setup?

No, really I can change the existing ISDN setup, is not a must maintain it, now isdn backup is used only to ensure a web/mail, but then I have to ensure VoIP.

>Do you run a dynamic routing protocol over the ISDN?

What do you it mean?

>Are the ISDN lines always up, or are they activated with interesting traffic?

No not alway up, I need isdn backup start with all type of traffic only if ADSL goes down.

I made a config but I'm not sure it works:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
group 2
crypto isakmp key pwdVPN address 222.222.222.222
!
!
crypto ipsec transform-set ESP-AES128-SHA ah-sha-hmac esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 222.222.222.222
set peer 222.222.222.222
set transform-set ESP-AES128-SHA
match address 103
!
!
interface BRI0
no ip address
encapsulation ppp
no ip route-cache
dialer pool-member 1
isdn switch-type basic-net3
isdn termination multidrop
isdn point-to-point-setup
!
interface ATM0
backup delay 10 30
backup interface Dialer0
no ip address
no ip route-cache
no atm ilmi-keepalive
service-policy output CCP-QoS-Policy-1
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$
ip address 88.88.88.88 255.255.255.252
ip access-group 100 in
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly
no ip route-cache
crypto map SDM_CMAP_1
pvc 8/35
  encapsulation aal5snap
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface Vlan100
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 100 in
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 180
dialer string 0000000000
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user1
ppp chap password pwduser1
ppp pap sent-username user1 password pwduser1
no cdp enable
crypto map SDM_CMAP_1
service-policy output CCP-QoS-Policy-1
!
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 0.0.0.0 0.0.0.0 Dialer0 100
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 104 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 104 permit ip 192.168.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!

!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
route-map SDM_RMAP_2 permit 1
match ip address 104

Thank a lot

Augusto

Looks OK - try it out and test it.

HTH>