Adding Second Peer IP to a Cisco 881 router

Hello Experts, please I need some help. I have an ASA 5505 firewall in my HQ doing failover (2 ISPs, dual homing); I also have a remote site running on a Cisco 881 router.
Now I have the 881 connecting well to the HQ on the primary ISP IP (say 1.1.1.1), but each time there's a failover at the HQ and the backup ISP kicks in (say on IP 2.2.2.2), the remote site loses the VPN access.
I need to make the IPSec VPN on the 881 site redundant so that if ISP 1 goes down on the ASA (HQ) site, the remote site users (881) can detect it and also start sending VPN traffic to the HQ using the backup IP.

HQ (ASA): ISP1 --1.1.1.1 --------------------------   4.4.4.4 -Remote(881)
                    ISP2 --2.2.2.2  ??????????????   

 

Above is a sketch; the "?" means I want the 4.4.4.4 site to also be able to use 2.2.2.2 if 1.1.1.1 goes down.

Thank you in advance.

sotiris_pafitis
Level 1

Can you please post configuration of the remote site.

 

Thanks.

Hello Sotiris,

thank you for responding;

this is the config for the remote (Router 881) site:


crypto pki certificate chain TP-self-signed-2039955482
ip source-route
!
!
!
ip dhcp excluded-address 192.168.40.1 192.168.40.100
!
ip dhcp pool CAV_LAN
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 192.168.10.5 192.168.40.5
 lease 3
!
!
ip cef
ip flow-cache timeout active 1
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ171593US
!
!

!
!
!
!
!
class-map match-any SHAPING_1
 description bandwidth mgt
 match access-group 119
class-map match-any Internet_Sites
 match protocol http host "*youtube*"
 match protocol http host "*footytube*"
 match protocol http host "*badoo*"
 match protocol http host "*twitter*"
 match protocol http host "*thepiratebay*"
 match protocol http host "*movies*"
 match protocol http host "*atdhenet*"
 match protocol http host "*naijapals*"
 match protocol http host "*cnn*"
 match protocol http host "*aljazeera*"
 match protocol http host "*livestation*"
 match protocol http host "*soccernet.espn.go*"
 match protocol http host "*grooveshark*"
 match protocol http host "*orbit.innoshock*"
 match protocol http host "*channelstv*"
 match protocol http host "*eztv.it*"
 match protocol http host "*torrentz.en*"
 match protocol http host "*watchseries*"
 match protocol http host "*facebook.com*"
 match protocol http host "*liveway.tv*"
!
!
policy-map Restricted_Internet_Access
 class Internet_Sites
  drop
policy-map BANDWITH-RESTRICT
 class SHAPING_1
  police cir 256000
   exceed-action drop
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 41.x.y.z
crypto isakmp key ******** address 80.a.b.c.d
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map ALL_CRYPTO_MAP 1 ipsec-isakmp
 description IKEJA MAIN
 set peer 41.x.y.z
 set peer 80.a.b.c.d
 set security-association idle-time 60
 set transform-set ESP-3DES-SHA
 match address 105
!
!
!
!
!
interface Loopback0
 no ip address

!
interface FastEthernet0
 switchport mode trunk
 no ip address
 load-interval 30
 duplex full
!
interface FastEthernet1
 switchport mode trunk
 bandwidth 256
 no ip address
 load-interval 30
 service-policy input BANDWITH-RESTRICT
 service-policy output BANDWITH-RESTRICT
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 bandwidth 256
 no ip address
 load-interval 30
 service-policy input BANDWITH-RESTRICT
 service-policy output BANDWITH-RESTRICT
!
interface FastEthernet4
 description Connection to WAN
 ip address 41.184.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map ALL_CRYPTO_MAP
!
interface FastEthernet4.1
 no cdp enable
!
interface Vlan1
 description LAN INTERFACE 
 ip address 192.168.40.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 service-policy input Restricted_Internet_Access
!
interface Vlan20
 bandwidth 256000
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
router rip
 network 10.0.0.0
 network 192.168.40.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source Vlan1
ip flow-export version 9
ip flow-export destination 192.168.40.10 9999
!
ip nat inside source static tcp 192.168.40.6 3306 interface FastEthernet4 3306
ip nat inside source static tcp 192.168.40.6 2322 interface FastEthernet4 2322
ip nat inside source static tcp 192.168.40.6 2112 interface FastEthernet4 2112
ip nat inside source static tcp 192.168.40.6 10000 interface FastEthernet4 10000
ip nat inside source static tcp 192.168.40.6 10001 interface FastEthernet4 10001
ip nat inside source static tcp 192.168.40.6 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.40.13 21 interface FastEthernet4 21
ip nat inside source static udp 192.168.40.13 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.40.13 20 interface FastEthernet4 20
ip nat inside source static udp 192.168.40.13 20 interface FastEthernet4 20
ip nat inside source route-map NONAT_IPSEC_ADDRESS interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 41.184.q.r

access-list 105 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.40.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map NONAT_IPSEC_ADDRESS permit 10
 match ip address 110
thank you again in advance.

Hi Leonard,

I can't see anything wrong with this config; can you please post the ASA config as well, so I can have a complete picture.

 

Thanks

 

Many thanks once again, here is the ASA side config. I am sorry I have to blur out some IPs (for security, please).

: Saved
:
ASA Version 8.4(3) 
!
hostname CavatonIKEA
enable password Irs79CWHG5.fi1VE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 duplex full
!
interface Ethernet0/1
 switchport access vlan 15
!
interface Ethernet0/2
 switchport monitor Ethernet0/1 
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 backup interface Vlan15
 nameif outside
 security-level 0
 ip address 41.x.y.z 255.255.255.248 ---------> Primary ISP
!
interface Vlan15
 nameif Failover
 security-level 0
 ip address 80.a.b.c.d 255.255.255.248 ------------->backup ISP
!
regex domainlist1 "facebook.com"
regex domainlist2 "twitter.com"
regex domainlist3 "badoo.com"
regex domainlist4 "footytube.com"
regex domainlist5 "naijapals.com"
regex domainlist6 "piratebay.org"
regex domainlist7 "atdhenet.tv"
regex domainlist8 "movies.com"
regex domainlist9 "movies.net"
regex domainlist10 "cnn.com"
regex domainlist11 "bbc.com"
regex domainlist12 "thepiratebay.org"
regex domainlist13 "movieshark.com"


ftp mode passive
clock timezone WAT 1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.48.0_24
 subnet 192.168.48.0 255.255.255.0
object network NETWORK_OBJ_192.168.101.0_25
 subnet 192.168.101.0 255.255.255.128
object network NETWORK_OBJ_192.168.2.8
 host 192.168.2.8
object network NETWORK_OBJ_192.168.11.0_24
 subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_192.168.12.0_24
 subnet 192.168.12.0 255.255.255.0
object network 3389
 host 192.168.10.3
 description 3389      
object network Youtube.com
 host 209.85.148.91
object network naijapals.com
 host 69.64.65.4
object network atdthenet.tv
 host 88.80.11.29
object network movies.net
 host 69.64.155.10
object network bbc.com
 host 212.58.224.138
object network cnn.com
 host 157.166.255.18
object network movies.com
 host 216.178.161.244
object network piratebay.org
 host 194.71.107.15
object network cnn.com.1
 host 157.166.226.25
object network movies.com.1
 host 93.158.110.242
object network movies.net.1
 host 209.85.148.91
object network NETWORK_OBJ_192.168.40.0_24
 subnet 192.168.40.0 255.255.255.0
object network badoo.com
 host 77.67.1.39
object network badoo.com.1
 host 87.245.192.35
object network footytube.com
 host 174.129.253.150
object network movies.com.2
 host 83.151.132.113
object network movies.com.3
 host 83.151.132.104
object network twitter.com
 host 199.59.149.230
object network twitter.com.1
 host 199.59.148.10
object network twitter.com.2
 host 199.59.148.82
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
object network 2322
 host 192.168.10.6
 description 2322
object network 80
 host 192.168.10.6
 description 80
object network 3306
 host 192.168.10.6
 description 3306
object network 192.168.70.0
 subnet 192.168.70.0 255.255.255.0
object network facebook.com
 host 69.171.242.54
object network failover
 subnet 0.0.0.0 0.0.0.0
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description HQ NETWORK
object-group network Blocked
 description Blocked
 network-object object naijapals.com
 network-object object atdthenet.tv
 network-object object movies.net
 network-object object bbc.com
 network-object object cnn.com
 network-object object movies.com
 network-object object piratebay.org
 network-object object cnn.com.1
 network-object object movies.com.1
 network-object object movies.net.1
 network-object object badoo.com
 network-object object badoo.com.1
 network-object object footytube.com
 network-object object movies.com.2
 network-object object movies.com.3
 network-object object twitter.com
 network-object object twitter.com.1
 network-object object twitter.com.2
 network-object object facebook.com
 network-object object Youtube.com
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended deny ip host 212.68.224.138 any inactive 
access-list outside_access_in extended permit ip any any 
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.48.0 255.255.255.0 
access-list Nigeria-IKEA_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0 
access-list inside_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any object-group Blocked 
access-list inside_access_in extended permit ip any any 
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0 
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list inside_mpc extended permit object-group DM_INLINE_PROTOCOL_1 any any eq www 
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 object 192.168.70.0 
access-list Failover_access_in extended permit ip any any 
access-list Failover_access_in extended permit ip object NETWORK_OBJ_192.168.10.0_24 192.168.40.0 255.255.255.0 inactive 
access-list outside_cryptomap_4 extended permit ip 192.168.10.0 255.255.255.0 object 192.168.1.0 
access-list outside_cryptomap_5 extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational

mtu inside 1500
mtu outside 1500
mtu Failover 1500
ip local pool POOL 192.168.101.10-192.168.101.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.48.0_24 NETWORK_OBJ_192.168.48.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.101.0_25 NETWORK_OBJ_192.168.101.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.2.8 NETWORK_OBJ_192.168.2.8 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.12.0_24 NETWORK_OBJ_192.168.12.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static 192.168.70.0 192.168.70.0 no-proxy-arp route-lookup
nat (inside,Failover) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.12.0_24 NETWORK_OBJ_192.168.12.0_24 no-proxy-arp route-lookup
nat (inside,Failover) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static 192.168.1.0 192.168.1.0
!
object network obj_any
 nat (inside,outside) dynamic interface
object network 3389
 nat (any,outside) static interface service tcp 3389 3389 
object network 2322
 nat (any,outside) static interface service tcp 2322 2322 
object network 80
 nat (any,outside) static interface service tcp www www 
object network 3306
 nat (any,outside) static interface service tcp 3306 3306 
object network failover
 nat (any,Failover) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Failover_access_in in interface Failover
route outside 0.0.0.0 0.0.0.0 41.184.i.j 128 track 1
route Failover 0.0.0.0 0.0.0.0 80.248.e.f
timeout xlate 1:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable 4433
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 41.184.x.x ----------> 881 side peer ID
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer 41.184.y.y 
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 match address outside_cryptomap_2
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer 197.H.H.H 197.G.G.G
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 62.173.F.F 
crypto map outside_map 5 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_cryptomap_1
crypto map outside_map 6 set peer 41.216.K.K 
crypto map outside_map 6 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 6 set nat-t-disable
crypto map outside_map 7 match address outside_cryptomap_4
crypto map outside_map 7 set peer 80.248.J.J 
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set nat-t-disable
crypto map outside_map 8 match address outside_cryptomap_5
crypto map outside_map 8 set peer 197.K.K.K 
crypto map outside_map 8 set ikev1 transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map interface Failover
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 enable Failover
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 192.168.10.5 interface inside
dhcpd lease 259200 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_41.73.230.17 internal
group-policy GroupPolicy_41.73.230.17 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_41.73.226.136 internal
group-policy GroupPolicy_41.73.226.136 attributes
 vpn-tunnel-protocol ikev1 ikev2 
group-policy GroupPolicy_195.24.217.254 internal
group-policy GroupPolicy_195.24.217.254 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_80.248.J.J  internal
group-policy GroupPolicy_80.248.J.J  attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_41.73.239.80 internal
group-policy GroupPolicy_41.73.239.80 attributes
 vpn-tunnel-protocol ikev1 
group-policy Nigeria-IKEA internal
group-policy Nigeria-IKEA attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nigeria-IKEA_splitTunnelAcl
username cava password zYEMNTkYbNaEawft encrypted privilege 15
username centex password 0avj4QAh6zcPkEh9 encrypted privilege 15
username root password RxYtFI.j8c3JPmCW encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Nigeria-IKEA type remote-access
tunnel-group Nigeria-IKEA general-attributes
 address-pool POOL
 default-group-policy Nigeria-IKEA
tunnel-group Nigeria-IKEA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group peer 41.184.y.y type ipsec-l2l
tunnel-group peer 41.184.y.y ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 197.K.K.K  type ipsec-l2l
tunnel-group 197.K.K.K  ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 41.184.x.x type ipsec-l2l  -------------->881 side
tunnel-group 41.184.x.x ipsec-attributes ----------->881 side

 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 62.173.F.F  type ipsec-l2l
tunnel-group 62.173.F.F  ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 41.216.K.K type ipsec-l2l
tunnel-group 41.216.K.K ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 80.248.J.J  type ipsec-l2l
tunnel-group 80.248.J.J  ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 197.H.H.H type ipsec-l2l
tunnel-group 197.H.H.H ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map type regex match-any URLBlockList
 match regex domainlist10
 match regex domainlist12
 match regex domainlist11
 match regex domainlist13
 match regex domainlist1
 match regex domainlist3
 match regex domainlist2
 match regex domainlist5
 match regex domainlist4
 match regex domainlist7
 match regex domainlist6
 match regex domainlist9
 match regex domainlist8
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class URLBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map global-policy
 class class-default
  user-statistics accounting
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy 
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:7e1fcc718d594c34d13a27ef60a1993c
: end
thank you again for your time.

Hi Leonard, my pleasure,

When on the backup link, do you see MM_ACTIVE in the output of the command sh crypto isakmp sa?

Hello Sotiris,

below is the output of the command from the 881 side:

sh crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
80.a.b.cd     41.184.X.X  QM_IDLE           2037 ACTIVE

IPv6 Crypto ISAKMP SA


Furthermore, I just made a discovery: I did a trace with the packet tracer animation while on the backup to 192.168.40.5, and it showed that the packet is being dropped due to a configured NAT rule:

object network failover
 nat (any,Failover) dynamic interface

I then removed the above config and the tunnel from the 881 side came up! I.e. it connected and brought up the VPN with the backup IP. But now the issue is that the HQ users can no longer access the internet. They can reach any remote site via the tunnel but can't access the internet (8.8.8.8 or yahoo.com) -----request timed out.

Any ideas why?

Hello, I think I have found the solution; I ran through the NAT rules and found that this was missing for the 881 site LAN:

nat (inside,Failover) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp route-lookup


I put it in the config and it works!!!

Thank you for your time Sotiris.... I will update this page with the working config so that anyone with this same problem can use it.
I will do that by Monday when I am 100% sure there is no other problem and all my circuits are fine.

Yeeeppieeeeeeeeeee!!!!

Good Job :)

Hi Buddy,

Everything works perfectly fine; all other sites have now been integrated as well.

All configs above are live and correct for those who may want to use the template; just make sure the NAT rules are also defined for the failover IP, i.e. nat (inside,Failover) source static .........

Thanks Sotiris again for working with me on this..... Much regards.
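As an added example (not from this thread, the poster, or Cisco), the rule the thread arrives at, "every interface a crypto map is bound to needs its own identity NAT rule for each crypto ACL entry", written as a small Python audit over an ASA configuration. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, the inside interface name "inside" is assumed, and only subnet objects and mask-style crypto ACLs are handled.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ASA config posted in this thread (not the
# poster's full config): the crypto map is bound to both ISP interfaces, but the
# identity NAT rule for the 192.168.40.0/24 spoke exists only towards "outside".
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.40.0_24
 subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.12.0_24
 subnet 192.168.12.0 255.255.255.0
object network failover
 subnet 0.0.0.0 0.0.0.0
 nat (any,Failover) dynamic interface
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.12.0_24 NETWORK_OBJ_192.168.12.0_24 no-proxy-arp route-lookup
nat (inside,Failover) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.12.0_24 NETWORK_OBJ_192.168.12.0_24 no-proxy-arp route-lookup
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 4 match address outside_cryptomap_2
crypto map outside_map interface outside
crypto map outside_map interface Failover
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
# Manual identity NAT (section 1): "nat (in,out) source static X X destination static Y Y"
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4\b")
CM_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
CM_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse_config(text):
    """Collect subnet objects, crypto ACL entries, identity NAT rules and the
    crypto-map bindings (ACLs per map, interfaces per map)."""
    objects, acls = {}, defaultdict(set)
    nat_exempt, cm_acls, cm_ifcs = set(), defaultdict(list), defaultdict(list)
    current_obj = None
    for line in text.splitlines():
        if not line.startswith(" "):      # any top-level line ends an object body
            current_obj = None
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
        elif current_obj and (m := SUBNET_RE.match(line)):
            objects[current_obj] = (m.group(1), m.group(2))
        elif m := ACL_RE.match(line):
            acls[m.group(1)].add(((m.group(2), m.group(3)), (m.group(4), m.group(5))))
        elif m := NAT_RE.match(line):
            nat_exempt.add((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := CM_ACL_RE.match(line):
            cm_acls[m.group(1)].append(m.group(2))
        elif m := CM_IF_RE.match(line):
            cm_ifcs[m.group(1)].append(m.group(2))
    return objects, acls, nat_exempt, cm_acls, cm_ifcs


def audit_nat_exemptions(text, inside_ifc="inside"):
    """For each crypto-map ACL entry and each interface the map is applied to,
    require an identity NAT rule (inside_ifc, that interface) for the same
    source/destination pair. Without it the interface's dynamic PAT rewrites
    the traffic before the crypto ACL can match, which is the drop the thread's
    packet-tracer run showed. Returns one finding per missing rule, with a fix."""
    objects, acls, nat_exempt, cm_acls, cm_ifcs = parse_config(text)
    by_subnet = {v: k for k, v in objects.items()}
    covered = {(out, objects[s], objects[d]) for inn, out, s, d in nat_exempt
               if inn == inside_ifc and s in objects and d in objects}
    findings = []
    for cmap, acl_names in cm_acls.items():
        for ifc in cm_ifcs.get(cmap, []):
            for acl in acl_names:
                for src, dst in sorted(acls.get(acl, ())):
                    if (ifc, src, dst) in covered:
                        continue
                    s_obj = by_subnet.get(src, f"<object for {'/'.join(src)}>")
                    d_obj = by_subnet.get(dst, f"<object for {'/'.join(dst)}>")
                    findings.append({
                        "interface": ifc, "acl": acl,
                        "src": "/".join(src), "dst": "/".join(dst),
                        "fix": (f"nat ({inside_ifc},{ifc}) source static {s_obj} {s_obj} "
                                f"destination static {d_obj} {d_obj} no-proxy-arp route-lookup"),
                    })
    return findings
```

Running audit_nat_exemptions(SAMPLE_CONFIG) reports exactly the Failover rule for 192.168.40.0/24 that the thread found missing, and reports nothing once that rule is appended.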
This discussion has been reposted from Top Contributors to the WAN, Routing and Switching community.