06-08-2009 04:21 AM - edited 03-04-2019 05:01 AM
Using a Cisco 877 router with ADSL connectivity, a backup connection is needed. A 3G (cellular) device is available, capable of setting up an IPsec VPN, and offering an ethernet port for connecting the (backup) port of the 877 router.
Neither the ADSL (on the 877 router) nor the cellular (on the 3G device) have fixed IP addresses assigned to them by the ADSL/3G service providers.
The main site has a fixed IP address, both on its connection to the internet and on a (dedicated) connection to the 3G provider.
The purpose is
- create an IPsec VPN on the ADSL interface (over the internet) to the main site
- route all traffic over the IPsec VPN on the ADSL interface
- route all traffic over the ethernet port to the 3G (cellular) device if the main site is not accessible via the ADSL interface.
How can I proceed ?
06-08-2009 12:42 PM
Hello Paul,
let's think about the components:
routing
nat
ipsec
a) routing
you can use a floating static route for the secondary link
ip route 0.0.0.0 0.0.0.0 Vlan2 200
(this is specific to the 877, which uses SVIs like a switch)
200 is the AD.
the primary default route can be tracked using object tracking.
see
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
ip route 0.0.0.0 0.0.0.0 dialer1 track 122
you need a probe and the document describes how to configure it depending on your IOS version.
if the probe or IP SLA fails the primary default route is removed from the routing table.
b) NAT
you can use nat overload combined with a route map that checks the outgoing interface
example:
LAN interface: 10.10.10.0/24
! deny traffic that will be sent over
! the ipsec tunnel; it doesn't need to be NATted
access-list 111 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
route-map nat_primary permit 10
 match ip address 111
 match interface dialer1
route-map nat_secondary permit 10
 match ip address 111
 match interface Vlan2
you need two statements in global config
ip nat inside source route-map nat_primary overload
ip nat inside source route-map nat_secondary overload
internal lan needs
ip nat inside
external interfaces require
ip nat outside
c) ipsec
you need to configure the crypto map under dialer1
traffic that has to be encrypted is the same that is not NATted
access-list 112 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key pwd1 address HQ-address1
crypto ipsec transform-set VPN-ADSL esp-3des esp-md5-hmac
!
crypto map VPN_MAP local-address dialer1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer HQ-address1
 set transform-set VPN-ADSL
 match address 112
!
this is only a trace for the ipsec part: notice that you probably need a second crypto map for the backup link.
Hope to help
Giuseppe
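The tracking part that Giuseppe refers to the Cisco document for, written out as an added example (this is not configuration from Giuseppe's post or from the linked document). It assumes an IOS image with the `ip sla` command set (12.4 and later; 12.3-era images express the same objects as `ip sla monitor 1` with `type echo protocol ipIcmpEcho`, and the track as `track 122 rtr 1 reachability`). `HQ-address1` is the placeholder the thread already uses for the main site's fixed internet address; `Dialer1` and `Vlan2` are the interfaces named in the answer.

```cisco
! Added example: IP SLA probe + object tracking for the primary (ADSL) default
! route on a Cisco 877. HQ-address1 is a placeholder for the HQ peer's fixed IP.
!
! Probe: ICMP echo to the HQ IPsec peer, sourced from the ADSL dialer, every 10 s.
! Probing the peer itself (rather than the ISP gateway) means failover is driven
! by whether the tunnel endpoint is reachable, not just by the ADSL line being up.
ip sla 1
 icmp-echo HQ-address1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 122 follows the probe's reachability state. The delays damp
! flapping: declare the path down only after 15 s of lost probes, and require
! 30 s of successful probes before restoring it.
track 122 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to Dialer1 with a host route. Without it, once the primary
! default route is withdrawn the probe would travel over Vlan2 (3G), succeed,
! bring the track back up and make the default route flap between the two links.
ip route HQ-address1 255.255.255.255 Dialer1
!
! Primary default route, installed only while track 122 is up.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 122
! Floating static route via the 3G device on Vlan2 (AD 200, so it only wins
! once the tracked route has been removed).
ip route 0.0.0.0 0.0.0.0 Vlan2 200
!
! Useful checks while tuning the timers:
!   show track 122            (Reachability is Up / Down, and the last change)
!   show ip sla statistics 1  (probe success and RTT counters)
!   show ip route 0.0.0.0     (which interface the default route currently uses)
```

The host route for the probe target is the part most often forgotten: with it in place, the HQ internet address is always reached via ADSL (which is also where the ADSL crypto map peers with it), so the 3G path is used only for the floating default and, as Giuseppe notes, would need its own crypto map or the 3G device's own VPN to reach the main site's 3G-side address.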
06-09-2009 06:08 AM
My problem was rather the tracking part as I have never done it.
It'll take some time to adjust the parameters, but I'm confident we'll get there.
Thank you
Paul