04-09-2014 09:12 AM - edited 03-04-2019 10:45 PM
Hi,
I have a production network that I can't take down for maintenance. There is an ASA5505 in site A and a C800 router in site B. There is a leased line between the sites, but the client also has an ADSL line which is currently being used as a backup in case the first link fails. I would like to enable policy based routing so that selected traffic will pass over the ADSL line over a VPN instead of using the leased line. This traffic will have the same destination device at site A but will be from a different subnet. I obviously can't break the network while adding the config, so I would really appreciate it if someone could let me know what config is needed. Here is the current config from the router at site B:
#CMRTR
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CMRTR
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
aaa session-id common
crypto pki token default removal timeout 0
!
no ip source-route
ip cef
!
ip dhcp excluded-address 10.135.135.1
ip dhcp excluded-address 192.168.101.1
ip dhcp excluded-address 10.150.150.1
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool 429
network 10.135.135.0 255.255.255.0
default-router 10.135.135.1
dns-server 8.8.8.8
!
ip dhcp pool 428
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 81.19.56.10 8.8.8.8
!
no ip bootp server
no ip domain lookup
no ipv6 cef
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
object-group network OFF-TRU-LAN
192.168.100.0 255.255.255.0
!
object-group network OFF-TRU-WLAN
192.168.101.0 255.255.255.0
!
controller VDSL 0
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
delay down 1 up 1
!
track 2 ip sla 2 reachability
delay down 1 up 1
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address x.x.x.102
!
crypto ipsec transform-set QU esp-3des esp-md5-hmac
!
crypto map CM-MAP 10 ipsec-isakmp
set peer x.x.x.102
set transform-set QU
match address VPN-L-OFF
!
interface ATM0
description ADSL
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
description $ES_WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pppoe-client dial-pool-number 2
no fair-queue
!
interface FastEthernet0
description TLOC
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.150.150.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.100.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Vlan428
description CM-TRU
ip address 192.168.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Vlan429
description CM-PUB
ip address 10.135.135.1 255.255.255.0
ip access-group 133 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
ip address x.x.x.70 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
no cdp enable
crypto map CM-MAP
!
ip forward-protocol nd
ip http server
ip http access-class 13
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 200 track 2
!
ip access-list standard NAT_ACL
permit 10.135.135.0 0.0.0.255
permit 192.168.101.0 0.0.0.255
permit 192.168.100.0 0.0.0.255
ip access-list standard TEST7
permit 8.8.8.8
permit 8.8.9.9
permit 8.9.9.9
permit 81.19.62.186
!
ip access-list extended VPN-LN-OFF
permit ip object-group OFF-TRU-LAN host x.x.x.7
permit ip object-group OFF-TRU-WLAN host x.x.x.7
!
ip sla 1
icmp-echo 192.168.100.1 source-interface Vlan1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo x.x.x.69 source-interface Dialer0
ip sla schedule 2 life forever start-time now
logging history debugging
logging facility local1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map TRU-NAT permit 10
match ip address NAT_ACL
!
route-map TRU-WLAN-POLICY permit 10
match ip address TRU-WLAN acl_TRU-WLAN
set ip next-hop verify-availability x.x.x.102 1 track 1
set ip next-hop verify-availability 100.100.100.1 2 track 2
!
route-map PUB-WLAN-POLICY permit 10
match ip address acl_PUB-WLAN
set ip next-hop verify-availability 192.168.100.1 2 track 1
!
route-map ADSL-NAT permit 10
match ip address NAT_ACL
!
route-map QU-NAT permit 10
match ip address NAT_ACL
!
line con 0
password 7
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 13 in
exec-timeout 60 0
privilege level 15
password 7
transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500
In order to see what route maps are currently being used I ran the following:
CMRTR#sh route-map
route-map TRU-NAT, permit, sequence 10
Match clauses:
ip address (access-lists): NAT_ACL
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TRU-WLAN-POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): TRU-WLAN acl_TRU-WLAN
Set clauses:
ip next-hop verify-availability x.x.x.102 1 track 1 [up]
ip next-hop verify-availability 100.100.100.1 2 track 2 [up]
Policy routing matches: 0 packets, 0 bytes
route-map PUB-WLAN-POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): acl_PUB-WLAN
Set clauses:
ip next-hop verify-availability 192.168.100.1 2 track 1 [up]
Policy routing matches: 0 packets, 0 bytes
route-map ADSL-NAT, permit, sequence 10
Match clauses:
ip address (access-lists): NAT_ACL
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map QU-NAT, permit, sequence 10
Match clauses:
ip address (access-lists): NAT_ACL
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Am I right to assume that if it shows as up it is in use? I think there is quite a bit that can be cleaned up if it is not being used.
Thanks in advance!
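An added example (not from the post or any reply) of the pieces that policy routing over the ADSL VPN needs on this router. It assumes a new source subnet 192.168.102.0/24 on a new interface Vlan430 and that x.x.x.69 is the far end of the Dialer0 /30; the site-A host x.x.x.7, the peer x.x.x.102 and the track/SLA objects are taken from the posted config.

```cisco
! Added example, not the poster's config. Assumed values are marked.
! Assumed: new subnet 192.168.102.0/24 on Vlan430; x.x.x.69 is the PPP
! far end of Dialer0 (it is the target of the existing ip sla 2).
!
! 1. Interesting traffic: the new subnet to the site-A host.
ip access-list extended PBR-ADSL-VPN
 permit ip 192.168.102.0 0.0.0.255 host x.x.x.7
!
! 2. Policy: steer it to the ADSL far end only while track 2 is up;
!    if the probe fails, the packet falls back to normal routing
!    (the leased-line default route) instead of being dropped.
route-map ADSL-VPN-POLICY permit 10
 match ip address PBR-ADSL-VPN
 set ip next-hop verify-availability x.x.x.69 1 track 2
!
! 3. Bind the policy on the ingress interface of that subnet only.
!    A route-map that is not bound with "ip policy route-map" never
!    policy-routes anything, whatever "show route-map" reports as [up].
interface Vlan430
 description CM-NEW (assumed)
 ip address 192.168.102.1 255.255.255.0
 ip policy route-map ADSL-VPN-POLICY
!
! 4. The crypto ACL must also cover the new flow, or it leaves Dialer0 in
!    clear text. The posted crypto map matches "VPN-L-OFF" while the ACL
!    defined is "VPN-LN-OFF"; the two names have to agree.
ip access-list extended VPN-LN-OFF
 permit ip 192.168.102.0 0.0.0.255 host x.x.x.7
!
! 5. IOS translates inside-to-outside before it encrypts, so traffic that
!    must match the crypto ACL has to be excluded from the Dialer0 PAT.
!    NAT_ACL is a standard ACL and cannot deny by destination, so the
!    NAT route-map needs an extended ACL instead (same applies to the
!    existing VPN subnets in VPN-LN-OFF).
ip access-list extended NAT-ADSL
 deny   ip 192.168.102.0 0.0.0.255 host x.x.x.7
 deny   ip 192.168.100.0 0.0.0.255 host x.x.x.7
 deny   ip 192.168.101.0 0.0.0.255 host x.x.x.7
 permit ip 192.168.102.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.135.135.0 0.0.0.255 any
route-map ADSL-NAT permit 10
 no match ip address NAT_ACL
 match ip address NAT-ADSL
!
! 6. Keep IKE (UDP/500) and ESP to the peer on the ADSL side too;
!    otherwise the leased-line default route carries them.
ip route x.x.x.102 255.255.255.255 Dialer0
```

Once bound, `show route-map ADSL-VPN-POLICY` should show the "Policy routing matches" counters increasing for the new subnet; the `[up]` tag beside a `verify-availability` next hop only reports the tracked object's state, not that the route-map is applied anywhere.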