Cisco Support Community

New Member

wan failover with vpn

Hello all,

I have a question about a merged configuration which I attempted to get working recently with no luck. Our organization has a 1841 router which is its primary router to ISP#1. This was a T1 connection which was being overworked by all of our Internet traffic. We bought a 1941 with an Ethernet card giving it 3 Ethernet interfaces. This 1941 router is connected to ISP#2 (Comcast). The 1841 has WebVPN config and a L2L VPN to another office. We want to retire the 1841 and just use the 1941 connected to both networks. When I tried to paste in the parts of the 1841 config into the 1941 all was ok from the Internet access perspective, but the VPNs do not function anymore. I also used a zone based firewall config on the 1941. Which traffic do I need to allow in for the L2L and SSL VPNs to work? I also set up a floating static route for the router to failover to ISP#1 (Comcast link is the primary) if the Comcast link goes down. The VPN traffic was set up to go out ISP#1; how do I make the VPN traffic go out to ISP#1 but keep the default route set to Comcast (ISP#2)? Sorry for the long post.

3 REPLIES
New Member

Re: wan failover with vpn

If you post your configs (minus any passwords) you'll probably get someone to help you.

New Member

Re: wan failover with vpn

Here is the config of the 1941:

!
! Last configuration change at 20:51:24 UTC Fri Aug 13 2010 by user
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login external-vpn-users local group radius
aaa authentication login webvpn local
aaa authorization exec default local
aaa authorization network external-vpn-groups local
aaa authorization network external-vpn-users group radius local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name domain.com
ip name-server 68.87.64.150
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3735527223
 enrollment selfsigned
 ip-address 199.72.119.2
 subject-name cn=IOS-Self-Signed-Certificate-3735527223
 revocation-check none
 rsakeypair TP-self-signed-3735527223
!
!
crypto pki certificate chain TP-self-signed-3735527223
 certificate self-signed 01
  quit
license udi pid CISCO1941/K9 sn serial #
!
!
username user privilege 15 secret 5 passwd
!
redundancy
!
!
!
class-map type inspect match-any CMAP-1
 match protocol tcp
 match protocol icmp
 match protocol udp
class-map type inspect match-all pptp-passthru
 match access-group name PPTP-PASS-THROUGH
!
!
policy-map type inspect PMAP-1
 class type inspect CMAP-1
  inspect
 class type inspect pptp-passthru
  pass
 class class-default
  drop
policy-map type inspect PMAP-2
 class type inspect pptp-passthru
  pass
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PMAP-1
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect PMAP-2
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key address 64.32.253.138 no-xauth
!
crypto isakmp client configuration group vpn-group-1
 key key
 dns 10.1.9.254
 wins 10.1.9.254
 domain fesnakllp.com
 pool vpn_users1
 acl 151
 netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group vpn-group-1
!
!
crypto ipsec transform-set sonicwall esp-3des esp-md5-hmac
crypto ipsec transform-set client-tsset esp-3des esp-sha-hmac
!
crypto dynamic-map client-map 1
 set transform-set client-tsset
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map external-crypto client authentication list external-vpn-users
crypto map external-crypto isakmp authorization list external-vpn-groups
crypto map external-crypto client configuration address respond
crypto map external-crypto 10 ipsec-isakmp
 description Tunnel to Sonicwall / 64.32.253.138
 set peer 64.32.253.138
 set security-association lifetime seconds 86400
 set transform-set sonicwall
 match address 150
crypto map external-crypto 65535 ipsec-isakmp dynamic client-map
!
!
!
!
!
interface Loopback2
 description This is needed for WebVPN address pool
 ip address 10.3.1.126 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface GigabitEthernet0/0
 description Internal LAN
 ip address 10.1.9.251 255.255.255.0
 ip mask-reply
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
!
interface GigabitEthernet0/1
 description Internet via Comcast
 ip address 75.151.154.178 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
!
interface FastEthernet0/0/0
 description Internet via Paetec
 ip address 199.72.119.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
!
ip local pool vpn_users1 10.2.1.1 10.2.1.100
ip local pool webvpn_users 10.3.1.1 10.3.1.100
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 105 interface GigabitEthernet0/1 overload
ip nat inside source route-map nonat-vpn interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 75.151.154.182
ip route 0.0.0.0 0.0.0.0 199.72.119.1 250
ip route 10.2.1.0 255.255.255.0 199.72.119.1 permanent
ip route 10.3.1.0 255.255.255.0 199.72.119.1 permanent
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
!
access-list 100 remark NAT policy for this router
access-list 100 remark Deny NAT for packets via VPN
access-list 100 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 100 remark Deny NAT for packets to VPN clients (ippool)
access-list 100 deny   ip any host 10.2.1.1
access-list 100 deny   ip any host 10.2.1.2
access-list 100 deny   ip any host 10.2.1.3
access-list 100 deny   ip any host 10.2.1.4
access-list 100 deny   ip any host 10.2.1.5
access-list 100 deny   ip any host 10.2.1.6
access-list 100 deny   ip any host 10.2.1.7
access-list 100 deny   ip any host 10.2.1.8
access-list 100 deny   ip any host 10.2.1.9
access-list 100 deny   ip any host 10.2.1.10
access-list 100 deny   ip any host 10.2.1.11
access-list 100 deny   ip any host 10.2.1.12
access-list 100 deny   ip any host 10.2.1.13
access-list 100 deny   ip any host 10.2.1.14
access-list 100 deny   ip any host 10.2.1.15
access-list 100 deny   ip any host 10.2.1.16
access-list 100 deny   ip any host 10.2.1.17
access-list 100 deny   ip any host 10.2.1.18
access-list 100 deny   ip any host 10.2.1.19
access-list 100 deny   ip any host 10.2.1.20
access-list 100 deny   ip any host 10.2.1.21
access-list 100 deny   ip any host 10.2.1.22
access-list 100 deny   ip any host 10.2.1.23
access-list 100 deny   ip any host 10.2.1.24
access-list 100 deny   ip any host 10.2.1.25
access-list 100 deny   ip any host 10.2.1.26
access-list 100 deny   ip any host 10.2.1.27
access-list 100 deny   ip any host 10.2.1.28
access-list 100 deny   ip any host 10.2.1.29
access-list 100 deny   ip any host 10.2.1.30
access-list 100 deny   ip any host 10.2.1.31
access-list 100 deny   ip any host 10.2.1.32
access-list 100 deny   ip any host 10.2.1.33
access-list 100 deny   ip any host 10.2.1.34
access-list 100 deny   ip any host 10.2.1.35
access-list 100 deny   ip any host 10.2.1.36
access-list 100 deny   ip any host 10.2.1.37
access-list 100 deny   ip any host 10.2.1.38
access-list 100 deny   ip any host 10.2.1.39
access-list 100 deny   ip any host 10.2.1.40
access-list 100 deny   ip any host 10.2.1.41
access-list 100 deny   ip any host 10.2.1.42
access-list 100 deny   ip any host 10.2.1.43
access-list 100 deny   ip any host 10.2.1.44
access-list 100 deny   ip any host 10.2.1.45
access-list 100 deny   ip any host 10.2.1.46
access-list 100 deny   ip any host 10.2.1.47
access-list 100 deny   ip any host 10.2.1.48
access-list 100 deny   ip any host 10.2.1.49
access-list 100 deny   ip any host 10.2.1.50
access-list 100 deny   ip any host 10.2.1.51
access-list 100 deny   ip any host 10.2.1.52
access-list 100 deny   ip any host 10.2.1.53
access-list 100 deny   ip any host 10.2.1.54
access-list 100 deny   ip any host 10.2.1.55
access-list 100 deny   ip any host 10.2.1.56
access-list 100 deny   ip any host 10.2.1.57
access-list 100 deny   ip any host 10.2.1.58
access-list 100 deny   ip any host 10.2.1.59
access-list 100 deny   ip any host 10.2.1.60
access-list 100 deny   ip any host 10.2.1.61
access-list 100 deny   ip any host 10.2.1.62
access-list 100 deny   ip any host 10.2.1.63
access-list 100 deny   ip any host 10.2.1.64
access-list 100 deny   ip any host 10.2.1.65
access-list 100 deny   ip any host 10.2.1.66
access-list 100 deny   ip any host 10.2.1.67
access-list 100 deny   ip any host 10.2.1.68
access-list 100 deny   ip any host 10.2.1.69
access-list 100 deny   ip any host 10.2.1.70
access-list 100 deny   ip any host 10.2.1.71
access-list 100 deny   ip any host 10.2.1.72
access-list 100 deny   ip any host 10.2.1.73
access-list 100 deny   ip any host 10.2.1.74
access-list 100 deny   ip any host 10.2.1.75
access-list 100 deny   ip any host 10.2.1.76
access-list 100 deny   ip any host 10.2.1.77
access-list 100 deny   ip any host 10.2.1.78
access-list 100 deny   ip any host 10.2.1.79
access-list 100 deny   ip any host 10.2.1.80
access-list 100 deny   ip any host 10.2.1.81
access-list 100 deny   ip any host 10.2.1.82
access-list 100 deny   ip any host 10.2.1.83
access-list 100 deny   ip any host 10.2.1.84
access-list 100 deny   ip any host 10.2.1.85
access-list 100 deny   ip any host 10.2.1.86
access-list 100 deny   ip any host 10.2.1.87
access-list 100 deny   ip any host 10.2.1.88
access-list 100 deny   ip any host 10.2.1.89
access-list 100 deny   ip any host 10.2.1.90
access-list 100 deny   ip any host 10.2.1.91
access-list 100 deny   ip any host 10.2.1.92
access-list 100 deny   ip any host 10.2.1.93
access-list 100 deny   ip any host 10.2.1.94
access-list 100 deny   ip any host 10.2.1.95
access-list 100 deny   ip any host 10.2.1.96
access-list 100 deny   ip any host 10.2.1.97
access-list 100 deny   ip any host 10.2.1.98
access-list 100 deny   ip any host 10.2.1.99
access-list 100 deny   ip any host 10.2.1.100
access-list 100 deny   ip any host 10.3.1.1
access-list 100 deny   ip any host 10.3.1.2
access-list 100 deny   ip any host 10.3.1.3
access-list 100 deny   ip any host 10.3.1.4
access-list 100 deny   ip any host 10.3.1.5
access-list 100 deny   ip any host 10.3.1.6
access-list 100 deny   ip any host 10.3.1.7
access-list 100 deny   ip any host 10.3.1.8
access-list 100 deny   ip any host 10.3.1.9
access-list 100 deny   ip any host 10.3.1.10
access-list 100 deny   ip any host 10.3.1.11
access-list 100 deny   ip any host 10.3.1.12
access-list 100 deny   ip any host 10.3.1.13
access-list 100 deny   ip any host 10.3.1.14
access-list 100 deny   ip any host 10.3.1.15
access-list 100 deny   ip any host 10.3.1.16
access-list 100 deny   ip any host 10.3.1.17
access-list 100 deny   ip any host 10.3.1.18
access-list 100 deny   ip any host 10.3.1.19
access-list 100 deny   ip any host 10.3.1.20
access-list 100 deny   ip any host 10.3.1.21
access-list 100 deny   ip any host 10.3.1.22
access-list 100 deny   ip any host 10.3.1.23
access-list 100 deny   ip any host 10.3.1.24
access-list 100 deny   ip any host 10.3.1.25
access-list 100 deny   ip any host 10.3.1.26
access-list 100 deny   ip any host 10.3.1.27
access-list 100 deny   ip any host 10.3.1.28
access-list 100 deny   ip any host 10.3.1.29
access-list 100 deny   ip any host 10.3.1.30
access-list 100 deny   ip any host 10.3.1.31
access-list 100 deny   ip any host 10.3.1.32
access-list 100 deny   ip any host 10.3.1.33
access-list 100 deny   ip any host 10.3.1.34
access-list 100 deny   ip any host 10.3.1.35
access-list 100 deny   ip any host 10.3.1.36
access-list 100 deny   ip any host 10.3.1.37
access-list 100 deny   ip any host 10.3.1.38
access-list 100 deny   ip any host 10.3.1.39
access-list 100 deny   ip any host 10.3.1.40
access-list 100 deny   ip any host 10.3.1.41
access-list 100 deny   ip any host 10.3.1.42
access-list 100 deny   ip any host 10.3.1.43
access-list 100 deny   ip any host 10.3.1.44
access-list 100 deny   ip any host 10.3.1.45
access-list 100 deny   ip any host 10.3.1.46
access-list 100 deny   ip any host 10.3.1.47
access-list 100 deny   ip any host 10.3.1.48
access-list 100 deny   ip any host 10.3.1.49
access-list 100 deny   ip any host 10.3.1.50
access-list 100 deny   ip any host 10.3.1.51
access-list 100 deny   ip any host 10.3.1.52
access-list 100 deny   ip any host 10.3.1.53
access-list 100 deny   ip any host 10.3.1.54
access-list 100 deny   ip any host 10.3.1.55
access-list 100 deny   ip any host 10.3.1.56
access-list 100 deny   ip any host 10.3.1.57
access-list 100 deny   ip any host 10.3.1.58
access-list 100 deny   ip any host 10.3.1.59
access-list 100 deny   ip any host 10.3.1.60
access-list 100 deny   ip any host 10.3.1.61
access-list 100 deny   ip any host 10.3.1.62
access-list 100 deny   ip any host 10.3.1.63
access-list 100 deny   ip any host 10.3.1.64
access-list 100 deny   ip any host 10.3.1.65
access-list 100 deny   ip any host 10.3.1.66
access-list 100 deny   ip any host 10.3.1.67
access-list 100 deny   ip any host 10.3.1.68
access-list 100 deny   ip any host 10.3.1.69
access-list 100 deny   ip any host 10.3.1.70
access-list 100 deny   ip any host 10.3.1.71
access-list 100 deny   ip any host 10.3.1.72
access-list 100 deny   ip any host 10.3.1.73
access-list 100 deny   ip any host 10.3.1.74
access-list 100 deny   ip any host 10.3.1.75
access-list 100 deny   ip any host 10.3.1.76
access-list 100 deny   ip any host 10.3.1.77
access-list 100 deny   ip any host 10.3.1.78
access-list 100 deny   ip any host 10.3.1.79
access-list 100 deny   ip any host 10.3.1.80
access-list 100 deny   ip any host 10.3.1.81
access-list 100 deny   ip any host 10.3.1.82
access-list 100 deny   ip any host 10.3.1.83
access-list 100 deny   ip any host 10.3.1.84
access-list 100 deny   ip any host 10.3.1.85
access-list 100 deny   ip any host 10.3.1.86
access-list 100 deny   ip any host 10.3.1.87
access-list 100 deny   ip any host 10.3.1.88
access-list 100 deny   ip any host 10.3.1.89
access-list 100 deny   ip any host 10.3.1.90
access-list 100 deny   ip any host 10.3.1.91
access-list 100 deny   ip any host 10.3.1.92
access-list 100 deny   ip any host 10.3.1.93
access-list 100 deny   ip any host 10.3.1.94
access-list 100 deny   ip any host 10.3.1.95
access-list 100 deny   ip any host 10.3.1.96
access-list 100 deny   ip any host 10.3.1.97
access-list 100 deny   ip any host 10.3.1.98
access-list 100 deny   ip any host 10.3.1.99
access-list 100 deny   ip any host 10.3.1.100
access-list 100 remark NAT everything else
access-list 100 permit ip 10.1.9.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 120 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 150 remark Permit traffic between here and remote LAN via IPSEC
access-list 150 permit ip 10.1.9.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 151 remark ACL for VPN Client Split Tunneling
access-list 151 permit ip 10.1.9.0 0.0.0.255 any
!
no cdp run
!
!
!
route-map nonat-vpn permit 1
 match ip address 100
!
!
radius-server host 10.1.9.254 auth-port 1645 acct-port 1646 key 12345
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway WebVPNGateway
 ip address 199.72.119.2 port 443
 ssl encryption 3des-sha1
 ssl trustpoint TP-self-signed-3735527223
 inservice
!
webvpn context Default_context
 ssl authenticate verify all
 !
 nbns-list "Windows_Servers"
   nbns-server 10.1.9.254 master
 !
 port-forward "WebVPN_Ports"
   local-port 3001 remote-server "10.1.9.254" remote-port 2029 description "MSSQLPROFXENGAGEMENT"
   local-port 3002 remote-server "10.1.9.254" remote-port 6735 description "PFXEngDesktopService"
   local-port 3003 remote-server "10.1.9.254" remote-port 6736 description "PFXSYNPFTService"
   local-port 3004 remote-server "10.1.9.254" remote-port 1434 description "SQL Listening Service"
 !
 policy group WebVPN_Policy
   port-forward "WebVPN_Ports"
   nbns-list "Windows_Servers"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-required
   svc address-pool "webvpn_users"
   svc default-domain "fesnakllp.com"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc rekey method new-tunnel
   svc split include 10.1.9.0 255.255.255.0
   svc dns-server primary 10.1.9.254
   svc wins-server primary 10.1.9.254
 default-group-policy WebVPN_Policy
 aaa authentication list external-vpn-users
 inservice
!
end

New Member

Re: wan failover with vpn

I think it's that there are no ports open for the incoming VPN traffic. I can't bring this down a lot to test. Can anyone tell me if I'm on the right track?

Thanks.
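An added configuration example, written for this thread and not taken from any of the posters or from Cisco, showing one way to terminate both VPNs on ISP#1 while the default route stays on Comcast. It builds on three things visible in the posted config: `crypto map external-crypto` is applied to no interface, FastEthernet0/0/0 (which carries the 199.72.119.2 WebVPN gateway address) is shut down, and the outside-to-inside policy PMAP-2 passes only GRE and drops everything else. It assumes that IOS classifies decrypted crypto-map and SVC traffic as entering from the "outside" zone of Fa0/0/0; the ACL name VPN-SOURCES and the class name vpn-to-inside are new.

```cisco
! Added example, not the poster's config. Addresses and object names are
! taken from the posted config; VPN-SOURCES and vpn-to-inside are new.
!
! 1. The crypto map is defined but bound to no interface, and Fa0/0/0 is
!    shut down. Bring ISP#1 up and terminate IPsec there; the WebVPN
!    gateway already listens on this interface's address (199.72.119.2).
interface FastEthernet0/0/0
 no shutdown
 crypto map external-crypto
!
! 2. Leave 0.0.0.0/0 pointing at Comcast and steer only the IPsec peer and
!    the remote LAN out ISP#1 with more specific routes. Traffic for
!    10.1.10.0/24 then leaves via Fa0/0/0, matches ACL 150 in the crypto
!    map, and is exempt from NAT there through route-map nonat-vpn / ACL 100.
ip route 64.32.253.138 255.255.255.255 199.72.119.1
ip route 10.1.10.0 255.255.255.0 199.72.119.1
!
! 3. No zone-pair involves the "self" zone, so IKE (UDP 500/4500), ESP and
!    TCP 443 addressed to the router itself are not filtered by ZBF.
!    What is filtered is the traffic after decryption: assumed here to
!    enter from zone "outside", it hits PMAP-2, which only passes GRE and
!    drops the rest. Allow the tunnel sources explicitly rather than
!    opening outside-to-inside in general.
ip access-list extended VPN-SOURCES
 remark remote office LAN (L2L, ACL 150), IPsec client pool, SVC pool
 permit ip 10.1.10.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.2.1.0 0.0.0.255 10.1.9.0 0.0.0.255
 permit ip 10.3.1.0 0.0.0.255 10.1.9.0 0.0.0.255
!
class-map type inspect match-all vpn-to-inside
 match access-group name VPN-SOURCES
!
! class-default is always evaluated last, so the new class can simply be
! added to the existing policy. Stateful inspection lets the replies back
! out without touching the inside-to-outside pair.
policy-map type inspect PMAP-2
 class type inspect vpn-to-inside
  inspect
 class type inspect pptp-passthru
  pass
 class class-default
  drop
```

After applying it, `show crypto isakmp sa` and `show policy-map type inspect zone-pair outside-to-inside` will show whether the tunnels come up and whether the new class is matching the decrypted traffic.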
