1760 DUAL NAT WAN (Backup connection)

Status
Not open for further replies.

chillbob2008

IS-IT--Management
May 1, 2008
GB
Hi there!

We have had 2 Internet connections for a while now, one was for backup purposes but it was on a different router and not really connected to the network so it wasn’t really serving any purpose. I have been meaning to get this connection working as a proper backup for some time now but have only just got round to it.

The configuration below is what I have come up with in the past few nights searching forums and the Cisco website. It is currently running and it seems to do the job. The next-hop gateways are tracked using the SLA monitor. When the primary WAN connection (eth0/0) goes down (or gets pulled out) the route is removed and the traffic flows over the secondary WAN connection (Dialer1). The multi-homed NAT configuration is also working ok.

Here's some useful links that helped me get to this point:



However there are a few issues I have noticed, I hope someone can help me rectify them or explain what or where the issue may be.

1. If I use both routes at the same time (i.e. to load balance) and I'm connected to the VPN I find some things become unresponsive but others are still reachable – this swaps about and is not fixed to a particular device or PC, so I am presuming that some of the packet flows are going out of one interface and then maybe next time they are going out of the other. Is there any way of making sure that the VPN packets are always going out of the interface that the clients are connected to? Or the interface the packets are incoming from?
2. When I am connected to the VPN I am no longer able to connect to the ports on the machines that have a static PAT/NAT translation to the external IP address. Until I added the secondary connection (tracked it and set up a second NAT statement) I could do this; can anyone see why I can't now?
3. If I were to get both the connections load balanced, would it be possible to just repeat the static NAT translations from the secondary WAN connection to the same servers and ports as set up on the primary connection? Again I'm guessing there must be some way of making sure that if a packet is received on a particular interface its response must go back out of that interface.
4. I'm not 100% sure on the route-map function. I kind of understand what it is doing in terms of blocking certain traffic (VPN traffic) from going out via the NAT, but where in the overall process are they consulted? (I have tried to stop the DNS requests for the wrong servers going out of the wrong interfaces here too.)
5. If you see anything that looks wrong or unnecessary please let me know; this router was initially set up with SDM a long time ago, and although most of its garbage is gone some will still remain!

Here's the config:
NOTE - The external address of the primary WAN connection (eth0/0) has been replaced by aaa.aaa.aaa.aaa

The external address of the secondary wan connection (dialer1) has been replaced by bbb.bbb.bbb.bbb

All other passwords and domain names etc have been replaced with xxxxx’s



rt1#sh run
Building configuration...

Current configuration : 8758 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname rt1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $XXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone London 0
clock summer-time GMT+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
!
!
ip tcp synwait-time 10
ip cef
ip domain name XXXXXXXXXXX.local
ip name-server 192.168.70.1
no ip bootp server
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ssh authentication-retries 2
ip ssh version 2
ip sla monitor logging traps
ip sla monitor 1
type echo protocol ipIcmpEcho 82.23.220.1 source-interface Ethernet0/0
request-data-size 32
timeout 800
frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 212.74.102.14 source-interface Dialer1
request-data-size 32
timeout 800
frequency 3
ip sla monitor schedule 2 life forever start-time now
login block-for 300 attempts 3 within 60
login quiet-mode access-class ACL-Login-Quiet
login on-failure log
login on-success log
!
!
!
!
username admin privilege 15 secret 5 $XXXXXXXXXXXXXXXXXXXXXXX
!
!
track 10 rtr 1 reachability
delay down 10 up 46
!
track 20 rtr 2 reachability
delay down 10 up 46
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 5
!
crypto isakmp client configuration group ashVPNusers
key XXXXXXXXXXXXXXXXXXXXX
dns 192.168.70.1
domain XXXXXXXXXXXXXXX.local
pool ashVPNusers-Pool
acl ACL-Encrypted-Routes-01
split-dns XXXXXXXXXXXXXXXX.local
backup-gateway xxx.xxx.xxx.xxx
max-users 10
max-logins 5
netmask 255.255.255.224
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0/0
description PRI-WAN
ip address dhcp client-id Ethernet0/0
ip access-group ACL-External-01 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
half-duplex
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
description Local Interface
no ip address
no ip redirects
no ip unreachables
ip route-cache flow
speed 100
full-duplex
!
interface FastEthernet0/0.20
description New Local Network (Blade)
encapsulation dot1Q 20
ip address 192.168.70.254 255.255.255.0
ip access-group ACL-Local-01 in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface ATM1/0
no ip address
no ip redirects
no ip unreachables
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM1/0.38 point-to-point
description SEC-WAN
no ip redirects
no ip unreachables
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description SEC-WAN
ip address negotiated
ip access-group ACL-External-02 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx@xxxxxxxx.com
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXXXXX
crypto map SDM_CMAP_1
!
ip local pool ashVPNusers-Pool 192.168.26.1 192.168.26.30
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 10 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20 track 20
ip route aaa.aaa.aaa.aaa 255.255.255.255 Ethernet0/0
ip route bbb.bbb.bbb.bbb 255.255.255.255 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source route-map PRI-WAN interface Ethernet0/0 overload
ip nat inside source route-map SEC-WAN interface Dialer1 overload
ip nat inside source static tcp 192.168.70.3 22 interface Ethernet0/0 22
ip nat inside source static tcp 192.168.70.5 443 interface Ethernet0/0 443
ip nat inside source static tcp 192.168.70.5 25 interface Ethernet0/0 25
!
!
!
ip access-list extended ACL-Encrypted-Routes-01
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended ACL-External-01
deny ip host 190.144.151.52 any
deny ip host 77.39.19.67 any
deny icmp any any fragments
remark Allow Ping
permit icmp any any echo
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host aaa.aaa.aaa.aaa eq 443
permit tcp any host aaa.aaa.aaa.aaa eq 22
permit tcp any host aaa.aaa.aaa.aaa eq smtp
permit udp any eq bootps any eq bootpc
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip any any log
ip access-list extended ACL-External-02
deny ip host 190.144.151.52 any
deny ip host 77.39.19.67 any
deny icmp any any fragments
remark Allow Ping
permit icmp any any echo
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any host bbb.bbb.bbb.bbb eq 443
permit tcp any host bbb.bbb.bbb.bbb eq 22
permit tcp any host bbb.bbb.bbb.bbb eq smtp
permit udp any eq bootps any eq bootpc
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip any any log
ip access-list extended ACL-Local-01
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended ACL-Login-Quiet
permit tcp 192.168.23.0 0.0.0.255 any
deny tcp any any eq telnet log
deny tcp any any eq 22 log
permit ip any any log
ip access-list extended ACL-PRI-WAN-NAT-FILTER
deny ip 192.168.70.0 0.0.0.255 host 212.139.132.5
deny ip 192.168.70.0 0.0.0.255 host 212.139.132.21
deny ip 192.168.70.0 0.0.0.255 192.168.26.0 0.0.0.31
deny ip any 192.168.26.0 0.0.0.31
permit ip 192.168.70.0 0.0.0.255 host 194.168.4.100
permit ip 192.168.70.0 0.0.0.255 host 194.168.8.100
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended ACL-SEC-WAN-NAT-FILTER
deny ip 192.168.70.0 0.0.0.255 host 194.168.4.100
deny ip 192.168.70.0 0.0.0.255 host 194.168.8.100
deny ip 192.168.70.0 0.0.0.255 192.168.26.0 0.0.0.31
deny ip any 192.168.26.0 0.0.0.31
permit ip 192.168.70.0 0.0.0.255 any
permit ip 192.168.70.0 0.0.0.255 host 212.139.132.5
permit ip 192.168.70.0 0.0.0.255 host 212.139.132.21
logging 192.168.23.110
!
route-map SEC-WAN permit 1
match ip address ACL-SEC-WAN-NAT-FILTER
match interface Dialer1
!
route-map PRI-WAN permit 1
match ip address ACL-PRI-WAN-NAT-FILTER
match interface Ethernet0/0
!
radius-server host 192.168.70.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
banner motd ^C
###########################################################################
RT1

Access to this system is restricted to authorized persons only, all login
attempts are recorded.

########################################################### XXXXXXXXXXXX.com
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
scheduler interval 500
ntp clock-period 17208163
ntp source FastEthernet0/0.20
ntp server 192.168.70.1 prefer
end

Thanks

Chill
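Question 5 asks for anything wrong or unnecessary in the config. One thing a reviewer would check mechanically is whether every ACL entry can actually be hit. The Python below is an added example, not code from the original post: it parses IOS named extended ACLs of the shape used above and flags entries that are shadowed (an earlier opposite-action entry always wins), dead (an earlier same-action entry already matched everything) or redundant (a later same-action entry covers them with nothing conflicting in between). The sample input is the two NAT-filter ACLs copied from the config; the checker handles only the syntax those use (IPv4, `any`/`host`/wildcard, the `eq` operator) and raises on anything else.

```python
"""Reachability check for Cisco IOS named extended ACLs (added example, not the
poster's code).  Entry syntax handled, IPv4 and the 'eq' operator only:
    permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [qualifier ...] [log]
Findings: 'shadowed' = an earlier entry with the OTHER action matches every packet
it would; 'dead' = an earlier SAME-action entry already matched them all;
'redundant' = a later same-action entry covers it with no conflicting entry between."""
import ipaddress
import re

# Port keywords IOS prints instead of numbers (subset seen in the posted config).
PORT_NAMES = {"smtp": 25, "telnet": 23, "bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}

# Constructed sample: the two NAT-filter ACLs copied from the posted config.
SAMPLE = """
ip access-list extended ACL-PRI-WAN-NAT-FILTER
deny ip 192.168.70.0 0.0.0.255 host 212.139.132.5
deny ip 192.168.70.0 0.0.0.255 host 212.139.132.21
deny ip 192.168.70.0 0.0.0.255 192.168.26.0 0.0.0.31
deny ip any 192.168.26.0 0.0.0.31
permit ip 192.168.70.0 0.0.0.255 host 194.168.4.100
permit ip 192.168.70.0 0.0.0.255 host 194.168.8.100
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended ACL-SEC-WAN-NAT-FILTER
deny ip 192.168.70.0 0.0.0.255 host 194.168.4.100
deny ip 192.168.70.0 0.0.0.255 host 194.168.8.100
deny ip 192.168.70.0 0.0.0.255 192.168.26.0 0.0.0.31
deny ip any 192.168.26.0 0.0.0.31
permit ip 192.168.70.0 0.0.0.255 any
permit ip 192.168.70.0 0.0.0.255 host 212.139.132.5
permit ip 192.168.70.0 0.0.0.255 host 212.139.132.21
"""


def _net(tokens):
    """Consume one address spec from the front of tokens; return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # IOS wildcard = inverted netmask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _port(tokens):
    """Consume an optional 'eq <port>'; return the port number or None."""
    if tokens[:1] != ["eq"]:
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_acls(text):
    """Return {acl_name: [entry, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.startswith(("permit ", "deny ")):
            tokens = line.split()
            e = {"text": line, "action": tokens[0], "proto": tokens[1]}
            rest = tokens[2:]
            e["src"], e["sport"] = _net(rest), _port(rest)
            e["dst"], e["dport"] = _net(rest), _port(rest)
            e["qual"] = tuple(t for t in rest if t != "log")  # icmp type etc. narrow the match; 'log' does not
            current.append(e)
        elif line and line != "!" and not line.startswith("remark"):
            current = None  # any other top-level command ends the ACL block
    return acls


def covers(a, b):
    """True if every packet matching entry b also matches entry a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"])
            and a["qual"] in ((), b["qual"]))


def intersects(a, b):
    """True if at least one packet could match both entries."""
    free = lambda x, y, wild: wild in (x, y) or x == y  # one side unrestricted, or equal
    return (free(a["proto"], b["proto"], "ip") and a["src"].overlaps(b["src"])
            and a["dst"].overlaps(b["dst"]) and free(a["sport"], b["sport"], None)
            and free(a["dport"], b["dport"], None) and free(a["qual"], b["qual"], ()))


def analyse(acls):
    """Return [(acl, entry_no, kind, other_entry_no)], entry numbers 1-based."""
    findings = []
    for name, entries in acls.items():
        for i, e in enumerate(entries):
            hit = next((j for j, p in enumerate(entries[:i]) if covers(p, e)), None)
            if hit is not None:  # never evaluated: an earlier entry always wins first
                kind = "dead" if entries[hit]["action"] == e["action"] else "shadowed"
                findings.append((name, i + 1, kind, hit + 1))
                continue
            for j in range(i + 1, len(entries)):
                if (entries[j]["action"] == e["action"] and covers(entries[j], e)
                        and not any(m["action"] != e["action"] and intersects(m, e)
                                    for m in entries[i + 1:j])):
                    findings.append((name, i + 1, "redundant", j + 1))
                    break
    return findings
```

Running `analyse(parse_acls(SAMPLE))` reports entry 3 of each NAT filter as redundant (the following `deny ip any 192.168.26.0 0.0.0.31` already covers it), entries 5 and 6 of ACL-PRI-WAN-NAT-FILTER as redundant (the closing `permit ... any` covers them), and entries 6 and 7 of ACL-SEC-WAN-NAT-FILTER as dead, since `permit ip 192.168.70.0 0.0.0.255 any` above them matches first. The dead ones are the important finding: they look like a policy but are never consulted.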
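Question 3 asks whether the static translations should be repeated on the secondary WAN. The Python below is an added example, not the poster's code. It parses the `ip nat inside source static` lines, the `ip nat outside` interfaces and the inbound ACLs bound to them, and reports ports that are permitted inbound with no translation behind them, translations with no permit, and translations that exist on one outside interface only. The sample is a constructed excerpt of the posted config; the aaa/bbb placeholders are kept because only protocol and port are compared.

```python
"""Static PAT vs inbound ACL cross-check for a dual-WAN IOS config (added
example, not the poster's code).  For each 'ip nat outside' interface it
compares the tcp/udp ports with an 'ip nat inside source static ... interface'
translation against the ports its inbound ACL permits to a host, and reports
  missing_translation - permitted in but untranslated: the packet is handed to
                        the router itself (or dropped if nothing listens)
  missing_permit      - translated but the inbound ACL never lets it through
  not_mirrored        - translated on this outside interface only, so the
                        service is unreachable while traffic is failed over
"""
import re

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}

# Constructed excerpt of the posted config; the aaa/bbb placeholders are kept
# because only protocol and port are compared.
SAMPLE = """
interface Ethernet0/0
 ip access-group ACL-External-01 in
 ip nat outside
interface Dialer1
 ip access-group ACL-External-02 in
 ip nat outside
ip nat inside source static tcp 192.168.70.3 22 interface Ethernet0/0 22
ip nat inside source static tcp 192.168.70.5 443 interface Ethernet0/0 443
ip nat inside source static tcp 192.168.70.5 25 interface Ethernet0/0 25
ip access-list extended ACL-External-01
 permit udp any any eq isakmp
 permit tcp any host aaa.aaa.aaa.aaa eq 443
 permit tcp any host aaa.aaa.aaa.aaa eq 22
 permit tcp any host aaa.aaa.aaa.aaa eq smtp
 deny ip any any log
ip access-list extended ACL-External-02
 permit tcp any host bbb.bbb.bbb.bbb eq 443
 permit tcp any host bbb.bbb.bbb.bbb eq 22
 permit tcp any host bbb.bbb.bbb.bbb eq smtp
 deny ip any any log
"""

RE_IFACE = re.compile(r"interface (\S+)")
RE_ACL = re.compile(r"ip access-list extended (\S+)$")
RE_STATIC = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\S+)$")
RE_GROUP = re.compile(r"ip access-group (\S+) in$")
RE_PERMIT = re.compile(r"permit (tcp|udp) any host \S+ eq (\S+)")  # host-directed permits only


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse(text):
    """Return (outside ifaces, {iface: inbound acl}, {iface: statics}, {acl: permits})."""
    outside, in_acl, statics, permits = set(), {}, {}, {}
    iface = acl = None  # which interface / ACL block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if RE_IFACE.match(line):
            iface, acl = RE_IFACE.match(line).group(1), None
        elif RE_ACL.match(line):
            iface, acl = None, RE_ACL.match(line).group(1)
            permits.setdefault(acl, set())
        elif RE_STATIC.match(line):
            iface = acl = None
            proto, out_if, port = RE_STATIC.match(line).groups()
            statics.setdefault(out_if, set()).add((proto, _port(port)))
        elif iface and line == "ip nat outside":
            outside.add(iface)
        elif iface and RE_GROUP.match(line):
            in_acl[iface] = RE_GROUP.match(line).group(1)
        elif acl and RE_PERMIT.match(line):
            proto, port = RE_PERMIT.match(line).groups()
            permits[acl].add((proto, _port(port)))
    return outside, in_acl, statics, permits


def audit(text=SAMPLE):
    """Return sorted [(finding, iface, proto, port)] for every outside interface."""
    outside, in_acl, statics, permits = parse(text)
    findings = set()
    for iface in outside:
        nat = statics.get(iface, set())
        allowed = permits.get(in_acl.get(iface), set())
        findings |= {("missing_translation", iface, p, n) for p, n in allowed - nat}
        findings |= {("missing_permit", iface, p, n) for p, n in nat - allowed}
        for other in outside - {iface}:
            findings |= {("not_mirrored", iface, p, n)
                         for p, n in nat - statics.get(other, set())}
    return sorted(findings)


if __name__ == "__main__":
    for kind, iface, proto, port in audit():
        print(f"{iface}: {kind} {proto}/{port}")
```

On the posted excerpt the result is that all three host permits in ACL-External-02 have nothing translated behind them (443 and 25 reach a router that has no listener, while 22 reaches the router's own SSH service, which the vty lines do allow), and none of the three Ethernet0/0 statics is mirrored on Dialer1, so inbound 22, 443 and 25 stop working for as long as traffic is failed over. Adding a matching `ip nat inside source static ... interface Dialer1 ...` line for a port makes that port's `not_mirrored` finding disappear, which is how the check is meant to be used while the mirror is built out.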
 