I am having a hard time configuring an EzVPN remote VPN connection.
Basically, we have a Cisco 1812 router and two ISP connections.
Our network = 192.168.1.0; router IP address: 192.168.1.1
ISP 1 is working on FastEthernet0 (and its gateway is 80.65.62.1) and ISP 2 is working on Dialer0 (gateway: 200.75.207.200). VPN network: 10.0.0.0 (gateway 10.0.0.1).
We want to use the EzVPN connection on the Dialer0 interface and we have no issue connecting it, but as soon as we connect it we encounter issues. It takes over our default route and points all traffic to the Virtual-Access3 interface (which comes up as soon as EzVPN is connected; split tunneling is disabled by the policy of the organization we are connecting to).
We point our traffic via route-maps and it works, but we have the following issue now: we have the IP address 192.168.1.15 (actually some VoIP software) which needs to go via the same link as the VPN (Dialer0), and we point it via a route map (route-map VPN 12), but as soon as we do that 192.168.1.15 cannot ping anything. On the router, when I execute
show ip nat translations
I can see that 192.168.1.15 is trying to NAT through the VPN gateway instead of the Dialer0 gateway (200.75.207.200). I assume that I am missing something with NAT or something like that.
I would appreciate your help. Here is my config:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name mydomain.com
ip name-server 192.168.1.10
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username user1 privilege 15 password 0 user1
username user2 password 0 user2
!
!
!
!
!
!
crypto ipsec client ezvpn CONNECTION
connect auto
group vpngrp key vpnpwd
mode client
peer 80.54.60.X
virtual-interface 1
xauth userid mode interactive
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
ip address 80.65.62.86 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
ip mask-reply
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map VPN
crypto ipsec client ezvpn CONNECTION inside
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname XXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXXXX password 0 XXXX
crypto ipsec client ezvpn CONNECTION
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 80.65.62.1
ip route 80.54.60.X 255.255.255.0 200.75.207.200
!
ip http server
no ip http secure-server
!
!
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source route-map ISP2 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit ip any 10.0.0.0 0.255.255.255
access-list 105 permit icmp any 10.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.1.15 any
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map VPN permit 10
match ip address 105
set ip next-hop 10.0.0.1
!
route-map VPN permit 12
match ip address 106
set ip next-hop 200.75.207.200
!
route-map VPN permit 20
match ip address 107
set ip next-hop 80.65.62.1
!
!
route-map ISP2 permit 10
match ip address 1
match interface Dialer0
!
route-map ISP1 permit 10
match ip address 1
match interface FastEthernet0
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password mypasswd
!
!
end
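To reason about which route-map sequence and which static NAT statement a given LAN packet hits under the configuration above, the following Python model is added here as an illustration; it is not part of the original post and is not IOS code. It parses only the access-list, route-map and ip nat lines quoted from the post, evaluates them the way IOS does (first matching ACL entry decides, implicit deny at the end; route-map sequences tried in order, all match clauses of a sequence must hold), and then looks up the NAT statement whose route-map permits the flow. The NEXT_HOP_IFACE table is an assumption: it maps each next-hop named in the post to the interface the post says it is reached through. Anything EzVPN itself adds to the running configuration when the tunnel comes up is outside this model, which is exactly the point it makes: under the static lines alone, 192.168.1.15 to an Internet address picks sequence 12 and the ISP2/Dialer0 overload, while traffic leaving through Virtual-Access3 matches neither ISP1 nor ISP2, so a translation toward the VPN gateway cannot come from these route-maps.

```python
import ipaddress
from collections import namedtuple
# ACL, route-map and NAT lines copied from the posted configuration.
CONFIG = """\
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source route-map ISP2 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 105 permit ip any 10.0.0.0 0.255.255.255
access-list 105 permit icmp any 10.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.1.15 any
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN permit 10
 match ip address 105
 set ip next-hop 10.0.0.1
route-map VPN permit 12
 match ip address 106
 set ip next-hop 200.75.207.200
route-map VPN permit 20
 match ip address 107
 set ip next-hop 80.65.62.1
route-map ISP2 permit 10
 match ip address 1
 match interface Dialer0
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0
"""
# Assumption: the interface each next-hop named in the post is reached through.
NEXT_HOP_IFACE = {"10.0.0.1": "Virtual-Access3", "200.75.207.200": "Dialer0", "80.65.62.1": "FastEthernet0"}
ANY = (0, 0xFFFFFFFF)  # IOS "any": address 0 with an all-ones wildcard mask
AclEntry = namedtuple("AclEntry", "action proto src dst")  # src/dst are (address, wildcard) ints

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tok, i):  # one IOS address spec: any | host A | A WILDCARD
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2

def match_addr(spec, addr):  # wildcard compare: a 1 bit in the wildcard means "don't care"
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def parse(text):  # -> {"acls": num -> [AclEntry], "maps": name -> [entry dicts by seq], "nat": [(map, iface)]}
    cfg, cur = {"acls": {}, "maps": {}, "nat": []}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            num, action = int(tok[1]), tok[2]
            if num < 100:  # standard ACL: source only, destination implicitly any
                entry = AclEntry(action, "ip", parse_addr(tok, 3)[0], ANY)
            else:          # extended ACL: protocol, source, destination
                src, i = parse_addr(tok, 4)
                entry = AclEntry(action, tok[3], src, parse_addr(tok, i)[0])
            cfg["acls"].setdefault(num, []).append(entry)
        elif tok[0] == "route-map":
            cur = {"action": tok[2], "seq": int(tok[3]), "acls": [], "ifaces": [], "next_hop": None}
            cfg["maps"].setdefault(tok[1], []).append(cur)
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat"].append((tok[tok.index("route-map") + 1], tok[tok.index("interface") + 1]))
        elif cur and tok[:3] == ["match", "ip", "address"]:
            cur["acls"] += [int(n) for n in tok[3:]]
        elif cur and tok[:2] == ["match", "interface"]:
            cur["ifaces"] += tok[2:]
        elif cur and tok[:3] == ["set", "ip", "next-hop"]:
            cur["next_hop"] = tok[3]
    for entries in cfg["maps"].values():
        entries.sort(key=lambda e: e["seq"])
    return cfg

def acl_permits(cfg, num, src, dst, proto):  # first matching entry decides; implicit deny at the end
    for e in cfg["acls"].get(num, []):
        if e.proto in ("ip", proto) and match_addr(e.src, src) and match_addr(e.dst, dst):
            return e.action == "permit"
    return False

def map_lookup(cfg, name, src, dst, proto="ip", iface=None):  # first sequence whose match clauses all hold
    for e in cfg["maps"].get(name, []):
        acl_ok = not e["acls"] or any(acl_permits(cfg, n, src, dst, proto) for n in e["acls"])
        if acl_ok and (not e["ifaces"] or iface in e["ifaces"]):
            return e
    return None

def forward(cfg, src, dst, proto="ip", policy="VPN"):
    """Policy-route a Vlan1 packet, then pick the static NAT statement whose route-map permits it.
    Returns (route-map sequence, next-hop, egress interface, NAT statement or None)."""
    s, d = ip_int(src), ip_int(dst)
    e = map_lookup(cfg, policy, s, d, proto)
    if e is None or e["action"] != "permit" or e["next_hop"] is None:
        return (None, None, None, None)  # would use the normal routing table, not modelled here
    iface = NEXT_HOP_IFACE[e["next_hop"]]
    for name, nat_iface in cfg["nat"]:
        m = map_lookup(cfg, name, s, d, proto, iface)
        if m is not None and m["action"] == "permit":
            return (e["seq"], e["next_hop"], iface, f"route-map {name} interface {nat_iface} overload")
    return (e["seq"], e["next_hop"], iface, None)
```

Calling forward(parse(CONFIG), "192.168.1.15", "8.8.8.8") returns sequence 12, next-hop 200.75.207.200, egress Dialer0 and the ISP2 overload, which is the behaviour the post expects for the VoIP host; forward(parse(CONFIG), "192.168.1.15", "10.0.0.50", "icmp") returns sequence 10, egress Virtual-Access3 and no static NAT statement at all. Comparing that second result with the actual output of show ip nat translations is the quickest way to separate what these route-maps do from what the EzVPN client does on its own.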