I am trying to set up a VPN between two sites that have ADSL links to the Internet. On the host end there is a 1721 with 2 ADSL links, separate static IP blocks (/29) on both circuits. Also at the host end there is a Watchguard Firebox that I would like to have handle the VPN connection. On the remote side, I have a Cisco 837 with a single static IP address and a Watchguard SOHO 6tc for linking up to the other Watchguard at the host site. The problem I am having is how to pass the public IPs back to the Watchguard in order for it to have a public IP on the WAN side interface. Here is the config for the 1721 at the host site:
The Watchguard IP Address on the WAN interface is currently in the 10.x.x.x 255.255.255.0 subnet, but it can be statically assigned to any of the WAN public IPs from the DSL providers.
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1721
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$JAmk$x2KS5kuQwvgh7QxOagaLt.
!
username ###### privilege 15 password 7 03255F060F0111404F1A0D0C14
clock timezone PCTimeZone -5
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
no ip domain lookup
ip domain name xxxxxxxxx
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description DSL 1
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 2
!
!
interface ATM1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM1.1 point-to-point
description DSL 2
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$
ip address 10.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
speed auto
no cdp enable
!
!
interface Dialer0
description dsl 2
ip address x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname ##################
ppp chap password 7 1445465F5A55737D
ppp pap sent-username ###########################
password 7 135743465D5D5D7C
!
interface Dialer1
description dsl 1
ip address x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
encapsulation ppp
ip route-cache flow
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication pap chap callin
ppp chap hostname ###################
ppp chap password 7 075D75181858415C
ppp pap sent-username ###########################
password 7 00564752520A535F
!
!
ip nat inside source route-map dialer0 interface Dialer0 overload
ip nat inside source route-map dialer1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
logging 10.x.x.x
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map dialer1 permit 10
match ip address 1
match interface Dialer1
!
route-map dialer0 permit 10
match ip address 1
match interface Dialer0
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
**I would also like to load balance the DSL circuits at the host site if possible, but that is not the most critical problem, right now.
I believe that once I can get the IPs routed back effectively to the Watchguards, I will be able to setup the VPN easily. Any help on this matter would be greatly appreciated.
Thanks in advance and Happy New Year!!!!!!!!!!!
SLW
MCSE
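Added example (editor's note, not part of the post above and not the poster's config): one way to give the Watchguard a public address behind the 1721, add the second default route the poster asked about for load sharing, and keep the exposed address filtered. It uses a one-to-one static NAT rather than moving the /29 onto the LAN, because static NAT is address-only and so carries IKE and ESP without port translation. The addresses are placeholders for the redacted ones: 203.0.113.0/29 for the Dialer0 block, 198.51.100.0/29 for the Dialer1 block, 10.0.0.0/24 for the LAN with the Watchguard WAN port at 10.0.0.10. Access lists 1 and 102 are referenced in the post but not shown, so the ACL 1 below is assumed; the CBAC (`ip inspect`) lines assume the IOS firewall feature set is installed, which the post's `ip audit` lines suggest but do not prove.

```cisco
! Added example, not the poster's configuration. Placeholder addresses:
! Dialer0 block 203.0.113.0/29, Dialer1 block 198.51.100.0/29,
! LAN 10.0.0.0/24, Watchguard WAN port 10.0.0.10 (all assumed).
!
! 1. Fixed public address for the Watchguard: one-to-one static NAT of a spare
!    address from the Dialer0 /29. Static NAT translates the address only, so
!    IKE (UDP 500/4500) and ESP (IP protocol 50) pass unchanged, and static
!    entries take precedence over the PAT rules below.
ip nat inside source static 10.0.0.10 203.0.113.3
!
! 2. The PAT rules from the post, referencing the route-maps by their exact
!    (case-sensitive) names, plus the ACL 1 they match (assumed, not shown).
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source route-map dialer0 interface Dialer0 overload
ip nat inside source route-map dialer1 interface Dialer1 overload
route-map dialer0 permit 10
 match ip address 1
 match interface Dialer0
route-map dialer1 permit 10
 match ip address 1
 match interface Dialer1
!
! 3. Per-destination load sharing: two default routes. CEF splits flows across
!    the dialers and each flow is PATed to the dialer it leaves on (step 2).
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 4. Pin the Watchguard to Dialer0. After translation its packets carry a source
!    from the Dialer0 block; if load sharing sent them out Dialer1, the second
!    provider's anti-spoofing filter would drop them and the tunnel would flap.
access-list 110 permit ip host 10.0.0.10 any
route-map vpn-pin permit 10
 match ip address 110
 set interface Dialer0
interface FastEthernet0
 ip policy route-map vpn-pin
!
! 5. The static mapping exposes 10.0.0.10 to the Internet as 203.0.113.3 and the
!    dialers carry no inbound filter. Admit only what the tunnel needs; CBAC
!    opens return traffic for sessions the LAN started. Inbound ACLs are checked
!    before NAT, so the filter matches the public address.
ip inspect name fw tcp
ip inspect name fw udp
access-list 120 permit udp any host 203.0.113.3 eq isakmp
access-list 120 permit udp any host 203.0.113.3 eq 4500
access-list 120 permit esp any host 203.0.113.3
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 deny ip any any log
interface Dialer0
 ip access-group 120 in
 ip inspect fw out
```

Verify with `show ip nat translations` (the static entry should be listed before any dialer traffic), `show ip route 0.0.0.0` (both dialers present), and `show ip access-lists 120` (hit counts on the isakmp and esp lines once the SOHO 6tc brings the tunnel up). The same inbound filter belongs on Dialer1 with its own block, since that circuit is equally reachable from the Internet; note also that the posted vty lines accept `telnet` as well as `ssh`, and that `access-class 102` has no ACL 102 behind it in the posted output.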