balancing 2 ISP's with Cisco 1800

Discussion in 'Cisco' started by delsio@gmail.com, Oct 10, 2007.

  1. Guest

    Hi
    Need some comments in my code below. I am having problems using both
    interfaces at the same time.

    ///
    ISP 1 - Cable
    ISP 2 - ADSL
    ///
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 20 10
    !
    crypto isakmp client configuration group XXXXX
    key xxxxxx
    pool vpn_pool
    crypto isakmp profile VPNclient
    description VPN clients profile
    match identity group PARCEIROS
    client authentication list vpnusers
    isakmp authorization list vpn_group
    client configuration address respond
    !
    !
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    !
    crypto dynamic-map vpn_map 99
    set transform-set 3des
    set isakmp-profile VPNclient
    reverse-route
    !
    !
    crypto map vpn_map 99 ipsec-isakmp dynamic vpn_map
    !
    !

    !
    interface FastEthernet0/0
    description TRUNK TO SWITCH
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.3
    description LOCAL
    encapsulation dot1Q 3
    ip address 192.168.3.254 255.255.255.0
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly
    !
    interface FastEthernet0/0.4
    shutdown
    !
    interface FastEthernet0/0.7
    description ISP 1
    encapsulation dot1Q 7
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    crypto map vpn_map
    !
    interface FastEthernet0/1
    description ISP 2
    no ip address
    no ip mroute-cache
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no cdp enable
    !
    interface Dialer1
    ip address negotiated
    ip verify unicast reverse-path
    ip mtu 1492
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname 21328554
    ppp chap password 7 03560A58545774191A
    ppp pap sent-username 21328554 password 7 15405A5F56727E717C
    crypto map vpn_map
    !
    ip local pool vpn_pool h.h.h.h h.h.h.h
    ip route vrf isp 1 0.0.0.0 0.0.0.0 196.46.4.254 global
    ip route vrf isp 2 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list lan_in2 interface Dialer1 vrf tdm overload
    ip nat inside source list lan_in interface FastEthernet0/0.7 vrf tvcabo overload
    ip nat inside source static tcp 192.168.3.100 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.3.100 20 interface Dialer1 20
    ip nat inside source static tcp 192.168.3.101 25 y.y.y.y 25 extendable
    ip nat inside source static tcp 192.168.3.101 53 y.y.y.y 53 extendable
    ip nat inside source static udp 192.168.3.101 53 y.y.y.y 53 extendable
    ip nat inside source static tcp 192.168.3.100 80 y.y.y.y 80 extendable
    ip nat inside source static tcp 192.168.3.101 222 y.y.y.y 222 extendable
    ip nat inside source static tcp 192.168.3.101 53 x.x.x.x 53 extendable
    ip nat inside source static udp 192.168.3.101 53 x.x.x.x 53 extendable
    ip nat inside source static tcp 192.168.3.100 80 x.x.x.x 80 redundancy teste extendable
    !
    ip access-list extended gestao_in
    permit tcp 196.46.0.0 0.0.255.255 any eq 22
    permit tcp 192.168.4.0 0.0.0.255 any eq 22
    permit tcp 192.168.3.0 0.0.0.255 any eq 22
    permit tcp 41.220.0.0 0.0.255.255 any eq 22
    ip access-list extended lan_in
    deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit esp 192.168.3.0 0.0.0.255 any
    permit udp 192.168.3.0 0.0.0.255 any eq domain log
    permit udp 192.168.3.0 0.0.0.255 any eq isakmp
    permit tcp 192.168.3.0 0.0.0.255 any eq www log
    permit tcp 192.168.3.0 0.0.0.255 any eq 443
    ip access-list extended lan_in2
    deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit tcp 192.168.3.0 0.0.0.255 any eq smtp domain
    permit udp 192.168.3.0 0.0.0.255 any eq domain log
    permit tcp 192.168.3.0 0.0.0.255 any eq 8080 log
    permit tcp 192.168.3.0 0.0.0.255 any eq www log
     
    delsio@gmail.com, Oct 10, 2007
    #1

  2. delsio@gmail.com wrote:

    > Hi
    > Need some comments in my code below. I am having problems using both
    > interfaces at the same time.


    This flavor of setup should be (but isn't) in the FAQ. You have two
    different paths and depending upon which path you take, you need a
    different NAT to occur to put the right public return IP on your outbound
    traffic. For the duration of any TCP connection or UDP exchange, you need
    the same public IP to be used for your end of the communication. Think
    about what the other end sees if you start downloading a web page using one
    interface then switch to the other interface.

    Adding injury to insult, last time I checked (it has been a while, so Cisco
    may have fixed this bug), once a policy NAT has been set up, that same NAT
    will continue to be used for the duration of the communication, even if the
    interface changes. That is, the NAT policy is only checked when setting
    up a NAT. Once an established NAT is in the translation table, the cached
    entry will be used even if the conditions which met the policy change.

    For more details, do a search of this news group on "ping based routing"
    where this challenge has been beaten to death in the past.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant          Expert advice and a helping hand
    Networking Unlimited, Inc.           for those who want to manage and
    Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Oct 13, 2007
    #2
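The two points in the reply above (one NAT per path, and translations that survive a path change) map onto a well-known IOS pattern. The fragment below is an added editorial example, not configuration from the original poster or from the reply. It keeps the interface names, the ACLs lan_in and lan_in2 and the ISP1 gateway 196.46.4.254 from the posted config, drops the undefined VRF references (`vrf tdm`, `vrf tvcabo`, `ip route vrf isp 1 ...`) in favour of matching the egress interface, and assumes IOS 12.4(20)T or later syntax for `ip sla` and `track ... ip sla` (older releases spell these `ip sla monitor` and `track ... rtr`) plus EEM support. The route-map and applet names are the editor's own. Because FastEthernet0/0.7 takes its address by DHCP, the hard-coded next hop is itself an assumption carried over from the original static route.

```cisco
! Added example (not from the original post): per-path NAT selected by egress
! interface, a tracked primary default route, and a NAT-table flush on failover.
! Replaces the two "ip nat inside source list ... vrf ... overload" lines.
!
! 1. Pick the public address by the interface the packet is actually leaving on.
!    Both match clauses in a sequence are ANDed: LAN source AND this egress.
route-map NAT_ISP1 permit 10
 match ip address lan_in
 match interface FastEthernet0/0.7
!
route-map NAT_ISP2 permit 10
 match ip address lan_in2
 match interface Dialer1
!
ip nat inside source route-map NAT_ISP1 interface FastEthernet0/0.7 overload
ip nat inside source route-map NAT_ISP2 interface Dialer1 overload
!
! 2. Probe the ISP1 gateway (address assumed from the original static route).
!    When it stops answering, the tracked default is withdrawn and the
!    floating default via Dialer1 (distance 10) takes over.
ip sla 1
 icmp-echo 196.46.4.254 source-interface FastEthernet0/0.7
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 10
!
ip route 0.0.0.0 0.0.0.0 196.46.4.254 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
! 3. The caveat from the reply: dynamic translations built while ISP1 was the
!    path stay in the table and keep stamping ISP1's public address on packets
!    that now leave via Dialer1, so replies never come back. Flush the table
!    when the track changes state in either direction. Static entries
!    (the port forwards) are not removed by this command.
event manager applet NAT_FLUSH_ISP1_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP1 down: dynamic NAT translations cleared"
!
event manager applet NAT_FLUSH_ISP1_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP1 up: dynamic NAT translations cleared"
```

Check the result with `show track 1`, `show ip route 0.0.0.0`, and `show ip nat translations`: after a failover every remaining dynamic entry should carry the Dialer1 address as its inside global. As written this is active/standby, which is the simplest way to guarantee the flow stickiness the reply describes. If both links really must carry traffic at once, install both defaults at the same distance so CEF shares per destination; the route-map NAT still selects the right public address at flow setup, and the caching caveat still applies whenever one path is withdrawn. One unrelated observation on the posted config: the `password 7` strings on Dialer1 are type-7 encoded, which is reversible, so those PPPoE credentials should be treated as disclosed once pasted into a public forum.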
