routing on Cisco 2821 and two ISPs

Discussion in 'Cisco' started by Megane, Aug 9, 2005.

  1. Megane

    Megane Guest

    ---Interfaces---- on-Cisco 2821---------------

    GE 0/0 = DMZ
    GE 0/1 = Local LAN
    ATM0/0/0 = ISP 1 -//- Dialer 0 -//- pool vpnclient
    ATM0/1/0 = ISP 2 -//- Dialer 1 -//- pool vpnclient-fix

    ------------------------------------------------

    Default route pointed now to Dialer 0

    What is working right now:

    Traffic from inside GE 0/0 to outside via ISP 1 works
    Traffic from outside on Dialer 0 for mail (SMTP 25) and VPN client works.



    Now I want to implement a secondary VPN client pool (backup) on the second
    ATM 0/1/0 interface, and also terminate a LAN-to-LAN VPN connection from
    and to another Cisco 2801 router.



    I know that there can be only one default route to the outside; is
    there a workaround to implement my wishes?



    Thanks in advance



    ---------------------CONFIG------------Router------------------

    C2821-rtr01#wr t
    Building configuration...

    Current configuration : 9324 bytes
    !
    ! No configuration change since last restart
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname C2821-rtr01
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 5
    logging buffered 8192 debugging
    no logging console
    enable secret <REMOVED>
    !
    username administrator privilege 15 secret <REMOVED>

    clock timezone MET 1
    clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
    no network-clock-participate aim 0
    no network-clock-participate aim 1
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login userlist local
    aaa authentication login RADIUS group radius
    aaa authentication login LOCAL local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network GROUPLIST local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    !
    !
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name TEST-DOMAIN
    ip name-server 172.20.1.7
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip ips po max-events 100
    no ftp-server write-enable
    !
    voice-card 0
    no dspfarm
    !
    !
    crypto isakmp policy 1
    authentication pre-share
    !
    crypto isakmp policy 2
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpnclient
    key vpngroup1
    dns 172.20.1.7
    domain TEST-DOMAIN
    pool vpnclient
    acl 106
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map vpnusers 1
    description Client to Site VPN Users
    set transform-set ESP-3DES-SHA
    !
    !
    crypto map CM-VPNCLIENT client authentication list RADIUS
    crypto map CM-VPNCLIENT isakmp authorization list GROUPLIST
    crypto map CM-VPNCLIENT client configuration address respond
    crypto map CM-VPNCLIENT 65000 ipsec-isakmp dynamic vpnusers
    !
    !
    !
    !
    interface GigabitEthernet0/0
    description DMZ
    ip address 10.21.23.222 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface GigabitEthernet0/1
    description Local-LAN
    ip address 172.20.1.222 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl equipment-type CPE
    dsl operating-mode GSHDSL symmetric annex B
    dsl linerate AUTO
    !
    interface ATM0/0/0.1 point-to-point
    description ISP 1
    pvc 2/32
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface ATM0/1/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl equipment-type CPE
    dsl operating-mode GSHDSL symmetric annex B
    dsl linerate AUTO
    !
    interface ATM0/1/0.1 point-to-point
    description ISP 2
    pvc 2/32
    encapsulation aal5mux ppp dialer
    dialer pool-member 2
    !
    !
    interface Dialer0
    description ISP 1
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username ISP1 password removed
    crypto map CM-VPNCLIENT
    !
    interface Dialer1
    description ISP 2
    ip address negotiated
    ip access-group 103 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 2
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username ISP2 password removed
    crypto map CM-VPNCLIENT
    !
    ip local pool vpnclient 10.10.222.1 10.10.222.254
    ip local pool vpnclient-fixed 10.20.222.1 10.20.222.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 105 interface Dialer0 overload
    ip nat inside source static tcp 172.20.1.222 22 interface Dialer0 22
    ip nat inside source static tcp 172.20.1.7 25 80.xxx.yyy.221 25 extendable
    !
    !
    logging 172.20.1.7
    access-list 1 remark INSIDE_IF=GigabitEthernet0/1
    access-list 1 permit 172.20.1.0 0.0.0.255
    access-list 1 permit 10.21.23.0 0.0.0.255

    access-list 3 remark Traffic not to check for intrusion detection
    access-list 3 deny 10.20.222.0 0.0.0.255
    access-list 3 permit any

    access-list 100 remark Auto generated by SDM for NTP (123) 145.7.191.18
    access-list 100 permit udp host 145.7.191.18 eq ntp host 172.20.1.222 eq ntp
    access-list 100 permit ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255
    access-list 100 remark Mailserver to Outside
    access-list 100 permit ip host 172.20.1.7 any
    access-list 100 remark Laptop Service Engineer to Outside
    access-list 100 permit ip host 172.20.1.199 any
    access-list 100 deny ip any any

    access-list 101 remark Inbound rule on Dialer 0
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip 10.10.222.0 0.0.0.255 172.20.1.0 0.0.0.255
    access-list 101 remark ssh from service engineer
    access-list 101 permit ip host 82.161.26.22 any
    access-list 101 remark Inbound mail on server 172.20.1.7
    access-list 101 permit tcp any host 80.xxx.yyy.221 eq smtp
    access-list 101 remark Timeserver NTP (123) ntp
    access-list 101 permit udp host 145.x.xxx.18 eq ntp any eq ntp
    access-list 101 deny ip 10.21.23.0 0.0.0.255 any
    access-list 101 deny ip 172.20.1.0 0.0.0.255 any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log

    access-list 102 remark ISA server from DMZ to Outside
    access-list 102 permit ip host 10.21.23.1 any
    access-list 102 deny ip any any log

    access-list 103 deny ip 10.21.23.0 0.0.0.255 any
    access-list 103 deny ip 172.20.1.0 0.0.0.255 any
    access-list 103 permit icmp any any echo-reply
    access-list 103 permit icmp any any time-exceeded
    access-list 103 permit icmp any any unreachable
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip host 0.0.0.0 any
    access-list 103 deny ip any any log

    access-list 105 remark Traffic to NAT
    access-list 105 deny ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255 log
    access-list 105 permit ip 10.21.23.0 0.0.0.255 any
    access-list 105 permit ip 172.20.1.0 0.0.0.255 any

    access-list 106 remark User to Site VPN Clients
    access-list 106 permit ip 172.20.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    !
    radius-server host 172.20.1.7 auth-port 1645 acct-port 1646 key removed
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    exec-timeout 0 0
    login authentication LOCAL
    transport input telnet ssh
    line vty 5 15
    exec-timeout 0 0
    login authentication LOCAL
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    ntp clock-period 17179449
    ntp update-calendar
    ntp server 145.x.xxx.18 source Dialer0
    !
    end

    C2821-rtr01#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    80.0.0.0/32 is subnetted, 1 subnets
    C 80.xxx.yyy.217 is directly connected, Dialer0
    172.20.0.0/24 is subnetted, 1 subnets
    C 172.20.1.0 is directly connected, GigabitEthernet0/1
    10.0.0.0/24 is subnetted, 1 subnets
    C 10.21.23.0 is directly connected, GigabitEthernet0/0
    194.aaa.b.0/32 is subnetted, 1 subnets
    C 194.aaa.b.245 is directly connected, Dialer0
    195.cc.dd.0/32 is subnetted, 1 subnets
    C 195.cc.dd.217 is directly connected, Dialer1
    62.0.0.0/32 is subnetted, 1 subnets
    C 62.qqq.rrr.48 is directly connected, Dialer1
    S* 0.0.0.0/0 is directly connected, Dialer0
    C2821-rtr01#
    Megane, Aug 9, 2005
    #1
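A config audit added here as an example; it is not part of Megane's post and not a Cisco tool. It parses an embedded, constructed excerpt of the config above and, for every `ip nat outside` interface, checks that an inbound ACL is defined, that the ACL admits IKE (isakmp/non500-isakmp) or ESP when a crypto map is bound, and that a default route exits via that interface. On the posted config it flags Dialer1 twice: ACL 103 permits no IKE/ESP, so the client VPN cannot come up on ISP 2, and with the only default route via Dialer0, replies to sessions arriving on Dialer1 leave via ISP 1.

```python
# Constructed excerpt of the posted config: only the lines the audit needs.
CONFIG = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
 crypto map CM-VPNCLIENT
interface Dialer1
 ip access-group 103 in
 ip nat outside
 crypto map CM-VPNCLIENT
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
"""
IPSEC_TERMS = ("eq isakmp", "eq non500-isakmp", "permit esp")

def parse(text):
    """Group interface sub-commands, numbered ACL entries and default-route exits."""
    interfaces, acls, defaults, current = {}, {}, set(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" ") and current:  # indented sub-command of current interface
            interfaces.setdefault(current, []).append(line.strip())
        else:
            current = None
            if line.startswith("access-list "):
                _, num, entry = line.split(" ", 2)
                acls.setdefault(num, []).append(entry)
            elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
                defaults.add(line.split()[4])  # exit interface or next hop
    return interfaces, acls, defaults

def audit(text):
    """One finding per problem on each 'ip nat outside' (ISP-facing) interface."""
    interfaces, acls, defaults = parse(text)
    findings = []
    for name, cmds in interfaces.items():
        if "ip nat outside" not in cmds:
            continue
        acl = next((c.split()[2] for c in cmds if c.startswith("ip access-group ") and c.endswith(" in")), None)
        if acl not in acls:
            findings.append(f"{name}: inbound ACL {acl} missing or undefined")
        elif any(c.startswith("crypto map") for c in cmds) and not any(
                t in e for e in acls[acl] for t in IPSEC_TERMS):
            findings.append(f"{name}: crypto map bound but ACL {acl} permits no IKE/ESP")
        if name not in defaults:
            findings.append(f"{name}: no default route via this interface; replies leave via another ISP")
    return findings
```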
