One router and 2 DSL lines


A customer decided to order 2 DSL lines and combine them on one Cisco 2821 router onto their LAN.

GE0/0 : DMZ // ISA Server
GE0/1 : inside LAN network (172.20.1.x/24)

DSL 1 : Access to Internet // incoming mail // incoming VPN clients
This part is working.

Added a second WIC. DSL 2: used to set up a site-to-site VPN only, for a remote office with a Cisco 877 router (Local LAN 10.20.1.x/). This remote office only needs the resources on the central site, 172.20.1.x.

The VPN IPsec site-to-site tunnel is connected, but routing is the issue, of course. Is there a way to route the packets for network 10.20.1.x to the correct Dialer interface?

Thanks in advance

===================

rtr-2801#wr t
Building configuration...

Current configuration : 11680 bytes
!
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-2801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 5
logging buffered 8192 debugging
logging console informational
enable secret [REMOVED]
!
username administrator privilege 15 [removed]
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication login RADIUS group radius
aaa authentication login LOCAL local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network GROUPLIST local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name new-2801.nl
ip name-server 172.20.1.7
ip name-server 172.20.1.6
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key [REMOVED] address 82.eee.fff.49
!
crypto isakmp client configuration group vpnclient
 key [REMOVED]
 dns 172.20.1.7 172.20.1.6
 domain new-2801.nl
 pool vpnclient
 acl 106
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set ESP-3DES-SHA
!
!
crypto map CM-LAN2LAN 65001 ipsec-isakmp
 description Tunnel to 82.eee.fff.49
 set peer 82.eee.fff.49
 set transform-set ESP-3DES-SHA
 match address 109
!
crypto map CM-VPNCLIENT client authentication list RADIUS
crypto map CM-VPNCLIENT isakmp authorization list GROUPLIST
crypto map CM-VPNCLIENT client configuration address respond
crypto map CM-VPNCLIENT 65000 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface GigabitEthernet0/0
 description DMZ
 ip address 10.21.23.222 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Local-LAN
 ip address 172.20.1.222 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface ATM0/0/0.1 point-to-point
 description 1e DSL
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface ATM0/1/0.1 point-to-point
 description 2e DSL
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface ATM0/2/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface Dialer0
 description 1 DSL
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username [REMOVED] password [REMOVED]
 crypto map CM-VPNCLIENT
!
interface Dialer1
 description 2e DSL
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 2
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username [REMOVED] password [REMOVED]
 crypto map CM-LAN2LAN
!
ip local pool vpnclient 10.10.222.1 10.10.222.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.20.1.0 255.255.255.0 Dialer1
ip route 82.eee.fff.49 255.255.255.255 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map RMAP_ODE3 interface Dialer1 overload
ip nat inside source static tcp 172.20.1.222 22 interface Dialer0 22
ip nat inside source static 172.20.1.7 80.aaa.bbb.221 route-map SDM_RMAP_2 extendable
ip nat inside source static 172.20.1.7 80.aaa.bbb.222 route-map SDM_RMAP_3 extendable
ip nat inside source static 172.20.1.3 80.aaa.bbb.223 route-map SDM_RMAP_1 extendable
!
!
logging 172.20.1.3
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.21.23.0 0.0.0.255

access-list 3 remark Traffic not to check for intrusion detection
access-list 3 deny 10.20.222.0 0.0.0.255
access-list 3 permit any

access-list 100 remark Inbound on GE 0/1
access-list 100 remark NTP (123) 145.7.191.18
access-list 100 permit udp host 145.7.191.18 eq ntp host 172.20.1.222 eq ntp
access-list 100 permit ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255
access-list 100 remark To ODE3
access-list 100 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 100 remark Intranetserver to Outside
access-list 100 permit ip host 172.20.1.3 any
access-list 100 remark Dataserver to Outside
access-list 100 permit ip host 172.20.1.6 any
access-list 100 remark Mailserver to Outside
access-list 100 permit ip host 172.20.1.7 any
access-list 100 remark WS-Beheer to Outside
access-list 100 permit ip host 172.20.1.10 any
access-list 100 remark Laptop Service Engineer to Outside
access-list 100 permit ip host 172.20.1.199 any
access-list 100 remark Cisco 2801 tbv NTP update
access-list 100 permit ip host 172.20.1.253 any
access-list 100 deny ip any any

access-list 101 remark Inbound rule on Dialer 0
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit ip 10.10.222.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 remark ssh from service engineer
access-list 101 permit ip host 82.iii.jj.22 any
access-list 101 remark Inbound mail (172.20.1.7)
access-list 101 permit tcp any host 80.aaa.bbb.221 eq smtp
access-list 101 remark Timeserver NTP (123) ntp1.kpn.com
access-list 101 permit udp host 145.7.191.18 eq ntp any eq ntp
access-list 101 deny ip 10.21.23.0 0.0.0.255 any
access-list 101 deny ip 172.20.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

access-list 102 remark Inbound on GE 0/0
access-list 102 remark ISA server from DMZ to Outside
access-list 102 permit ip host 10.21.23.1 any
access-list 102 deny ip any any log

access-list 103 remark Dialer 1
access-list 103 permit udp host 82.eee.fff.49 any eq non500-isakmp
access-list 103 permit udp host 82.eee.fff.49 any eq isakmp
access-list 103 permit esp host 82.eee.fff.49 any
access-list 103 permit ahp host 82.eee.fff.49 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit ip 10.20.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log

access-list 104 deny ip host 172.20.1.3 10.10.222.0 0.0.0.255
access-list 104 permit ip host 172.20.1.3 any

access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255 log
access-list 105 permit ip 10.21.23.0 0.0.0.255 any
access-list 105 permit ip 172.20.1.0 0.0.0.255 any

access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.20.1.0 0.0.0.255 any

access-list 107 deny ip host 172.20.1.7 10.10.222.0 0.0.0.255
access-list 107 permit ip host 172.20.1.7 any

access-list 108 deny ip host 172.20.1.7 10.10.222.0 0.0.0.255
access-list 108 permit ip host 172.20.1.7 any

access-list 109 remark Traffic to NAT ODE3
access-list 109 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255

access-list 110 remark IPSec Rule ODE3
access-list 110 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255

dialer-list 1 protocol ip permit

no cdp run
!
route-map RMAP_ODE3 permit 1
 match ip address 110
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map SDM_RMAP_2 permit 1
 match ip address 107
!
route-map SDM_RMAP_3 permit 1
 match ip address 108
!
radius-server host 172.20.1.7 auth-port 1645 acct-port 1646 key [REMOVED]
!
control-plane
!
!
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 0 0
 login authentication LOCAL
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 login authentication LOCAL
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179467
ntp master
ntp update-calendar
ntp server 145.7.191.18 source Dialer0
!
end

rtr-2801# sh crypto isakmp sa
dst             src             state      conn-id  slot
80.aaa.bbb.217  193.ggg.hhh.58  QM_IDLE         45     0
195.cc.dd.217   82.eee.fff.49   QM_IDLE         44     0

rtr-2801#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       80.aaa.bbb.217 is directly connected, Dialer0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.1.0 is directly connected, GigabitEthernet0/1
     82.0.0.0/32 is subnetted, 1 subnets
S       82.eee.fff.49 is directly connected, Dialer1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.21.23.0 is directly connected, GigabitEthernet0/0
S       10.20.1.0 is directly connected, Dialer1
     194.109.5.0/32 is subnetted, 1 subnets
C       194.109.5.245 is directly connected, Dialer0
     195.cc.dd.0/32 is subnetted, 1 subnets
C       195.cc.dd.217 is directly connected, Dialer1
     62.0.0.0/32 is subnetted, 1 subnets
C       62.12.4.48 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Dialer0
rtr-2801#
Reply to
Megane

Check your NAT. You are NATting to that site. Should exclude it. Also, that route map only matches traffic, doesn't do anything with it, i.e. set next hop....

Reply to
jw

It's working OK now, thanks.

Remark 1ste DSL
ip nat inside source route-map dialer0 interface Dialer0 overload
Remark 2e DSL
ip nat inside source route-map dialer1 interface Dialer1 overload
!
route-map dialer0 permit 10
 description Route to DSL1
 match ip address 105
 match interface Dialer0
!
route-map dialer1 permit 10
 description Route to DSL2
 match ip address 110
 match interface Dialer1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 82.ISP.TWO.49 255.255.255.255 Dialer1
ip route 10.20.1.0 255.255.255.0 Dialer1
!
access-list 109 remark Traffic to SITE 2 SITE (crypto map)
access-list 109 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 109 deny ip any any
!
access-list 110 remark Traffic to NAT Rule
access-list 110 deny ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 110 permit ip 172.20.1.0 0.0.0.255 any
access-list 110 deny ip any any
!
access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255 log
access-list 105 permit ip 172.20.1.0 0.0.0.255 any
!

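As an added example (not from the thread), here is a small Python model of the decision the 2801 makes for one outbound packet: which Dialer it leaves on (longest static-route match), whether the NAT overload rule bound to that Dialer rewrites its source, and whether crypto ACL 109 still matches afterwards, since IOS applies inside-to-outside NAT before the crypto map check. It uses the networks and ACL numbers from the thread, before and after the fix; the WAN addresses 192.0.2.1 and 198.51.100.1 and the Internet destination 203.0.113.5 are constructed stand-ins for the redacted ones, and the /32 host route to the redacted peer address is left out.

```python
import ipaddress

# Constructed stand-ins for the redacted Dialer addresses (80.aaa.bbb.217 / 195.cc.dd.217).
WAN_ADDR = {"Dialer0": "192.0.2.1", "Dialer1": "198.51.100.1"}

# Static routes from the posted config; the /32 to the redacted peer is omitted.
ROUTES = [("0.0.0.0/0", "Dialer0"), ("10.20.1.0/24", "Dialer1")]

ANY = ("0.0.0.0", "255.255.255.255")   # "any" as base address + wildcard
NET24 = "0.0.0.255"                     # wildcard for a /24

# ACL entries: (action, src_base, src_wildcard, dst_base, dst_wildcard)
ACL_109_CRYPTO = [("permit", "172.20.1.0", NET24, "10.20.1.0", NET24)]
# Original ACL 110 behind RMAP_ODE3: it PERMITS (i.e. NATs) exactly the tunnel traffic.
ACL_110_ORIGINAL = [("permit", "172.20.1.0", NET24, "10.20.1.0", NET24)]
# ACL 110 from the final post: exempt the tunnel traffic, NAT everything else.
ACL_110_FIXED = [
    ("deny",   "172.20.1.0", NET24, "10.20.1.0", NET24),
    ("permit", "172.20.1.0", NET24, *ANY),
    ("deny",   *ANY, *ANY),
]
# ACL 105 (Dialer0): never NAT traffic toward the client VPN pool 10.10.222.0/24.
ACL_105 = [
    ("deny",   "172.20.1.0", NET24, "10.10.222.0", NET24),
    ("permit", "172.20.1.0", NET24, *ANY),
]
# Which NAT overload ACL is bound to each Dialer, before and after the fix.
ORIGINAL_NAT = {"Dialer0": ACL_105, "Dialer1": ACL_110_ORIGINAL}
FIXED_NAT = {"Dialer0": ACL_105, "Dialer1": ACL_110_FIXED}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def egress_interface(dst):
    """Longest-prefix match over the static routes."""
    d = ipaddress.IPv4Address(dst)
    candidates = [(ipaddress.IPv4Network(net), intf) for net, intf in ROUTES
                  if d in ipaddress.IPv4Network(net)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def forward(src, dst, nat_acls):
    """Route, then NAT, then crypto-map check: the IOS inside-to-outside order."""
    intf = egress_interface(dst)
    natted = acl_permits(nat_acls[intf], src, dst)
    src_on_wire = WAN_ADDR[intf] if natted else src
    # Only Dialer1 carries crypto map CM-LAN2LAN, whose match address is ACL 109.
    encrypted = intf == "Dialer1" and acl_permits(ACL_109_CRYPTO, src_on_wire, dst)
    return {"interface": intf, "natted": natted,
            "src_on_wire": src_on_wire, "encrypted": encrypted}


if __name__ == "__main__":
    for label, nat in (("original", ORIGINAL_NAT), ("fixed", FIXED_NAT)):
        print(label, "LAN -> remote office:", forward("172.20.1.10", "10.20.1.5", nat))
        print(label, "LAN -> Internet:     ", forward("172.20.1.10", "203.0.113.5", nat))
```

With the original ACL 110 the packet to 10.20.1.x leaves Dialer1 with the WAN address as source, so crypto ACL 109 never matches and it goes out unencrypted; with the deny entry first, the source survives NAT and the tunnel picks it up.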

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.