routing on Cisco 2821 and two ISPs

---Interfaces---- on-Cisco 2821---------------

GE 0/0 = DMZ

GE 0/1 = Local LAN

ATM0/0/0 = ISP 1 -//- Dialer 0 -//- pool vpnclient

ATM0/1/0 = ISP 2 -//- Dialer 1 -//- pool vpnclient-fix

------------------------------------------------

Default route pointed now to Dialer 0

What is working right now:

Traffic from inside GE 0/0 to outside via ISP 1 works

Traffic from outside on Dialer 0 for mail (SMTP 25) and VPN client works.

Now I want to implement a secondary VPN client pool (backup) on the second ATM 0/1/0 interface, and also termination of a LAN-2-LAN VPN connection from and to another Cisco 2801 router.

I know that there can only be one default route to the outside; is there a work-around to implement my wishes?

Thanks in advance

---------------------CONFIG------------Router------------------

C2821-rtr01#wr t
Building configuration...

Current configuration : 9324 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C2821-rtr01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 5
logging buffered 8192 debugging
no logging console
enable secret
!
username administrator privilege 15 secret

clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication login RADIUS group radius
aaa authentication login LOCAL local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network GROUPLIST local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name TEST-DOMAIN
ip name-server 172.20.1.7
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips po max-events 100
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key vpngroup1
 dns 172.20.1.7
 domain TEST-DOMAIN
 pool vpnclient
 acl 106
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set ESP-3DES-SHA
!
!
crypto map CM-VPNCLIENT client authentication list RADIUS
crypto map CM-VPNCLIENT isakmp authorization list GROUPLIST
crypto map CM-VPNCLIENT client configuration address respond
crypto map CM-VPNCLIENT 65000 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface GigabitEthernet0/0
 description DMZ
 ip address 10.21.23.222 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description Local-LAN
 ip address 172.20.1.222 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface ATM0/0/0.1 point-to-point
 description ISP 1
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
!
interface ATM0/1/0.1 point-to-point
 description ISP 2
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 description ISP 1
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username ISP1 password removed
 crypto map CM-VPNCLIENT
!
interface Dialer1
 description ISP 2
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 2
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ISP2 password removed
 crypto map CM-VPNCLIENT
!
ip local pool vpnclient 10.10.222.1 10.10.222.254
ip local pool vpnclient-fixed 10.20.222.1 10.20.222.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 172.20.1.222 22 interface Dialer0 22
ip nat inside source static tcp 172.20.1.7 25 80.xxx.yyy.221 25 extendable
!
!
logging 172.20.1.7
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.21.23.0 0.0.0.255

access-list 3 remark Traffic not to check for intrusion detection
access-list 3 deny 10.20.222.0 0.0.0.255
access-list 3 permit any

access-list 100 remark Auto generated by SDM for NTP (123) 145.7.191.18
access-list 100 permit udp host 145.7.191.18 eq ntp host 172.20.1.222 eq ntp
access-list 100 permit ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255
access-list 100 remark Mailserver to Outside
access-list 100 permit ip host 172.20.1.7 any
access-list 100 remark Laptop Service Engineer to Outside
access-list 100 permit ip host 172.20.1.199 any
access-list 100 deny ip any any

access-list 101 remark Inbound rule on Dialer 0
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.222.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 remark ssh from service engineer
access-list 101 permit ip host 82.161.26.22 any
access-list 101 remark Inbound mail on server 172.20.1.7
access-list 101 permit tcp any host 80.xxx.yyy.221 eq smtp
access-list 101 remark Timeserver NTP (123) ntp
access-list 101 permit udp host 145.x.xxx.18 eq ntp any eq ntp
access-list 101 deny ip 10.21.23.0 0.0.0.255 any
access-list 101 deny ip 172.20.1.0 0.0.0.255 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

access-list 102 remark ISA server from DMZ to Outside
access-list 102 permit ip host 10.21.23.1 any
access-list 102 deny ip any any log

access-list 103 deny ip 10.21.23.0 0.0.0.255 any
access-list 103 deny ip 172.20.1.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log

access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255 log
access-list 105 permit ip 10.21.23.0 0.0.0.255 any
access-list 105 permit ip 172.20.1.0 0.0.0.255 any

access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.20.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
radius-server host 172.20.1.7 auth-port 1645 acct-port 1646 key removed
!
control-plane
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 0 0
 login authentication LOCAL
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 login authentication LOCAL
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179449
ntp update-calendar
ntp server 145.x.xxx.18 source Dialer0
!
end

C2821-rtr01#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       80.xxx.yyy.217 is directly connected, Dialer0
     172.20.0.0/24 is subnetted, 1 subnets
C       172.20.1.0 is directly connected, GigabitEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.21.23.0 is directly connected, GigabitEthernet0/0
     194.aaa.b.0/32 is subnetted, 1 subnets
C       194.aaa.b.245 is directly connected, Dialer0
     195.cc.dd.0/32 is subnetted, 1 subnets
C       195.cc.dd.217 is directly connected, Dialer1
     62.0.0.0/32 is subnetted, 1 subnets
C       62.qqq.rrr.48 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Dialer0
C2821-rtr01#
Megane
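A check worth running before VPN termination is moved onto Dialer1, added here as an illustration and not part of the original post or of any Cisco tooling: it parses numbered extended ACL entries in the IOS format shown above and asks, for each WAN access list, whether an arbitrary Internet peer would be allowed to send ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP to the interface. The sample input is a constructed excerpt of ACL 101 (applied inbound on Dialer0) and ACL 103 (inbound on Dialer1) taken from the posted config, obfuscated addresses kept as posted. Top-down first-match evaluation with an implicit deny at the end is how IOS ACLs behave; treating only "any any" entries as decisive for an unknown peer is a simplification of this script. On the posted config it reports that 103, unlike 101, never permits any of the three, so IKE and ESP arriving on Dialer1 would be dropped by its final deny before the crypto map bound to that interface ever sees them.

```python
import re

# Constructed sample: an excerpt of the two inbound WAN access lists from the
# posted config (ACL 101 is applied "in" on Dialer0, ACL 103 "in" on Dialer1).
# Obfuscated addresses are kept as posted; a remark line is included on purpose.
SAMPLE_CONFIG = """\
access-list 101 remark Inbound rule on Dialer 0
access-list 101 permit ip 10.10.222.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 permit tcp any host 80.xxx.yyy.221 eq smtp
access-list 101 permit udp host 145.x.xxx.18 eq ntp any eq ntp
access-list 101 deny ip 10.21.23.0 0.0.0.255 any
access-list 101 deny ip 172.20.1.0 0.0.0.255 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 103 deny ip 10.21.23.0 0.0.0.255 any
access-list 103 deny ip 172.20.1.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
"""

# Services an interface carrying "crypto map CM-VPNCLIENT" must accept from any
# peer: ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50).
VPN_SERVICES = {"isakmp": ("udp", "500"), "nat-t": ("udp", "4500"), "esp": ("esp", None)}
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500", "smtp": "25", "ntp": "123"}
ENTRY_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$")


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier, mapping known names to numbers."""
    if i < len(tokens) and tokens[i] == "eq":
        return PORT_NAMES.get(tokens[i + 1], tokens[i + 1]), i + 2
    return None, i


def parse_acls(text):
    """Parse numbered extended ACL entries in configuration order. Remarks and
    unrelated lines are skipped; trailing qualifiers ('log', ICMP types) go to 'extra'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        entries.append({"acl": acl, "action": action, "proto": proto, "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "extra": tokens[i:]})
    return entries


def decision_for_any_peer(entries, proto, dport):
    """IOS evaluates an ACL top-down, first match wins, implicit deny at the end.
    For an unknown Internet peer only 'any any' entries can be decisive, so
    address-scoped entries are skipped (a simplification of this script)."""
    for e in entries:
        if e["src"] != "any" or e["dst"] != "any":
            continue
        if e["proto"] not in ("ip", proto):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def vpn_readiness(config_text):
    """Per ACL number: permit/deny verdict for each service in VPN_SERVICES."""
    entries = parse_acls(config_text)
    report = {}
    for acl in sorted({e["acl"] for e in entries}):
        mine = [e for e in entries if e["acl"] == acl]
        report[acl] = {name: decision_for_any_peer(mine, proto, port)
                       for name, (proto, port) in VPN_SERVICES.items()}
    return report


if __name__ == "__main__":
    for acl, verdicts in vpn_readiness(SAMPLE_CONFIG).items():
        blocked = [s for s, v in verdicts.items() if v != "permit"]
        print(f"ACL {acl}: {verdicts} -> {'OK' if not blocked else 'blocks ' + str(blocked)}")
```

Run as-is it prints one verdict line per ACL; to audit the live router, paste in the output of `show run | include access-list` instead of the sample. The same comparison is useful whenever two WAN interfaces are meant to be interchangeable: a backup termination point whose inbound ACL was never given the permits of the primary fails over to nothing.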

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.