Three ISPs, NAT and PBR problem...

Hello,

Here is the issue.

I've got 3 ISPs. The first ISP (ISP1) is used for SMTP (inbound & outbound) and webmail (HTTPS inbound).

On the second ISP (ISP2) => Web (HTTP, HTTPS, DNS, MSN, etc.) and inbound VPN.

On the third ISP (ISP3) => inbound FTP and HTTP.

This configuration seems to work perfectly, but what I want to do is:

- Use the third ISP (ISP3) for inbound VPN.

OR

- If that's not possible, use the third ISP for outbound web protocols (HTTP, HTTPS, etc.)

I configured Policy Based Routing.

My first attempt at inbound VPN on the third ISP was not a success. In fact, traffic goes through the first SA (client => router) but is not re-encapsulated (router => client) in the second SA. So I think that the default route is the problem??

When I use the "sh ip access-list" command, I never see any change on my access-list for ESP traffic; ESP seems not to match this ACL (access-list 106).

For the second solution (outbound web access through the third ISP), PBR seems to work, but I have the feeling that the router doesn't do any NAT on the interface (FA 0/1). It's really strange and I'm stuck on this!!

Thanks a lot!

Here is my configuration:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:/c1841-advsecurityk9-mz.124-6.T.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip cef
!
ip inspect name CBAC tcp audit-trail on
ip inspect name CBAC udp audit-trail on
ip inspect name CBAC dns audit-trail on
ip inspect name CBAC smtp audit-trail on
ip inspect name CBAC pop3 audit-trail on
ip inspect name CBAC telnet audit-trail on
ip inspect name CBAC http audit-trail on
ip inspect name CBAC https audit-trail on
ip ips sdf location flash:/128MB.sdf
ip ips fail closed
ip ips notify SDEE
ip ips signature 3701 0 disable
ip domain name mydomain.com
ip name-server 10.1.1.7
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key xxxxxxxxxx
 dns 10.1.1.7
 domain mydomaine.com
 pool SDM_POOL_1
 acl 100
 max-users 5
 netmask 255.255.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 description ISP2
 ip address 82.xxx.xxx.xxx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description ISP3
 ip address 84.xxx.xxx.xxx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1/0
 description DMZ
 switchport access vlan 2
 speed 100
!
interface FastEthernet0/1/1
 description Nordnet
 switchport access vlan 3
!
interface FastEthernet0/1/2
 switchport access vlan 4
!
interface FastEthernet0/1/3
!
interface Vlan1
 no ip address
!
interface Vlan2
 description DMZ
 ip address 10.11.1.202 255.255.0.0
 ip inspect CBAC in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
!
interface Vlan3
 description ISP1
 ip address 10.13.1.1 255.255.0.0
 ip nat outside
 ip virtual-reassembly
!
interface Vlan4
 description LAN
 ip address 10.1.1.202 255.255.0.0
 ip inspect CBAC in
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map PBR
!
ip local policy route-map PBR
ip local pool SDM_POOL_1 10.254.0.1 10.254.0.5
ip route 0.0.0.0 0.0.0.0 82.233.201.254 permanent
ip route 0.0.0.0 0.0.0.0 82.229.252.254 100
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 10.1.2.99 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 10.11.1.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.11.1.2 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.11.1.2 20 interface FastEthernet0/1 20
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_3 interface Vlan3 overload
ip nat inside source static tcp 10.1.1.7 25 interface Vlan3 25
ip nat inside source static tcp 10.1.1.7 443 interface Vlan3 443
!
ip access-list extended ISP3
 remark SDM_ACL Category=2
 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.1
 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.2
 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.3
 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.4
 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.5
 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.1
 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.2
 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.3
 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.4
 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.5
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.11.0.0 0.0.255.255 any
!
access-list 2 permit XXXXXXXXXXXXXXXXXXX
access-list 2 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.254.0.0 0.0.255.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.1
access-list 102 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.2
access-list 102 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.3
access-list 102 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.4
access-list 102 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.5
access-list 102 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.1
access-list 102 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.2
access-list 102 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.3
access-list 102 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.4
access-list 102 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.5
access-list 102 permit ip 10.11.0.0 0.0.255.255 any
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.1
access-list 104 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.2
access-list 104 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.3
access-list 104 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.4
access-list 104 deny   ip 10.11.0.0 0.0.255.255 host 10.254.0.5
access-list 104 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.1
access-list 104 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.2
access-list 104 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.3
access-list 104 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.4
access-list 104 deny   ip 10.1.0.0 0.0.255.255 host 10.254.0.5
access-list 104 permit ip 10.11.0.0 0.0.255.255 any
access-list 104 permit ip 10.1.0.0 0.0.255.255 any
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any eq 443 any
access-list 105 permit tcp any eq smtp any
access-list 106 permit esp any any
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp any any eq isakmp
access-list 106 permit tcp any any eq 1723
access-list 106 permit tcp any eq 1723 any
access-list 106 permit gre any any
access-list 106 permit udp any eq non500-isakmp any
access-list 106 permit udp any eq isakmp any
no cdp run
!
route-map PBR permit 10
 match ip address 105
 set ip next-hop 10.13.1.3
!
route-map PBR permit 20
 match ip address 106
 set ip next-hop
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address ISP3
!
route-map SDM_RMAP_3 permit 1
 match ip address 104
!
control-plane
!
banner login ^CCunauthorized access are forbidden !!^C
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 transport input telnet ssh
 transport output none
!
scheduler allocate 20000 1000
!
end

Froggy_Zorgy
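Added example, not part of Froggy_Zorgy's post and not Cisco code: a small Python model of how IOS evaluates the posted route-map PBR, i.e. ordered sequences, each with a match ACL in which a "permit" selects the sequence's next hop, a "deny" only skips that sequence, and an implicit deny at the end of every ACL, together with per-entry hit counters like the ones "sh ip access-list" prints. ACLs 105 and 106 are taken from the post; the sample packets and the documentation-range public addresses are constructed, and sequence 20's missing next hop is carried as None exactly as the posted config shows it. The model covers only the ACL and route-map match logic; it does not model where in the IOS forwarding path PBR runs relative to crypto-map encryption, so it cannot on its own say whether an ESP packet reaches ACL 106, but it does let you check what the policy would do with a given packet before changing anything on the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords as IOS prints them in ACLs; only the ones the posted ACLs use.
PORT_NAMES = {"smtp": 25, "isakmp": 500, "non500-isakmp": 4500}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "esp", "gre", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    text: str                       # the entry as written, kept for display
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        ports_ok = self.sport in (None, p.sport) and self.dport in (None, p.dport)
        return (self.proto in ("ip", p.proto) and ports_ok
                and ipaddress.IPv4Address(p.src) in self.src
                and ipaddress.IPv4Address(p.dst) in self.dst)

def _addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous masks) at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # wildcard = hostmask

def _port(t, i):
    """Parse an optional 'eq <number|keyword>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_ace(text: str) -> Ace:
    """'<permit|deny> <proto> <src> [eq N] <dst> [eq N]' -> Ace."""
    t = text.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return Ace(text, t[0], t[1], src, sport, dst, dport)

class AclSet:
    """Numbered ACLs plus per-entry hit counters, as 'sh ip access-list' shows them."""
    def __init__(self, config_text: str):
        self.acls, self.hits = {}, {}          # num -> [Ace...], (num, idx) -> count
        for line in config_text.strip().splitlines():
            t = line.split()
            if t[0] == "access-list" and t[2] != "remark":
                self.acls.setdefault(int(t[1]), []).append(parse_ace(" ".join(t[2:])))

    def action(self, num: int, p: Packet) -> str:
        for idx, ace in enumerate(self.acls[num]):
            if ace.matches(p):
                self.hits[(num, idx)] = self.hits.get((num, idx), 0) + 1
                return ace.action
        return "deny"                          # implicit deny ends every IOS ACL

    def show(self, num: int):                  # [(entry text, match count), ...]
        return [(a.text, self.hits.get((num, i), 0)) for i, a in enumerate(self.acls[num])]

def policy_route(route_map, acls: AclSet, p: Packet):
    """First sequence whose match ACL permits the packet wins -> (seq, next hop); a deny
    there means 'sequence does not apply', never 'drop'. (None, None): normal routing."""
    for seq, acl_num, nexthop in route_map:
        if acls.action(acl_num, p) == "permit":
            return seq, nexthop
    return None, None

# ACLs 105 and 106 exactly as posted.
ACL_CONFIG = """
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any eq 443 any
access-list 105 permit tcp any eq smtp any
access-list 106 permit esp any any
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp any any eq isakmp
access-list 106 permit tcp any any eq 1723
access-list 106 permit tcp any eq 1723 any
access-list 106 permit gre any any
access-list 106 permit udp any eq non500-isakmp any
access-list 106 permit udp any eq isakmp any
"""
# route-map PBR as posted: (sequence, match ACL, next hop). Sequence 20 shows no
# next-hop address in the posted config, so it is carried here as None.
ROUTE_MAP_PBR = [(10, 105, "10.13.1.3"), (20, 106, None)]

if __name__ == "__main__":                   # demo on constructed packets
    acls = AclSet(ACL_CONFIG)
    print(policy_route(ROUTE_MAP_PBR, acls, Packet("tcp", "10.1.1.7", "203.0.113.10", 25, 51515)))
    print(policy_route(ROUTE_MAP_PBR, acls, Packet("esp", "192.0.2.1", "198.51.100.7")))
    print(*acls.show(106), sep="\n")
```

Running the demo shows the SMTP reply from 10.1.1.7 selecting sequence 10 and next hop 10.13.1.3 (ISP1), an ESP packet selecting sequence 20 with no next hop, and ordinary LAN web traffic matching neither sequence, which is why it follows the default route. Feeding the model the packet you expect to see and comparing its counters with the live "sh ip access-list" output is a quick way to separate "the ACL never matches this packet" from "this packet never reaches the ACL".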
