UPDATE: 20.12.2013

I did as John Kennedy suggested. However, the traffic was still routed OUT the slow-WAN interface. I created a separate route-map for the other LAN interface. This is the config and the show output:

At the time of executing these commands I am actually SSHed in from the VPN. I also tried to disconnect and reconnect again, just in case.

You may notice below that when I execute a show access-list command there are no matched packets for the ESP or AHP protocols.

Also, for the newly created route-map REDIRECT-VIA-FAST-WAN2 there are no matched packets, yet my VPN-assigned IP address is in the 192.168.5.0 subnet.
```
Router# sh run inter fa0/1.10
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 ip policy route-map REDIRECT-VIA-FAST-WAN2
 no cdp enable
end
Router#
Router#sh run inter fa0/1.20
Building configuration...

Current configuration : 251 bytes
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
end
Router#
Router#sh route-map
route-map REDIRECT-VIA-FAST-WAN2, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN2
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 0 packets, 0 bytes
!
route-map REDIRECT-VIA-FAST-WAN, permit, sequence 10
  Match clauses:
    ip address (access-lists): REDIRECT-VIA-FAST-WAN
  Set clauses:
    ip next-hop 88.XX.XX.73
  Policy routing matches: 1948323 packets, 2212263065 bytes
!
Router#
Router#sh access-lists REDIRECT-VIA-FAST-WAN
Extended IP access list REDIRECT-VIA-FAST-WAN
    10 deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255 (2068620 matches)
    20 permit tcp host 10.10.0.43 eq 443 9675 any (1948603 matches)
    30 permit esp any any
    40 permit ahp any any
!
!!! NOTE: THESE ENTRIES WERE ADDED AFTERWARDS JUST IN CASE.
!!! ALSO THE ROUTER ITSELF CORRECTED THE PORT NUMBERS INTO THE CORRESPONDING PROTOCOLS
    50 permit udp any any eq isakmp
    60 permit udp any any eq 10000
!
!!! I MAY ASSUME THAT THE CORRECTED ENTRY non500-isakmp ACTUALLY MEANS "THIS WILL NOT BE USED FOR ISAKMP"
    70 permit udp any any eq non500-isakmp
    80 permit tcp any any eq 4500
Router#sh access-lists REDIRECT-VIA-FAST-WAN2
Extended IP access list REDIRECT-VIA-FAST-WAN2
    10 permit ahp any any
    20 permit esp any any
    30 permit udp any any eq isakmp
    40 permit udp any any eq 10000
    50 permit udp any any eq non500-isakmp
    60 permit tcp any any eq 4500
Router#
```
Policy Based Routing for VPN connections with VPN Client configuration
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete, but I haven't had the time lately to switch to SSL VPN).

The router has two WAN connections. One is the primary WAN ("slow WAN", a link with slower upload, 10D/1U Mbps) and it is used by the employees' corporate workstations. The other is our backup link. It has a higher upload speed, 11D/11U Mbps ("fast WAN"), and so we also use this high-upload link for our web server (I have done this using PBR just for the HTTP traffic from the web server). For numerous other reasons we cannot use the fast WAN connection as our primary connection; it is used only as a failover in case the primary link fails.

The fast WAN also has a static IP address, and we use this static IP for the VPN Client configuration.

Now the thing is that, because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the fast WAN interface but exits from the slow WAN interface. And because the slow WAN has only 1 Mbps upload, the VPN connection is slow.

Is there any way for us to redirect the VPN traffic to always use the fast WAN interface and take advantage of the 11 Mbps upload speed of that connection?

Below is a sanitized config of our router:
```
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group dc
 key ***
 dns 192.168.5.7
 domain corp.local
 pool SDM_POOL_1
 acl 101
 max-users 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group dc
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description *WAN*
 no ip address
 ip mtu 1396
 duplex auto
 speed auto
!
interface FastEthernet0/0.3
 description FAST-WAN-11D-11U
 encapsulation dot1Q 3
 ip address 88.XX.XX.75 255.255.255.248
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.4
 description SLOW-WAN-10D-1U
 encapsulation dot1Q 4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description *LOCAL*
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 no cdp enable
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 !
 !!! NOTE: This route map is used to PBR the http traffic for our server
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3
 no ip address
!
interface Virtual-Template4
 no ip address
!
!
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!
!
!
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
!
!
!
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
!
!
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FAST-WAN-NAT
 permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit icmp 192.168.5.0 0.0.0.255 any
 permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
 deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
 permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 any
!
!
route-map FAST-WAN-NAT-RMAP permit 10
 match ip address FAST-WAN-NAT
 match interface FastEthernet0/0.3
!
route-map REDIRECT-VIA-FAST-WAN permit 10
 match ip address REDIRECT-VIA-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
route-map SLOW-WAN-NAT-RMAP permit 10
 match ip address SLOW-WAN-NAT
 match interface FastEthernet0/0.4
!
!
```

P.S. Also feel free to suggest a better (more descriptive) name for this post.
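The zero hit counts on the ESP/AHP/ISAKMP entries and on REDIRECT-VIA-FAST-WAN2 in the update follow from where IOS evaluates policy routing: an interface-level `ip policy route-map` is consulted only for packets received on that interface. The ESP and ISAKMP packets the router itself sends back to a VPN client (the direction that leaves via the slow WAN) are router-originated and never enter Fa0/1.10 or Fa0/1.20, and a VPN client's decapsulated packets enter on the virtual-template (virtual-access) interface rather than on the VLAN 10 subinterface, even though their addresses are in 192.168.5.0/24. The Python model below is an added example, not code from the original post: it parses the two ACLs exactly as printed in the `show access-lists` output (counters stripped), reproduces IOS first-match and wildcard-mask semantics including the multi-port `eq 443 9675` form, and replays a few constructed packets through the ingress-dependent lookup. The `203.0.113.x`/`198.51.100.x` addresses, the packet samples and the `LOCAL_POLICY`/`INTERFACE_POLICY` tables are assumptions built from the posted config; the IOS `ip local policy route-map` command referred to in the comments is the real command for policy-routing locally generated traffic.

```python
# Added example (not from the original post): a model of how a Cisco IOS
# extended ACL plus an interface-level "ip policy route-map" decide whether a
# packet is policy-routed. ACL text is the poster's "show access-lists" output
# with hit counters removed; interface names come from the posted config.
# Sample packets and the 203.0.113.x / 198.51.100.x addresses are constructed
# (they stand in for the sanitized 88.XX.XX.x public addresses).
import ipaddress
import re

# Keywords IOS substitutes for well-known UDP ports (as seen in the post)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

ACL_REDIRECT = """\
10 deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
20 permit tcp host 10.10.0.43 eq 443 9675 any
30 permit esp any any
40 permit ahp any any
50 permit udp any any eq isakmp
60 permit udp any any eq 10000
70 permit udp any any eq non500-isakmp
80 permit tcp any any eq 4500
"""
ACL_REDIRECT2 = """\
10 permit ahp any any
20 permit esp any any
30 permit udp any any eq isakmp
40 permit udp any any eq 10000
50 permit udp any any eq non500-isakmp
60 permit tcp any any eq 4500
"""
_IPV4 = re.compile(r"\d+(\.\d+){3}")

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":  # IOS: all-zero wildcard means a single host
        return ipaddress.ip_network(tok + "/32")
    # A wildcard is a host mask (0 bits must match); ipaddress accepts it directly
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)

def _parse_ports(tokens):
    """Consume an optional 'eq p1 [p2 ...]' clause; an empty set means any port."""
    ports = set()
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        while tokens and tokens[0] not in ("any", "host") and not _IPV4.fullmatch(tokens[0]):
            tok = tokens.pop(0)
            ports.add(PORT_NAMES[tok] if tok in PORT_NAMES else int(tok))
    return ports

def parse_acl(text):
    """Parse numbered 'show access-lists' entries into an ordered list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        ace, rest = {"seq": int(t[0]), "action": t[1], "proto": t[2]}, t[3:]
        ace["src"], ace["sports"] = _parse_addr(rest), _parse_ports(rest)
        ace["dst"], ace["dports"] = _parse_addr(rest), _parse_ports(rest)
        aces.append(ace)
    return aces

def acl_lookup(aces, pkt):
    """First matching ACE wins; (None, 'deny') models the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for a in aces:
        if a["proto"] not in ("ip", pkt["proto"]):
            continue
        if src not in a["src"] or dst not in a["dst"]:
            continue
        if a["sports"] and pkt.get("sport") not in a["sports"]:
            continue
        if a["dports"] and pkt.get("dport") not in a["dports"]:
            continue
        return a["seq"], a["action"]
    return None, "deny"

ROUTE_MAPS = {  # both route-maps set the same next hop (the fast-WAN gateway)
    "REDIRECT-VIA-FAST-WAN": {"acl": parse_acl(ACL_REDIRECT), "next_hop": "88.XX.XX.73"},
    "REDIRECT-VIA-FAST-WAN2": {"acl": parse_acl(ACL_REDIRECT2), "next_hop": "88.XX.XX.73"},
}
# "ip policy route-map" is consulted only for packets *received* on that interface.
INTERFACE_POLICY = {
    "FastEthernet0/1.10": "REDIRECT-VIA-FAST-WAN2",
    "FastEthernet0/1.20": "REDIRECT-VIA-FAST-WAN",
    "Virtual-Template1": None,  # decapsulated VPN-client packets enter here; no policy
    "FastEthernet0/0.3": None,  # fast WAN; the client's inbound ESP arrives here
}
# Packets the router itself generates (its ESP/ISAKMP back to the client) are
# covered only by a global "ip local policy route-map", which the config lacks.
LOCAL_POLICY = None

def pbr_decision(ingress, pkt):
    """Return (route_map, next_hop) when PBR redirects the packet, else (None, None).
    ingress is an interface name, or 'local' for router-originated packets."""
    rmap = LOCAL_POLICY if ingress == "local" else INTERFACE_POLICY.get(ingress)
    if rmap is None:
        return None, None
    _, action = acl_lookup(ROUTE_MAPS[rmap]["acl"], pkt)
    # In a PBR ACL a deny means "use the normal routing table", not "drop"
    return (rmap, ROUTE_MAPS[rmap]["next_hop"]) if action == "permit" else (None, None)

SAMPLE_PACKETS = [  # constructed for the demo
    ("web server reply to an Internet client", "FastEthernet0/1.20",
     {"proto": "tcp", "src": "10.10.0.43", "sport": 443, "dst": "203.0.113.9", "dport": 51000}),
    ("web server reply to a VPN pool address", "FastEthernet0/1.20",
     {"proto": "tcp", "src": "10.10.0.43", "sport": 443, "dst": "192.168.5.150", "dport": 51001}),
    ("router's own ESP back to the VPN client", "local",
     {"proto": "esp", "src": "198.51.100.1", "dst": "198.51.100.7"}),
    ("decapsulated VPN client traffic", "Virtual-Template1",
     {"proto": "tcp", "src": "192.168.5.150", "sport": 52000, "dst": "10.10.0.43", "dport": 443}),
]

if __name__ == "__main__":
    for label, ingress, pkt in SAMPLE_PACKETS:
        print(f"{label:42s} ingress={ingress:19s} -> {pbr_decision(ingress, pkt)}")
```

Running the block shows the web server's Internet-bound replies being redirected (the 1948323 matches in the post), its replies to the VPN pool falling through to normal routing via the `deny` entry (correct, since they must go into the tunnel), and the router's own ESP plus the decapsulated client traffic never reaching either route-map, which is why those counters stay at zero regardless of how many ESP/AHP/ISAKMP entries the interface ACLs contain. The knob that covers router-originated ESP and ISAKMP in IOS is a global `ip local policy route-map`, which the posted config does not have.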