Question : Two different ISP's on cisco 2821!
Dear All,
I have a situation with a Cisco 2821 router and three interfaces: two Gigabit Ethernet and one serial.
One Gigabit is connected to the LAN!
The other Gigabit is on a wireless link to ISP A.
The serial connection is connected through Frame Relay to ISP B.
I will include the configuration later! Right now there is one tunnel configured through the wireless
link connection. In that case I will need all traffic other than VPN to be routed through the frame relay connection,
which should also be the backup for the existing VPN connection.
Here is the configuration:
hostname cy-2821
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
!
resource policy
!
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
ip subnet-zero
!
!
no ip cef
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool Cisco_Pool
network 192.168.1.0 255.255.255.0
dns-server 172.16.254.1 217.27.32.196
default-router 192.168.1.15
lease 2
!
!
no ip ips sdf builtin
no ip ips deny-action ips-interface
ip ips notify SDEE
no ip ips notify log
ip name-server 172.16.254.1
ip name-server 172.16.254.3
ip name-server 217.27.32.196
!
!
!
crypto pki trustpoint TP-self-signed-3390076426
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3390076426
revocation-check none
rsakeypair TP-self-signed-3390076426
!
!
crypto pki certificate chain TP-self-signed-3390076426
certificate self-signed 01
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key Priv_key address 194.xxx.xxx.xxx
crypto isakmp xauth timeout 15
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.xxx.xxx.xxx
set peer 194.xxx.xxx.xxx
set security-association lifetime kilobytes 4099445
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.15 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description THUNDER-FAST$ETH-WAN$$FW_OUTSIDE$
ip address 217.yyy.yyy.yyy 255.255.255.252
ip access-group 103 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
crypto map SDM_CMAP_1
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
no fair-queue
frame-relay lmi-type q933a
!
interface Serial0/0/0.1 point-to-point
description CYTANET CONNECTION$FW_OUTSIDE$
ip address 195.aaa.aaa.aaa 255.255.255.252
ip access-group 105 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no ip route-cache same-interface
frame-relay interface-dlci 20 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 217.zzz.zzz.zzz <--- DG for wireless Link (ISPA)
ip route 0.0.0.0 0.0.0.0 195.zzz.zzz.zzz 2 <--- DG for FR (ISPB)
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source route-map cytanet interface Serial0/0/0.1 overload
ip nat inside source route-map thunderfast interface GigabitEthernet0/1 overload
!
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 80.bb.bb.bb any
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.15 eq telnet
access-list 101 permit tcp 172.16.254.0 0.0.0.255 host 192.168.1.15 eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.15 eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.15 eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.15 eq 443
access-list 101 permit tcp 172.16.254.0 0.0.0.255 host 192.168.1.15 eq 443
access-list 101 permit tcp 172.16.254.0 0.0.0.255 host 192.168.1.15 eq cmd
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.15 eq cmd
access-list 101 permit ip 172.16.254.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny tcp any host 192.168.1.15 eq telnet
access-list 101 deny tcp any host 192.168.1.15 eq 22
access-list 101 deny tcp any host 192.168.1.15 eq www
access-list 101 deny tcp any host 192.168.1.15 eq 443
access-list 101 deny tcp any host 192.168.1.15 eq cmd
access-list 101 deny udp any host 192.168.1.15 eq snmp
access-list 101 deny ip 195.xx.xx.xx 0.0.0.3 any
access-list 101 deny ip 217.yy.yy.yy 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 172.16.254.3 eq domain any
access-list 103 permit udp host 172.168.254.3 eq domain any
access-list 103 permit udp host 172.16.254.1 eq domain any
access-list 103 permit udp host 217.xxx.xxx.xxx eq domain any
access-list 103 permit tcp host 80.xx.xx.xx host 217.dd.dd.dd eq 22
access-list 103 permit tcp host 80.xx.xx.xx host 217.dd.dd.dd eq 443
access-list 103 permit tcp host 80.xx.xx.xx host 217.dd.dd.dd eq cmd
access-list 103 deny tcp any host 217.ff.ff.ff eq telnet
access-list 103 deny tcp any host 217.ff.ff.ff eq www
access-list 103 deny udp any host 217.ff.ff.ff eq snmp
access-list 103 permit tcp any host 217.ff.ff.ff eq 3389
access-list 103 permit tcp any host 217.ff.ff.ff eq 443
access-list 103 permit udp host 217.xx.xx.xx eq domain host 217.xx.xx.xx
access-list 103 permit ahp host 194.cc.cc.cc host 217.bb.bb.bb
access-list 103 permit esp host 194.cc.cc.cc host 217.bb.bb.bb
access-list 103 permit udp host 194.cc.cc.cc host 217.bb.bb.bb eq isakmp
access-list 103 permit udp host 194.cc.cc.cc host 217.bb.bb.bb eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.254.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 195.14.129.36 0.0.0.3 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit icmp any host 217.aaa.aaa.aaa echo-reply
access-list 103 permit icmp any host 217.aaa.aaa.aaa time-exceeded
access-list 103 permit icmp any host 217.aaa.aaa.aaa unreachable
access-list 103 permit tcp any host 217.aaa.aaa.aaa eq 443
access-list 103 permit tcp any host 217.aaa.aaa.aaa eq 22
access-list 103 permit tcp any host 217.aaa.aaa.aaa eq cmd
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
access-list 104 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq pop3
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 123
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 1723
access-list 104 permit gre 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 143
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 993
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 995
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 465
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 1701
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq 4000
access-list 104 permit icmp 192.168.1.0 0.0.0.255 any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp any host 195.yyy.yyy.yyy eq non500-isakmp
access-list 105 permit udp any host 195.yyy.yyy.yyy eq isakmp
access-list 105 permit esp any host 195.yyy.yyy.yyy
access-list 105 permit ahp any host 195.yyy.yyy.yyy
access-list 105 deny ip 217.yyy.yyy.yyy 0.0.0.3 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit tcp any host 217.yyy.yyy.yyy eq 443
access-list 105 permit icmp any host 195.yyy.yyy.yyy echo-reply
access-list 105 permit icmp any host 195.aaa.aaa.aaa time-exceeded
access-list 105 permit icmp any host 195.aaa.aaa.aaa unreachable
access-list 105 permit tcp any host 195.aaa.aaa.aaa eq 443
access-list 105 permit tcp any host 195.aaa.aaa.aaa eq 22
access-list 105 permit tcp any host 195.aaa.aaa.aaa eq cmd
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 110 remark SDM_ACL Category=18
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 3389
access-list 110 deny ip any any
route-map cytanet permit 10
match ip address 110
match interface Serial0/0/0.1
!
route-map thunderfast permit 10
match ip address 104
match interface GigabitEthernet0/1
!
I also want to make static NAT to internal hosts through the wireless connection, if possible.
Any suggestions?
Thanks!
Answer : Two different ISP's on cisco 2821!
Just set up NAT and configure your wireless interface with "ip nat inside"; you must also configure the outside interface (the interface facing the internet) with "ip nat outside".
ip nat inside source static <inside-local-ip> <inside-global-ip> --- do this for each translation
harbor235 ;}
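One way to put the two requirements of the question (non-VPN traffic out of the frame relay, frame relay as VPN backup) together with the static NAT from the answer, as an added IOS configuration example that is neither the poster's nor the answerer's. It assumes the interface names, ACL numbers and masked addresses exactly as they appear in the question (217.zzz.zzz.zzz and 195.zzz.zzz.zzz are the two ISP next hops); the internal host 192.168.1.50, the IP SLA/track numbers 1 and 2, ACL 120 and the route-map name NONVPN-VIA-FR are constructed here. The `verify-availability ... track` form of `set ip next-hop` and the `interface` form of static port NAT need a 12.3T-or-later IOS; on older images drop the tracking keyword and use a spare public address instead.

```cisco
! Added example, not the poster's running config. Addresses masked as in the
! question; host 192.168.1.50, SLA/track 1-2, ACL 120 and the route-map name
! are assumptions.
!
! 1. Probe each ISP next hop so a dead path is noticed even while the
!    interface stays up/up (typical for a wireless link).
ip sla 1
 icmp-echo 217.zzz.zzz.zzz source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 195.zzz.zzz.zzz source-interface Serial0/0/0.1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! 2. Tie the primary default (wireless, used by the VPN) to track 1; the
!    existing AD-2 floating default via the frame relay then takes over.
no ip route 0.0.0.0 0.0.0.0 217.zzz.zzz.zzz
ip route 0.0.0.0 0.0.0.0 217.zzz.zzz.zzz track 1
ip route 0.0.0.0 0.0.0.0 195.zzz.zzz.zzz 2
!
! 3. Policy-route LAN traffic that is NOT VPN traffic out of the frame relay.
!    Order matters: replies of the port-forwarded host must stay on the
!    wireless (they were translated there), then VPN traffic is left to the
!    routing table, then everything else is forced to the FR next hop.
access-list 120 remark PBR: non-VPN LAN traffic to the frame relay
access-list 120 deny   tcp host 192.168.1.50 eq 3389 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONVPN-VIA-FR permit 10
 match ip address 120
 set ip next-hop verify-availability 195.zzz.zzz.zzz 10 track 2
!
interface GigabitEthernet0/0
 ip policy route-map NONVPN-VIA-FR
!
! 4. Let the crypto map terminate on the frame relay as well, so the tunnel
!    can rebuild from 195.aaa.aaa.aaa when track 1 goes down. The remote peer
!    must accept both of this router's public addresses as its peer.
interface Serial0/0/0.1 point-to-point
 crypto map SDM_CMAP_1
!
! 5. Route-map cytanet currently only translates www and 3389 (ACL 110); once
!    all non-VPN traffic leaves via the FR the rest would exit with private
!    source addresses. Widen ACL 110 to "everything except VPN" (numbered ACL
!    lines append, hence delete-and-recreate).
no access-list 110
access-list 110 remark non-VPN LAN traffic eligible for NAT on the frame relay
access-list 110 deny   ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
! 6. Static NAT towards the wireless. The /30 on GigabitEthernet0/1 has no
!    spare public address, so publish a single port on the interface address
!    rather than a whole host. ACL 103 (inbound on Gi0/1) already permits
!    "tcp any host 217.ff.ff.ff eq 3389"; nothing else needs opening.
ip nat inside source static tcp 192.168.1.50 3389 interface GigabitEthernet0/1 3389
```

Two checks worth running after applying this: `show track brief` should show both tracks Up before you trust the failover, and `show ip nat translations` should list the static entry marked with the wireless address while LAN flows to ordinary Internet hosts appear with the 195.aaa.aaa.aaa address. The inbound ACL 105 on the frame relay admits ISAKMP, ESP and AH from any source; since the backup tunnel only ever has the one peer, those four lines can be narrowed to `host 194.xxx.xxx.xxx` to match what ACL 103 already does on the wireless side.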