2 Replies Latest reply on Nov 7, 2013 8:44 AM by noor

    Two Site with P2P T1 back up VPN.  Primary internet with P2P as backup Internet

    touristsis Visitor

      Hi Support.  I'm struggling trying to make this work.  I'm in my lab trying to test this.  I have most of it working except.....1 site's backup internet.

       

      I have two Sites.

       

      Site A:

      192.168.1.0/24 - Local Area Network

      10.10.10.1.0/24 - Point to Point t1
      2.2.2.2 - Internet


      Site B:
      192.168.2.0/24 - Local Area Network
      10.10.10.2.0/24 - Point to Point t1
      3.3.3.3 - Internet

       

      I want to set it up so that the P2P T1 is the main connection between the two local networks (192.168.1.0 and 192.168.2.0).
      If the P2P T1 goes down, it automatically fails over to the VPN. - I got this working!

       

      If the internet on Site A goes down - I want it to get secondary internet via P2P - I got this working!

      If the internet on Site B goes down - I want it to get secondary internet via P2P. - I can't get this to work......

       

      On Site B I have two problems.  The backup internet via P2P, I can't get this to work. 

       

      Site A configuration:

       

      ip local policy route-map LOCAL
      !
      probe WAN1 icmp-echo
        destination 142.254.XX.XX - ISP 2 hop down ip address
        source-address 24.173.SITE A IP address
        period 2
        tolerance consecutive fail 5 pass 5
        no shutdown
      !
      track WAN1
        snmp trap state-change
        test if probe WAN1
        no shutdown
      !
      interface eth 0/1
        ip address  24.173.XX.XX  255.255.255.248
        ip access-policy PUBLIC
        crypto map VPN
        media-gateway ip primary
        no shutdown
      !
      interface ppp 1
        ip address  10.10.10.1  255.255.255.0
        ip access-policy P2P
        media-gateway ip primary
        no shutdown
        cross-connect 1 t1 1/1 1 ppp 1
      !
      route-map LOCAL permit 10
        match ip address WAN1
        set ip next-hop 24.173.XX.XX
        set interface null 0
      !
      ip access-list extended MATCHALL
        remark P2P
        permit ip any  any  
      !
      ip access-list extended P2P
        remark P2P
        permit ip 192.168.1.0 0.0.0.255  any  
      !
      ip access-list extended VPN-10-vpn-selectors
        remark VPN
        permit ip 192.168.1.0 0.0.0.255  192.168.2.0 0.0.0.255  
      !
      ip access-list extended WAN1
        permit icmp host 24.173.XX.XX  host 142.254.XX.XX  
      !
      ip access-list extended web-acl-4
        remark admin
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
      !
      ip policy-class P2P
        allow list MATCHALL stateless
        allow list VPN-10-vpn-selectors stateless
      !
      ip policy-class PRIVATE
        allow list P2P policy P2P stateless
        allow list VPN-10-vpn-selectors stateless
        nat source list MATCHALL interface eth 0/1 overload
      !
      no ip policy-class PUBLIC rpf-check
      ip policy-class PUBLIC
        allow reverse list VPN-10-vpn-selectors stateless
        allow list web-acl-4 self
      !
      ip route 0.0.0.0 0.0.0.0 24.173.XX.XX track WAN1
      ip route 0.0.0.0 0.0.0.0 10.10.10.2 10
      ip route 192.168.2.0 255.255.255.0 10.10.10.2

       

      Site B Configuration:

       

      ip local policy route-map LOCAL
      !
      probe VpnKeepAliveCedarPark icmp-echo
        destination 192.168.1.1
        source-address 192.168.2.1
        no shutdown
      !
      probe WAN1 icmp-echo
        destination 216.16.XX.XX
        source-address 216.16.XX.XX
        period 2
        tolerance consecutive fail 5 pass 5
        no shutdown
      !
      track WAN1
        snmp trap state-change
        test if probe WAN1
        no shutdown
      !
      interface eth 0/1
        description PUBLIC
        ip address  216.16.XX.XX  255.255.255.248
        ip access-policy PUBLIC
        crypto map VPN
        media-gateway ip primary
        no shutdown
      !
      interface vlan 1
        ip address  192.168.2.1  255.255.255.0
        ip access-policy PRIVATE
        no shutdown
      !
      interface ppp 1
        ip address  10.10.10.2  255.255.255.0
        ip access-policy P2P
        no shutdown
        cross-connect 1 t1 1/1 1 ppp 1
      !
      route-map LOCAL permit 10
        match ip address WAN1
        set ip next-hop 216.16.XX.XX
        set interface null 0
      !
      ip access-list extended VPN-10-vpn-selectors
        permit ip 192.168.2.0 0.0.0.255  192.168.1.0 0.0.0.255  
      !
      ip access-list extended web-acl-10
        remark NAT
        permit ip any  any  
      !
      ip access-list extended web-acl-14
        remark NAT FOR REMOTE
        permit ip any  any  
      !
      ip access-list extended web-acl-4
        remark admin
        permit tcp any  any eq https   log
        permit tcp any  any eq ssh   log
      !
      ip policy-class P2P
        allow list VPN-10-vpn-selectors stateless
        nat source list web-acl-14 interface eth 0/1 overload
      !
      ip policy-class PRIVATE
        allow list VPN-10-vpn-selectors stateless
        nat source list web-acl-10 interface eth 0/1 overload
      !
      no ip policy-class PUBLIC rpf-check
      ip policy-class PUBLIC
        allow reverse list VPN-10-vpn-selectors stateless
        allow list web-acl-4 self
      !
      ip route 0.0.0.0 0.0.0.0 216.16.XX.XX track WAN1
      ip route 0.0.0.0 0.0.0.0 10.10.10.1 10
      ip route 192.168.1.0 255.255.255.0 10.10.10.1
      !

      I definitely appreciate the HELP!  Thanks much!
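      The failover in both configs above rests on three pieces: an ICMP probe with `period 2` and `tolerance consecutive fail 5 pass 5`, a `track WAN1` object tied to that probe, and a tracked default route to the ISP backed by a floating default route (administrative distance 10) over ppp 1. The following Python model is an added illustration, not part of this thread and not ADTRAN code. It assumes the usual reading of the tolerance keywords (the probe goes DOWN after 5 consecutive misses and returns UP only after 5 consecutive replies, with one opposite result resetting the count), assumes the default administrative distance of 1 for an untracked static route, and uses 216.16.0.1 as a placeholder for the masked 216.16.XX.XX gateway.

```python
"""Model of probe-driven default-route failover (assumed semantics, not AOS code).

Mirrors the Site B pieces: a probe with 'period 2' and 'tolerance consecutive
fail 5 pass 5', a 'track WAN1' bound to it, a tracked default route to the ISP
and a floating default route (administrative distance 10) over ppp 1.
"""
from dataclasses import dataclass
from typing import Optional

PROBE_PERIOD_SECONDS = 2      # 'period 2' on the probe
ISP_NEXT_HOP = "216.16.0.1"   # placeholder for the masked 216.16.XX.XX gateway
T1_NEXT_HOP = "10.10.10.1"    # Site A end of the ppp 1 link


@dataclass
class Probe:
    """ICMP-echo probe with consecutive-count hysteresis.

    Assumed reading of 'tolerance consecutive fail N pass M': the probe goes
    DOWN after N consecutive misses and only returns UP after M consecutive
    replies; a single opposite result resets the running count.
    """
    fail_threshold: int = 5
    pass_threshold: int = 5
    up: bool = True
    fails: int = 0
    passes: int = 0

    def observe(self, reply_received: bool) -> bool:
        if reply_received:
            self.passes += 1
            self.fails = 0
            if not self.up and self.passes >= self.pass_threshold:
                self.up = True
        else:
            self.fails += 1
            self.passes = 0
            if self.up and self.fails >= self.fail_threshold:
                self.up = False
        return self.up


@dataclass
class StaticRoute:
    next_hop: str
    distance: int = 1            # assumed default administrative distance for a static route
    track: Optional[str] = None  # name of the track object that must be UP, if any


def select_default_next_hop(routes, track_state) -> Optional[str]:
    """Pick the usable default route with the lowest administrative distance.

    A route conditioned on a track object is withdrawn while that track is DOWN,
    which is what lets the distance-10 floating route over ppp 1 take over.
    """
    usable = [r for r in routes if r.track is None or track_state.get(r.track, False)]
    if not usable:
        return None
    return min(usable, key=lambda r: r.distance).next_hop


def seconds_to_failover(period=PROBE_PERIOD_SECONDS, consecutive_fails=5) -> int:
    """Worst-case detection time: N missed probes spaced 'period' seconds apart."""
    return period * consecutive_fails


def failover_trace(probe_replies):
    """Feed a sequence of probe results (True = reply received) and return the
    chosen default next hop after each one."""
    probe = Probe(fail_threshold=5, pass_threshold=5)
    routes = [
        StaticRoute(ISP_NEXT_HOP, distance=1, track="WAN1"),  # ip route 0.0.0.0 0.0.0.0 <isp> track WAN1
        StaticRoute(T1_NEXT_HOP, distance=10),                # ip route 0.0.0.0 0.0.0.0 10.10.10.1 10
    ]
    trace = []
    for reply in probe_replies:
        track_state = {"WAN1": probe.observe(reply)}
        trace.append(select_default_next_hop(routes, track_state))
    return trace


if __name__ == "__main__":
    # Constructed scenario: the ISP path dies for 6 probes, then recovers.
    outage = [False] * 6 + [True] * 6
    for step, hop in enumerate(failover_trace(outage), start=1):
        print(f"probe {step:2d}: default via {hop}")
    print(f"detection takes up to {seconds_to_failover()} s")
```

      Two things the trace makes visible that the config alone does not: with `period 2` and `fail 5` the router keeps sending traffic into a dead ISP link for up to 10 seconds before the floating route takes over, and a single stray reply during an outage resets the fail counter, so a flapping upstream can hold the tracked route in place longer than expected. It also shows why the probe destination matters: if the probed hop answers while something further upstream is broken, the track stays UP and the floating route never installs.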

        • Re: Two Site with P2P T1 back up VPN.  Primary internet with P2P as backup Internet
          Employee

          touristsis - I would suggest making the following changes:


          The policy-class P2P should look like this:

          ip policy-class P2P
              allow list VPN-10-vpn-selectors stateless
              nat source list MATCHALL interface eth 0/1 overload

          In its current configuration state, when internet fails over to the PPP connection, the traffic is not being NATted out. This is why you wouldn't be able to get out to the internet. If this doesn't work, do you see the PPP default route when you do a "show ip route" when the eth 0/1 connection is down? It would also be helpful to see the output of a traceroute out to the internet while it is going over the PPP connection.

           

          Please do not hesitate to let us know if you have any questions.

           

          Thanks,

          Noor

            • Re: Two Site with P2P T1 back up VPN.  Primary internet with P2P as backup Internet
              Employee

              touristsis -

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


              Thanks,

              Noor