0 Replies Latest reply on Jun 28, 2016 11:04 AM by andersenj

    Failover from VPN to NAT - NV3130

    andersenj New Member

      Hello


      I have a bit of an odd situation. I have a site with a single ADSL WAN with a static IP. My local ISP seems to be treating some of my SIP packets in a suspicious manner, which is causing some VoIP feature problems with the end user's IP phones' features. To sidestep this problem, I have elected to route all SIP and RTP traffic for this user over a point-to-point VPN back to a router within an ISP WAN network that I control, and then route their traffic upstream from there. Doing this has resolved the end user's problems.


      However, I would like to set up the end user's 3130 such that if the VPN goes down, traffic will be NAT'd out the ADSL/PPP WAN like standard internet traffic. I have done some reading on these forums and found solutions that address multi-WAN failover, but I haven't come across a solution for failing over from a VPN "stateless" policy entry to NAT.


      Below is a copy of the pertinent parts of my configuration, which presently sends my SIP and VoIP bearer traffic over the VPN while allowing my DNS and NTP-type traffic to route out over the NAT. I imagine what I need to change is something in my VOIP-Private policy, and maybe add a track of some sort?


      Thanks!


      !
      probe VPN-KeepAlive icmp-echo
        destination x.x.x.x
        source-address 172.16.4.1
        period 5
        timeout 200
        no shutdown
      !
      ip crypto
      !
      crypto ike policy 100
        initiate aggressive
        respond aggressive
        local-id fqdn xxxxx
        peer x.x.x.x
        attribute 1
          encryption aes-256-cbc
          hash md5
          authentication pre-share
      !
      crypto ike remote-id fqdn xxxxx preshared-key xxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
      !
      ip crypto ipsec transform-set esp-aes-256-cbc-esp-md5-hmac esp-aes-256-cbc esp-md5-hmac
        mode tunnel
      !
      ip crypto map VPN 10 ipsec-ike
        description xxxxx
        match address ip VOIP-LAN_to_Public-VOIP
        set peer xxxxx
        set transform-set esp-aes-256-cbc-esp-md5-hmac
        ike-policy 100
      !
      vlan 1
        name "Default"
      !
      vlan 2
        name "VOICE_LAN"
      !
      !
      interface switchport 0/1
        no shutdown
        switchport mode trunk
        switchport trunk allowed vlan 2
      !
      interface switchport 0/2
        no shutdown
        switchport mode trunk
        switchport trunk allowed vlan 2
      !
      interface switchport 0/3
        no shutdown
        switchport mode trunk
        switchport trunk allowed vlan 2
      !
      interface switchport 0/4
        no shutdown
        switchport mode trunk
        switchport trunk allowed vlan 2
      !
      interface vlan 1
        description Data LAN
        ip address  192.168.0.1  255.255.255.0
        no ip proxy-arp
        ip access-policy Private
        no shutdown
      !
      interface vlan 2
        description VOIP LAN
        ip address  172.16.4.1  255.255.255.0
        no ip proxy-arp
        ip access-policy VOIP-Private
        no shutdown
      !
      !
      interface ppp 1
        ip address negotiated no-default
        ip access-policy Public
        ip crypto map VPN
        no fair-queue
        ppp pap sent-username xxxx@xxxx.net password encrypted xxxxxxxxxxx
        no lldp send-and-receive
        no shutdown
        cross-connect 1 atm 1.1 ppp 1
      !
      !
      !
      !
      ip access-list standard ANY
        permit any
      !
      ip access-list standard VTY
        permit x.x.x.x
      !
      ip access-list extended VOIP-LAN_to_Public-VOIP
        permit ip 172.16.4.0 0.0.0.255  x.x.x.x 0.0.0.255
        permit ip 172.16.4.0 0.0.0.255  x.x.x.x 0.0.0.255
      !
      !
      !
      ip policy-class Private
        allow list VTY self
        nat source list ANY interface ppp 1 overload
      !
      ip policy-class Public
        allow reverse list VOIP-LAN_to_Public-VOIP stateless
        allow list VTY self
      !
      ip policy-class VOIP-Private
        allow list VOIP-LAN_to_Public-VOIP stateless
        nat source list ANY interface ppp 1 overload
      !
      !
      ip route 0.0.0.0 0.0.0.0 ppp 1
      !
      !