Hello
I have a bit of an odd situation. I have a site with a single ADSL WAN with static IP. My local ISP seems to be treating some of my SIP packets in a suspicious manner, which is causing some VOIP feature problems with the end user's IP phones. To sidestep this problem, I have elected to route all SIP and RTP traffic for this user over a point-to-point VPN back to a router within an ISP WAN network that I control, and then route their traffic upstream from there. Doing this has resolved the end user's problems.
However, I would like to set up the end user's 3130 such that if the VPN goes down, traffic will be NAT'd out the ADSL/PPP WAN like standard internet traffic. I have done some reading on these forums and found solutions that address multi-WAN failover, but I haven't come across a solution for failing over from a VPN "stateless" policy entry to a NAT.
Below is a copy of the pertinent parts of my configuration, which presently sends my SIP and VOIP bearer traffic over VPN, while allowing my DNS and NTP-type traffic to route out over the NAT. I imagine what I need to change is something in my VOIP-Private policy, and maybe add a track of some sort?
Thanks!
!
probe VPN-KeepAlive icmp-echo
destination x.x.x.x
source-address 172.16.4.1
period 5
timeout 200
no shutdown
!
ip crypto
!
crypto ike policy 100
initiate aggressive
respond aggressive
local-id fqdn xxxxx
peer x.x.x.x
attribute 1
encryption aes-256-cbc
hash md5
authentication pre-share
!
crypto ike remote-id fqdn xxxxx preshared-key xxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-md5-hmac esp-aes-256-cbc esp-md5-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description xxxxx
match address ip VOIP-LAN_to_Public-VOIP
set peer xxxxx
set transform-set esp-aes-256-cbc-esp-md5-hmac
ike-policy 100
!
vlan 1
name "Default"
!
vlan 2
name "VOICE_LAN"
!
!
interface switchport 0/1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 2
!
interface switchport 0/2
no shutdown
switchport mode trunk
switchport trunk allowed vlan 2
!
interface switchport 0/3
no shutdown
switchport mode trunk
switchport trunk allowed vlan 2
!
interface switchport 0/4
no shutdown
switchport mode trunk
switchport trunk allowed vlan 2
!
interface vlan 1
description Data LAN
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip access-policy Private
no shutdown
!
interface vlan 2
description VOIP LAN
ip address 172.16.4.1 255.255.255.0
no ip proxy-arp
ip access-policy VOIP-Private
no shutdown
!
!
interface ppp 1
ip address negotiated no-default
ip access-policy Public
ip crypto map VPN
no fair-queue
ppp pap sent-username xxxx@xxxx.net password encrypted xxxxxxxxxxx
no lldp send-and-receive
no shutdown
cross-connect 1 atm 1.1 ppp 1
!
!
!
!
ip access-list standard ANY
permit any
!
ip access-list standard VTY
permit x.x.x.x
!
ip access-list extended VOIP-LAN_to_Public-VOIP
permit ip 172.16.4.0 0.0.0.255 x.x.x.x 0.0.0.255
permit ip 172.16.4.0 0.0.0.255 x.x.x.x 0.0.0.255
!
!
!
ip policy-class Private
allow list VTY self
nat source list ANY interface ppp 1 overload
!
ip policy-class Public
allow reverse list VOIP-LAN_to_Public-VOIP stateless
allow list VTY self
!
ip policy-class VOIP-Private
allow list VOIP-LAN_to_Public-VOIP stateless
nat source list ANY interface ppp 1 overload
!
!
ip route 0.0.0.0 0.0.0.0 ppp 1
!
!