andersenj
New Contributor

Failover from VPN to NAT - NV3130

Hello

I have a bit of an odd situation. I have a site with a single ADSL WAN with a static IP. My local ISP seems to be treating some of my SIP packets in a suspicious manner, which is causing some VOIP feature problems with the end user's IP phone features. To sidestep this problem, I have elected to route all SIP and RTP traffic for this user over a point-to-point VPN back to a router within an ISP WAN network that I control, and then route their traffic upstream from there. Doing this has resolved the end user's problems.

However, I would like to set up the end user's 3130 such that if the VPN goes down, traffic will be NAT'd out the ADSL/PPP WAN like standard internet traffic. I have done some reading on these forums and found solutions that address multi-WAN failover, but I haven't come across a solution for failing over from a VPN "stateless" policy entry to a NAT.

Below is a copy of the pertinent parts of my configuration, which presently sends my SIP and VOIP bearer traffic over VPN, while allowing my DNS and NTP-type traffic to route out over the NAT. I imagine what I need to change is something in my VOIP-Private policy, and maybe add a track of some sort?

Thanks!

!
probe VPN-KeepAlive icmp-echo
  destination x.x.x.x
  source-address 172.16.4.1
  period 5
  timeout 200
  no shutdown
!
ip crypto
!
crypto ike policy 100
  initiate aggressive
  respond aggressive
  local-id fqdn xxxxx
  peer x.x.x.x
  attribute 1
    encryption aes-256-cbc
    hash md5
    authentication pre-share
!
crypto ike remote-id fqdn xxxxx preshared-key xxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-md5-hmac esp-aes-256-cbc esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description xxxxx
  match address ip VOIP-LAN_to_Public-VOIP
  set peer xxxxx
  set transform-set esp-aes-256-cbc-esp-md5-hmac
  ike-policy 100
!
vlan 1
  name "Default"
!
vlan 2
  name "VOICE_LAN"
!
!
interface switchport 0/1
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 2
!
interface switchport 0/2
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 2
!
interface switchport 0/3
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 2
!
interface switchport 0/4
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 2
!
interface vlan 1
  description Data LAN
  ip address  192.168.0.1  255.255.255.0
  no ip proxy-arp
  ip access-policy Private
  no shutdown
!
interface vlan 2
  description VOIP LAN
  ip address  172.16.4.1  255.255.255.0
  no ip proxy-arp
  ip access-policy VOIP-Private
  no shutdown
!
!
interface ppp 1
  ip address negotiated no-default
  ip access-policy Public
  ip crypto map VPN
  no fair-queue
  ppp pap sent-username xxxx@xxxx.net password encrypted xxxxxxxxxxx
  no lldp send-and-receive
  no shutdown
  cross-connect 1 atm 1.1 ppp 1
!
!
!
!
ip access-list standard ANY
  permit any
!
ip access-list standard VTY
  permit x.x.x.x
!
ip access-list extended VOIP-LAN_to_Public-VOIP
  permit ip 172.16.4.0 0.0.0.255  x.x.x.x 0.0.0.255
  permit ip 172.16.4.0 0.0.0.255  x.x.x.x 0.0.0.255
!
!
!
ip policy-class Private
  allow list VTY self
  nat source list ANY interface ppp 1 overload
!
ip policy-class Public
  allow reverse list VOIP-LAN_to_Public-VOIP stateless
  allow list VTY self
!
ip policy-class VOIP-Private
  allow list VOIP-LAN_to_Public-VOIP stateless
  nat source list ANY interface ppp 1 overload
!
!
ip route 0.0.0.0 0.0.0.0 ppp 1
!
!
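The post's VOIP-Private policy-class works because entries are evaluated top-down and the first matching entry wins: anything permitted by the VOIP-LAN_to_Public-VOIP ACL is forwarded un-NATed (and, since the crypto map matches the same ACL, selected for the tunnel), and everything else falls through to the NAT entry. The model below, an added example and not ADTRAN code or anything from the original post, reproduces that evaluation over the poster's ACLs so the classification of a SIP flow versus a DNS flow can be checked. The peer subnets are redacted as x.x.x.x on the page, so the example substitutes the constructed documentation ranges 203.0.113.0/24 and 198.51.100.0/24; the implicit discard at the end of a policy-class is modelled as an assumption. What it makes visible is that the decision depends only on source and destination addresses, never on tunnel state, which is why the same packets keep hitting the stateless entry when the VPN is down.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' ACL line."""
    src: str
    src_wild: str
    dst: str
    dst_wild: str


@dataclass(frozen=True)
class PolicyEntry:
    """One policy-class entry: action ('allow' or 'nat'), ACL name, trailing options."""
    action: str
    acl: str
    options: str = ""


def match_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


# ACLs from the post. 'ANY' is a standard ACL (source-only), modelled with a
# destination wildcard of all ones. Peer ranges are constructed placeholders
# standing in for the redacted x.x.x.x values.
ACLS: Dict[str, List[Ace]] = {
    "ANY": [Ace("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
    "VOIP-LAN_to_Public-VOIP": [
        Ace("172.16.4.0", "0.0.0.255", "203.0.113.0", "0.0.0.255"),   # constructed
        Ace("172.16.4.0", "0.0.0.255", "198.51.100.0", "0.0.0.255"),  # constructed
    ],
}

# 'ip policy-class VOIP-Private' exactly as posted, in order.
VOIP_PRIVATE: List[PolicyEntry] = [
    PolicyEntry("allow", "VOIP-LAN_to_Public-VOIP", "stateless"),
    PolicyEntry("nat", "ANY", "source interface ppp 1 overload"),
]


def acl_permits(acl_name: str, src: str, dst: str) -> bool:
    """True if any ACE in the named ACL permits the src/dst pair (implicit deny otherwise)."""
    return any(
        match_wildcard(src, ace.src, ace.src_wild) and match_wildcard(dst, ace.dst, ace.dst_wild)
        for ace in ACLS[acl_name]
    )


def classify(policy: List[PolicyEntry], src: str, dst: str) -> str:
    """First-match evaluation of a policy-class; returns the winning entry as text.

    The trailing 'discard' models the implicit discard at the end of a
    policy-class (assumption for this example).
    """
    for entry in policy:
        if acl_permits(entry.acl, src, dst):
            return f"{entry.action} {entry.acl} {entry.options}".strip()
    return "discard"


def crypto_map_selects(src: str, dst: str) -> bool:
    """'ip crypto map VPN 10' uses 'match address ip VOIP-LAN_to_Public-VOIP'."""
    return acl_permits("VOIP-LAN_to_Public-VOIP", src, dst)


def is_natted(policy: List[PolicyEntry], src: str, dst: str) -> bool:
    """Convenience: does this flow leave via the NAT entry?"""
    return classify(policy, src, dst).startswith("nat ")


if __name__ == "__main__":
    # Constructed sample flows from a phone on the VOIP LAN.
    flows = [
        ("SIP to VPN peer range", "172.16.4.20", "203.0.113.5"),
        ("RTP to second peer range", "172.16.4.20", "198.51.100.40"),
        ("DNS to public resolver", "172.16.4.20", "8.8.8.8"),
        ("NTP to public server", "172.16.4.20", "192.0.2.123"),
    ]
    for label, src, dst in flows:
        verdict = classify(VOIP_PRIVATE, src, dst)
        tunnel = "selected by crypto map" if crypto_map_selects(src, dst) else "not in crypto ACL"
        print(f"{label:28} {src} -> {dst:15} => {verdict} ({tunnel})")
```

Running it shows the SIP and RTP flows hit `allow VOIP-LAN_to_Public-VOIP stateless` while DNS and NTP fall to `nat ANY source interface ppp 1 overload`, which matches the behaviour described in the post. Because `classify` and `crypto_map_selects` consult the same address-only ACL, a flow can never be NATed by this policy-class while the crypto map wants it, and nothing in either decision changes when the tunnel drops.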
