Anonymous
Not applicable

Two Site with P2P T1 back up VPN. Primary internet with P2P as backup Internet


Hi Support.  I'm struggling trying to make this work.  I'm in my lab trying to test this.  I have most of it working except.....1 site backup internet.

I have two Sites.

Site A:

192.168.1.0/24 - Local Area Network

10.10.10.1.0/24 - Point to Point t1
2.2.2.2 - Internet


Site B:
192.168.2.0/24 - Local Area Network
10.10.10.2.0/24 - Point to Point t1
3.3.3.3 - Internet

I want to set this up so that the P2P T1 is the main connection between the two local networks (192.168.1.0 and 192.168.2.0)
If the P2P T1 goes down, it automatically fails over to the VPN. - I got this working!

If the internet on Site A goes down - I want it to get secondary internet via P2P - I got this working!

If the internet on Site B goes down - I want it to get secondary internet via P2P.- I can't get this to work......

On site B - I have two problems.  The backup internet via P2P, I can't get this to work.

Site A configuration:

ip local policy route-map LOCAL

probe WAN1 icmp-echo

  destination 142.254.XX.XX - ISP 2 hop down ip address

  source-address 24.173.SITE A IP address

  period 2

  tolerance consecutive fail 5 pass 5

  no shutdown

!

track WAN1

  snmp trap state-change

  test if probe WAN1

  no shutdown

interface eth 0/1

  ip address  24.173.XX.XX  255.255.255.248

  ip access-policy PUBLIC

  crypto map VPN

  media-gateway ip primary

  no shutdown

interface ppp 1

  ip address  10.10.10.1  255.255.255.0

  ip access-policy P2P

  media-gateway ip primary

  no shutdown

  cross-connect 1 t1 1/1 1 ppp 1

route-map LOCAL permit 10

  match ip address WAN1

  set ip next-hop 24.173.XX.XX

  set interface null 0

ip access-list extended MATCHALL

  remark P2P

  permit ip any  any  

!

ip access-list extended P2P

  remark P2P

  permit ip 192.168.1.0 0.0.0.255  any  

!

ip access-list extended VPN-10-vpn-selectors

  remark VPN

  permit ip 192.168.1.0 0.0.0.255  192.168.2.0 0.0.0.255  

!

ip access-list extended WAN1

  permit icmp host 24.173.XX.XX  host 142.254.XX.XX  

!

ip access-list extended web-acl-4

  remark admin

  permit tcp any  any eq https   log

  permit tcp any  any eq ssh   log

ip policy-class P2P

  allow list MATCHALL stateless

  allow list VPN-10-vpn-selectors stateless

!

ip policy-class PRIVATE

  allow list P2P policy P2P stateless

  allow list VPN-10-vpn-selectors stateless

  nat source list MATCHALL interface eth 0/1 overload

!

no ip policy-class PUBLIC rpf-check

ip policy-class PUBLIC

  allow reverse list VPN-10-vpn-selectors stateless

  allow list web-acl-4 self

ip route 0.0.0.0 0.0.0.0 24.173.XX.XX track WAN1

ip route 0.0.0.0 0.0.0.0 10.10.10.2 10

ip route 192.168.2.0 255.255.255.0 10.10.10.2

Site B Configuration:

ip local policy route-map LOCAL

!

probe VpnKeepAliveCedarPark icmp-echo

  destination 192.168.1.1

  source-address 192.168.2.1

  no shutdown

!

probe WAN1 icmp-echo

  destination 216.16.XX.XX

  source-address 216.16.XX.XX

  period 2

  tolerance consecutive fail 5 pass 5

  no shutdown

!

track WAN1

  snmp trap state-change

  test if probe WAN1

  no shutdown

interface eth 0/1

  description PUBLIC

  ip address  216.16.XX.XX  255.255.255.248

  ip access-policy PUBLIC

  crypto map VPN

  media-gateway ip primary

  no shutdown

interface vlan 1

  ip address  192.168.2.1  255.255.255.0

  ip access-policy PRIVATE

  no shutdown

!

interface ppp 1

  ip address  10.10.10.2  255.255.255.0

  ip access-policy P2P

  no shutdown

  cross-connect 1 t1 1/1 1 ppp 1

!

route-map LOCAL permit 10

  match ip address WAN1

  set ip next-hop 216.16.XX.XX

  set interface null 0

!

ip access-list extended VPN-10-vpn-selectors

  permit ip 192.168.2.0 0.0.0.255  192.168.1.0 0.0.0.255  

!

ip access-list extended web-acl-10

  remark NAT

  permit ip any  any  

!

ip access-list extended web-acl-14

  remark NAT FOR REMOTE

  permit ip any  any  

!

ip access-list extended web-acl-4

  remark admin

  permit tcp any  any eq https   log

  permit tcp any  any eq ssh   log

!

ip policy-class P2P

  allow list VPN-10-vpn-selectors stateless

  nat source list web-acl-14 interface eth 0/1 overload

!

ip policy-class PRIVATE

  allow list VPN-10-vpn-selectors stateless

  nat source list web-acl-10 interface eth 0/1 overload

!

no ip policy-class PUBLIC rpf-check

ip policy-class PUBLIC

  allow reverse list VPN-10-vpn-selectors stateless

  allow list web-acl-4 self

!

ip route 0.0.0.0 0.0.0.0 216.16.XX.XX track WAN1

ip route 0.0.0.0 0.0.0.0 10.10.10.1 10

ip route 192.168.1.0 255.255.255.0 10.10.10.1

!

I definitely appreciate the HELP!  Thanks much!

0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Two Site with P2P T1 back up VPN. Primary internet with P2P as backup Internet


I would suggest making the following changes:


The policy-class P2P should look like this:

ip policy-class P2P

    allow list VPN-10-vpn-selectors stateless

    nat source list MATCHALL interface eth 0/1 overload

In its current configuration state, when internet fails over to the PPP connection, the traffic is not being NATted out. This is why you wouldn't be able to get out to the internet. If this doesn't work, do you see the PPP default route when you do a "show ip route" when the eth 0/1 connection is down? It would also be helpful to see the output of a traceroute out to the internet while it is going over the PPP connection.

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor


0 Kudos
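
An added example, not part of the original thread and not ADTRAN code: a small Python model of the P2P policy-class before and after the change suggested above, using the MATCHALL and VPN-10-vpn-selectors lists as posted in the Site A configuration. It assumes policy-class entries are tried top-down and the first matching list decides; the test packet (a Site B LAN host reaching a public address over the T1) is constructed.

```python
import ipaddress
import re

# ACLs as posted in the Site A config (wildcard masks kept as written).
ACLS = {
    "MATCHALL": [("any", "any")],
    "VPN-10-vpn-selectors": [("192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255")],
}
P2P_AS_POSTED = """
ip policy-class P2P
  allow list MATCHALL stateless
  allow list VPN-10-vpn-selectors stateless
"""
P2P_SUGGESTED = """
ip policy-class P2P
  allow list VPN-10-vpn-selectors stateless
  nat source list MATCHALL interface eth 0/1 overload
"""
ENTRY = re.compile(r"^\s*(allow|nat source)(?: reverse)? list (\S+)")


def matches(spec, addr):
    """True if addr falls inside an ACL address spec ('any' or 'net wildcard')."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    # ipaddress accepts the wildcard (host mask) form after the slash.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{wildcard}")


def evaluate(policy, src, dst):
    """Assumed model: entries are tried top-down and the first matching ACL decides."""
    for line in policy.splitlines():
        m = ENTRY.match(line)
        if m and any(matches(s, src) and matches(d, dst) for s, d in ACLS[m[2]]):
            return ("nat" if m[1] == "nat source" else "forward-unchanged", m[2])
    return ("discard", None)


def leaks_private_source(policy, src, dst):
    """Flag a private source address forwarded toward a public destination without NAT."""
    action, _ = evaluate(policy, src, dst)
    private_src = ipaddress.ip_address(src).is_private
    public_dst = not ipaddress.ip_address(dst).is_private
    return action == "forward-unchanged" and private_src and public_dst


# Constructed test packet: a Site B LAN host reaching a public address via the T1.
SRC, DST = "192.168.2.10", "8.8.8.8"
if __name__ == "__main__":
    for name, policy in (("as posted", P2P_AS_POSTED), ("suggested", P2P_SUGGESTED)):
        print(name, evaluate(policy, SRC, DST), leaks_private_source(policy, SRC, DST))
```
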
2 Replies
Anonymous
Not applicable

Re: Two Site with P2P T1 back up VPN. Primary internet with P2P as backup Internet


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor