Access to Internet via satellite and 3G connection (Vodafone) - Cisco 1841

 

 Assumptions:

 

  • satellite connection has priority over the 3G connection
  • 3G (HSDPA, 3G, EDGE, etc.) is via Vodafone
  • users are using a private IP schema
  • for traffic filtering we use Zone Based Firewall (ZBF)

 

  • 1. Check signal level

#show cellular 0/0/0 radio

 

(screenshot: cisco3g-1.png, output of show cellular 0/0/0 radio)

RSSI should be better than -90 dBm, and ideally better than -80 dBm (in our case -61 dBm using an external antenna).

 

  • 2. Check modem status and firmware version

#show cellular 0/0/0 hardware

 

(screenshot: cisco3g-2.png, output of show cellular 0/0/0 hardware)

 

Based on this output the modem has been activated and is online.

 

  • 3. Create chat-script

(config)#chat-script gsm "" "ATDT*99#" TIMEOUT 60 "CONNECT"

 

  • 4. Configure cellular interface 0/0/0

(config)#interface cellular 0/0/0

(config-if)#ip address negotiated

(config-if)#ip nat outside

(config-if)#ip virtual-reassembly

(config-if)#encapsulation ppp

(config-if)#dialer idle-timeout 0

(config-if)#dialer in-band

(config-if)#dialer string gsm

(config-if)#dialer-group 1

(config-if)#async mode interactive

(config-if)#ppp chap hostname web

(config-if)#ppp chap password 0 web

(config-if)#ppp ipcp dns request

 

  • 5. Configure line 0/0/0

(config)#line 0/0/0

(config-line)#script dialer gsm

(config-line)#modem InOut

(config-line)#no exec

(config-line)#transport input all

(config-line)#transport output all

  • 6. Permit traffic via 3G

(config)#access-list 1 remark 3g

(config)#access-list 1 permit any

(config)#dialer-list 1 protocol ip list 1

  • 7. Configure satellite connection

(config)#interface Gi0/1

(config-if)#description Satellite

(config-if)#ip address dhcp

(config-if)#no ip virtual-reassembly in

(config-if)#ip nat outside

  • 8. Configure LAN

(config)#interface Gi0/0

(config-if)#description LAN

(config-if)#ip address 10.44.179.65 255.255.255.224

(config-if)#no shut

(config-if)#ip nat inside

 

  • 9. Configure DHCP server

(config)#ip dhcp pool LAN

(dhcp-config)#network 10.44.179.64 255.255.255.224

(dhcp-config)#dns-server 8.8.8.8

(dhcp-config)#domain-name danpol.net

(dhcp-config)#default-router 10.44.179.65

  • 10. Configure NAT

(config)#access-list 108 permit ip 10.44.179.64 0.0.0.31 any

ACL for NAT (the LAN /27).

(config)#route-map C permit 10

(config-route-map)#match ip address 108

(config-route-map)#match interface Cellular0/0/0

(config)#route-map G permit 10

(config-route-map)#match ip address 108

(config-route-map)#match interface GigabitEthernet0/1

(config)#ip nat inside source route-map C interface Cellular0/0/0 overload

(config)#ip nat inside source route-map G interface GigabitEthernet0/1 overload

We have to use route-maps (one per outside interface) so that traffic is translated and sent via the second connection if the first one is broken.

We can also configure pseudo load-balancing by routing some traffic via the first circuit and the rest via the second.

 

  • 11. Configure routing

(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1 100

(config)#ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 200

In my case I could afford to set it up that way, as I always get the same gateway IP.

Also, for checking interface status in a production environment it is better to use "track" instead of a metric.
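As an added example (not from the original post), this is the "track" approach the author recommends, applied to the two default routes of step 11; it assumes IOS 12.4(4)T-or-later IP SLA syntax and probes the same 192.168.0.1 satellite gateway from Gi0/1:

```cisco
! Probe the satellite gateway every 10 s, sourced from the satellite interface.
! Pinging the next hop only detects a dead modem or cable; to catch an
! upstream outage, probe a far host instead and pin it to the satellite
! gateway with a /32 static route (that host then always uses satellite).
ip sla 1
 icmp-echo 192.168.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe; the delays damp flapping so one
! lost reply does not swing all traffic to 3G and straight back.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! The satellite default route is withdrawn when track 1 goes down, so the
! floating static via 3G (AD 200) takes over instead of relying on the
! interface line state alone.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 100 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 200
```

"show track 1" and "show ip sla statistics 1" show the probe and track state; because the NAT route-maps from step 10 match on the outgoing interface, new translations follow the route change without further NAT changes.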

 

  • 12. Configure ZBF for LAN-to-Internet traffic

(config)#zone security lan

(config-sec-zone)#description Lan_network

(config)#zone security WAN1

(config-sec-zone)#description for_future_adsl

(config)#zone security WAN2

(config-sec-zone)#description satellite

(config)#zone security WAN3

(config-sec-zone)#description 3g

In the future I plan to add an ADSL link, so the WAN1 zone will be for it.

(config)#class-map type inspect match-any internet_access

(config-cmap)#match protocol icmp

(config-cmap)#match protocol telnet

(config-cmap)#match protocol ssh

(config-cmap)#match protocol http

(config-cmap)#match protocol https

(config-cmap)#match protocol dns

(config-cmap)#match protocol ftp

(config-cmap)#match protocol citrix

(config-cmap)#match protocol citriximaclient

Class-map for internet traffic

(config)#policy-map type inspect Internet

(config-pmap)#class type inspect internet_access

(config-pmap-c)#inspect

(config-pmap)#class class-default

(config-pmap-c)#drop log

Policy-map for internet traffic.

Logging every dropped packet in class-default can cause high CPU usage.

(config)#zone-pair security LAN-WAN2 source lan destination WAN2

(config-sec-zone-pair)#description lan-to-internet-via-sat

(config-sec-zone-pair)#service-policy type inspect Internet

Assigning policy-map Internet to zone-pair LAN-WAN2 (satellite).

(config)#zone-pair security LAN-WAN3 source lan destination WAN3

(config-sec-zone-pair)#description lan-to-internet-via-3g

(config-sec-zone-pair)#service-policy type inspect Internet

Assigning policy-map Internet to zone-pair LAN-WAN3 (3G).

(config)#interface gi0/0

(config-if)#zone-member security lan

Add interface Gi0/0 to zone lan.

(config)#interface gi0/1

(config-if)#zone-member security WAN2

Add interface Gi0/1 to zone WAN2.

(config)#interface cellular 0/0/0

(config-if)#zone-member security WAN3

Add interface Cellular0/0/0 to zone WAN3.

  • 13. Configure ZBF for traffic to/from the router

(config)#access-list 150 permit ip any any

(config)#class-map type inspect match-any router

(config-cmap)#match access-group 150

(config)#policy-map type inspect self

(config-pmap)#class type inspect router

(config-pmap-c)#inspect

(config)#zone-pair security self-WAN2 source self destination WAN2

(config-sec-zone-pair)#description self-wan2

(config-sec-zone-pair)#service-policy type inspect self

Traffic can go from the router to the Internet via WAN2.

(config)#zone-pair security self-WAN3 source self destination WAN3

(config-sec-zone-pair)#description self-wan3

(config-sec-zone-pair)#service-policy type inspect self

Traffic can go from the router to the Internet via WAN3.

(config)#ip access-list extended management_ACL

(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq telnet

(config-ext-nacl)#permit tcp x.x.x.x 0.0.0.255 any eq ssh

(config)#class-map type inspect match-any management_access

(config-cmap)#match access-group name management_ACL

(config)#policy-map type inspect Mgmt

(config-pmap)#class type inspect management_access

(config-pmap-c)#inspect

(config)#zone-pair security WAN2-self source WAN2 destination self

(config-sec-zone-pair)#description mgmt-via-satellite

(config-sec-zone-pair)#service-policy type inspect Mgmt

We allow management traffic (telnet and SSH from the x.x.x.x/24 management network) to the router via WAN2; everything else from WAN2 to the router falls into class-default and is dropped.

Note that the self zone is the exception to ZBF's default deny: since no WAN3-to-self zone-pair is defined, traffic arriving on the 3G interface and addressed to the router itself is allowed by default, so a WAN3-to-self pair with a restrictive policy is needed if that path is to be filtered as well.

  • 14. Configure EasyVPN server on ASA (hub)

(config)#access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

ACL for NAT 0 (NAT exemption for traffic between 10/8 networks).

(config)#access-list r_office permit ip 10.0.0.0 255.0.0.0 10.44.179.64 255.255.255.224

ACL for VPN traffic (the split-tunnel list).

(config)#nat (inside) 0 access-list nonat

NAT 0 definition.

(config)#group-policy city internal

(config)#group-policy city attributes

(config-group-policy)#split-tunnel-policy tunnelspecified

(config-group-policy)#split-tunnel-network-list value r_office

(config-group-policy)#nem enable

(config-group-policy)#password-storage enable

(config-group-policy)#webvpn

Group-policy for the remote office. Password-storage allows the EasyVPN client to save the password; if we do not enable it, we have to type the password every time we connect to the hub office.

(config)#username city password test

Login and password for connecting to the EasyVPN server.

(config)#crypto ipsec transform-set easyvpn esp-aes esp-sha-hmac

Phase 2 definition

(config)#crypto dynamic-map CPN-DYNAMIC 10 set transform-set easyvpn

Dynamic crypto-map definition

(config)#crypto map CPN 160 ipsec-isakmp dynamic CPN-DYNAMIC

Assign the dynamic map to crypto map CPN (the crypto map must also be bound to the outside interface with "crypto map CPN interface outside" for it to take effect).

(config)#isakmp enable outside

(config)#isakmp policy 160 authentication pre-share

(config)#isakmp policy 160 encryption des

(config)#isakmp policy 160 hash md5

(config)#isakmp policy 160 group 2

ISAKMP policy. DES and MD5 are what this hub uses; both are weak by today's standards, and AES with SHA (as already used in the phase 2 transform-set) should be preferred where both ends support it.

(config)#tunnel-group city type ipsec-ra

(config)#tunnel-group city general-attributes

(config-tunnel-general)#default-group-policy city

(config)#tunnel-group city ipsec-attributes

(config-tunnel-ipsec)#pre-shared-key test

Tunnel-group definition

 

  • 15. Configure EasyVPN client in the remote office

(config)#crypto ipsec client ezvpn CPN

(config-crypto-ezvpn)#username city password test

(config-crypto-ezvpn)#connect auto

(config-crypto-ezvpn)#group city key test

(config-crypto-ezvpn)#mode network-extension

(config-crypto-ezvpn)#peer x.x.x.x

x.x.x.x is the hub IP.

EasyVPN client configuration.

(config)#interface gi0/1

(config-if)#crypto ipsec client ezvpn CPN

Assign the EasyVPN profile to the interface.

 

 

 

dzbanek 2012-10-17

 
