Cisco dual-ISP access with automatic link failover

Source: Internet
Author: User
Tags: hmac

I recently took on a project: the customer's headquarters is in Huizhou and its branch is in Hong Kong. The Hong Kong branch hosts an ERP server and a mail server. The headquarters egress consists of a China Tietong 10 M optical-fibre line and a new China Netcom 1 M DDN leased line. Originally the headquarters used a NetScreen firewall to build an IPsec VPN to the Hong Kong PIX 515. The customer asked that the new China Netcom DDN leased line be added to carry the ERP traffic exclusively: under normal conditions, headquarters traffic to the ERP server is steered onto the DDN leased line and traffic to the mail server onto the IPsec VPN, but if either link fails, traffic must switch over automatically. For example, if the DDN leased line goes down, the ERP traffic that normally uses it is rerouted over the IPsec VPN, and when the line recovers it switches back automatically. NetScreen supports policy routing, but it does not appear to support link detection (if you know otherwise, please share the information so I can learn). To meet the customer's requirements I recommended a Cisco 1841 router, since Cisco IOS supports both policy routing and link detection. I had read the relevant documentation but had never implemented it before.
Solution:

IP allocation:

Headquarters IP segment: 192.168.1.0/24, gateway 192.168.1.111/24. The NetScreen SSG-140 is deployed in transparent mode.

    R1:  FastEthernet0/0  192.168.1.111/24
         FastEthernet0/1  192.168.2.1/24
    PIX: outside          192.168.2.2/24
         Ethernet0 (inside) 192.168.4.1/24
    R2:  FastEthernet0/0  192.168.4.2/24
         FastEthernet0/1  192.168.5.1/24
         Serial0/0        192.168.3.2/24

Only the key parts of the configuration are listed.

VPN configuration: R1 <---> PIX 515

R1:

Step 1: Define the NAT inside and outside interfaces on the router.

    R1(config)# int f0/0
    R1(config-if)# ip nat inside
    R1(config-if)# exit
    R1(config)# int f0/1
    R1(config-if)# ip nat outside
    R1(config-if)# exit

Step 2: Define the traffic to be NATed (traffic carried over the VPN is excluded from NAT).

    R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    R1(config)# access-list 101 permit ip any any

Step 3: Define the NAT.

    R1(config)# ip nat inside source list 101 interface f0/1 overload

Step 4: Define the traffic of interest, which will be encrypted and sent through the VPN.

    R1(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    R1(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

Step 5: Define the ISAKMP policy.

    R1(config)# crypto isakmp enable                  // enable ISAKMP
    R1(config)# crypto isakmp policy 10
    R1(config-isakmp)# authentication pre-share       // authenticate with a pre-shared key
    R1(config-isakmp)# encryption des                 // encryption algorithm DES
    R1(config-isakmp)# hash md5                       // hash algorithm MD5
    R1(config-isakmp)# group 2                        // Diffie-Hellman group 2

Step 6: Associate the ISAKMP pre-shared key with the peer. The pre-shared key is "cisco123456".

    R1(config)# crypto isakmp identity address
    R1(config)# crypto isakmp key cisco123456 address 192.168.2.2

Step 7: Define the IPsec transform set.

    R1(config)# crypto ipsec transform-set myvpn esp-des esp-md5-hmac
    R1(cfg-crypto-trans)# mode tunnel

Step 8: Define the crypto map.

    R1(config)# crypto map myvpnmap 10 ipsec-isakmp
    R1(config-crypto-map)# match address 102          // load the traffic of interest
    R1(config-crypto-map)# set peer 192.168.2.2        // peer address
    R1(config-crypto-map)# set transform-set myvpn     // select the transform set
    R1(config-crypto-map)# set pfs group2              // perfect forward secrecy, DH group 2 (1024-bit)

Step 9: Apply the crypto map to the outside interface.

    R1(config)# int f0/1
    R1(config-if)# crypto map myvpnmap

PIX:

Step 1: Define the traffic of interest, which will be encrypted and sent through the VPN.

    PIX(config)# access-list no-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    PIX(config)# access-list no-nat extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

Step 2: Traffic sent through the VPN must not be NATed, so it is placed in nat 0, which performs no address translation. Nat 0 is always processed before the other NAT rules (nat 1, nat 2, nat 3, ...).

    PIX(config)# nat (inside) 0 access-list no-nat

Step 3: Use PAT for Internet-bound traffic.

    PIX(config)# nat (inside) 1 0 0
    PIX(config)# global (outside) 1 interface

Step 4: Define the ISAKMP policy.

    PIX(config)# crypto isakmp enable outside                      // enable ISAKMP on the outside interface
    PIX(config)# crypto isakmp policy 10 authentication pre-share  // authenticate with a pre-shared key
    PIX(config)# crypto isakmp policy 10 encryption des            // encryption algorithm DES
    PIX(config)# crypto isakmp policy 10 hash md5                  // hash algorithm MD5
    PIX(config)# crypto isakmp policy 10 group 2                   // DH group 2 (1024-bit)

Step 5: Associate the ISAKMP pre-shared key with the peer. The pre-shared key is "cisco123456".

    PIX(config)# crypto isakmp identity address
    PIX(config)# crypto isakmp key cisco123456 address 192.168.2.1

Step 6: Define the IPsec transform set.

    PIX(config)# crypto ipsec transform-set myvpn esp-des esp-md5-hmac

Step 7: Define the crypto map.

    PIX(config)# crypto map myvpnmap 10 ipsec-isakmp
    PIX(config)# crypto map myvpnmap 10 match address no-nat       // load the traffic of interest
    PIX(config)# crypto map myvpnmap 10 set transform-set myvpn    // select the transform set
    PIX(config)# crypto map myvpnmap 10 set peer 192.168.2.1       // peer address
    PIX(config)# crypto map myvpnmap 10 set pfs group2             // perfect forward secrecy, DH group 2 (1024-bit)

Step 8: Apply the crypto map to the outside interface.

    PIX(config)# crypto map myvpnmap interface outside

Step 9: Let IPsec traffic bypass the interface access lists.

    PIX(config)# sysopt connection permit-ipsec

Next comes the key part of this solution: route selection and link detection.

R1:

Define the traffic of interest for the route-map:

    ip access-list extended lan-erp
     permit ip 192.168.1.0 0.0.0.255 host 192.168.5.53    // ERP server
    ip access-list extended lan-mail
     permit ip 192.168.1.0 0.0.0.255 host 192.168.5.50    // mail server

Enable Cisco IP SLA and track the links dynamically:

    ip sla monitor 1
     type echo protocol ipIcmpEcho 192.168.3.2
    ip sla monitor schedule 1 life forever start-time now
    ip sla monitor 2
     type echo protocol ipIcmpEcho 192.168.2.2
    ip sla monitor schedule 2 life forever start-time now
    track 123 rtr 1 reachability
    track 124 rtr 2 reachability

Route-map for steering the traffic (ERP prefers the DDN line, mail prefers the IPsec VPN; each falls back to the other link when its primary next hop is unreachable):

    route-map test permit 10
     match ip address lan-erp
     set ip next-hop verify-availability 192.168.3.2 1 track 123
     set ip next-hop verify-availability 192.168.2.2 2 track 124
    !
    route-map test permit 20
     match ip address lan-mail
     set ip next-hop verify-availability 192.168.2.2 1 track 124
     set ip next-hop verify-availability 192.168.3.2 2 track 123

R2:

Define the traffic of interest for the route-map:

    ip access-list extended erp-lan
     permit ip host 192.168.5.53 192.168.1.0 0.0.0.255
    ip access-list extended mail-lan
     permit ip host 192.168.5.50 192.168.1.0 0.0.0.255

Enable Cisco IP SLA and track the links dynamically:

    ip sla monitor 1
     type echo protocol ipIcmpEcho 192.168.3.1
    ip sla monitor schedule 1 life forever start-time now
    ip sla monitor 2
     type echo protocol ipIcmpEcho 192.168.2.1
    ip sla monitor schedule 2 life forever start-time now
    track 123 rtr 1 reachability
    track 124 rtr 2 reachability

Route-map for steering the return traffic:

    route-map test permit 10
     match ip address erp-lan
     set ip next-hop verify-availability 192.168.3.1 1 track 123
     set ip next-hop verify-availability 192.168.4.1 2 track 124
    !
    route-map test permit 20
     match ip address mail-lan
     set ip next-hop verify-availability 192.168.4.1 1 track 124
     set ip next-hop verify-availability 192.168.3.1 2 track 123
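A failover design like this fails silently when a route-map refers to an ACL or track object that was never defined, or when a wildcard mask loses an octet in transcription: the policy entry simply never matches and traffic falls through to the routing table. The following is an added example, not code from the original article, of a small consistency checker for the subset of IOS/PIX syntax used above. It runs against a constructed sample modelled on the R1 configuration into which three defects have been planted deliberately (a three-octet wildcard, a track whose IP SLA monitor is missing, and a route-map entry matching an undefined ACL), and it also flags the DES/MD5 ISAKMP settings as weak algorithms.

```python
"""Consistency checks for a Cisco IOS / PIX policy-routing and IPsec snippet.

Added example (not from the original article). Parses only the syntax the
article uses: numbered and named ACLs, ip sla monitor, track, crypto isakmp
policy, and route-map entries with verify-availability next hops.
"""
import re

# Constructed sample modelled on the article's R1 configuration. Deliberate
# defects for the checker to find: a three-octet wildcard on line 1, no
# 'ip sla monitor 2' behind track 124, and 'mail-erp' never defined as an ACL.
SAMPLE = """\
access-list 101 deny ip 192.168.1.0 0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
ip access-list extended lan-erp
 permit ip 192.168.1.0 0.0.0.255 host 192.168.5.53
ip access-list extended lan-mail
 permit ip 192.168.1.0 0.0.0.255 host 192.168.5.50
ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.3.2
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
track 124 rtr 2 reachability
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
route-map test permit 10
 match ip address lan-erp
 set ip next-hop verify-availability 192.168.3.2 1 track 123
 set ip next-hop verify-availability 192.168.2.2 2 track 124
route-map test permit 20
 match ip address mail-erp
 set ip next-hop verify-availability 192.168.2.2 1 track 124
"""

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")      # a full dotted-quad field
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5")}  # algorithms to flag


def check_config(text):
    """Return a sorted list of (line_number, message) findings."""
    acls, slas, tracks = set(), set(), {}    # tracks: id -> (line, sla id)
    acl_refs, track_refs = [], []            # (line, referenced name, route-map entry)
    findings = []
    ctx = ctx_id = None                      # block the current indented line belongs to
    for ln, raw in enumerate(text.splitlines(), 1):
        toks = raw.split()
        if not toks:
            continue
        indented = raw[0].isspace()
        if not indented:                     # a top-level command starts a new block
            ctx = ctx_id = None
            if toks[0] == "access-list":
                acls.add(toks[1]); ctx = "acl"
            elif raw.startswith("ip access-list ") and len(toks) > 3:
                acls.add(toks[3]); ctx = "acl"
            elif raw.startswith("ip sla monitor ") and len(toks) > 3 and toks[3] != "schedule":
                slas.add(toks[3])
            elif toks[0] == "track" and len(toks) > 3 and toks[2] == "rtr":
                tracks[toks[1]] = (ln, toks[3])
            elif raw.startswith("crypto isakmp policy ") and len(toks) > 3:
                ctx, ctx_id = "isakmp", toks[3]
                toks = toks[4:]              # PIX one-line form: inspect the remainder
            elif toks[0] == "route-map" and len(toks) > 3:
                ctx, ctx_id = "route-map", f"{toks[1]} {toks[3]}"
        if ctx == "acl":                     # every dotted field must be four octets
            for t in toks:
                if "." in t and not DOTTED.match(t):
                    findings.append((ln, f"mask/address '{t}' is not four octets"))
        elif ctx == "isakmp":                # look at (keyword, value) pairs
            for kw, alg in zip(toks, toks[1:]):
                if (kw, alg.lower()) in WEAK_ISAKMP:
                    findings.append((ln, f"isakmp policy {ctx_id} uses weak algorithm '{alg}'"))
        elif ctx == "route-map" and indented:
            if toks[:3] == ["match", "ip", "address"] and len(toks) > 3:
                acl_refs.append((ln, toks[3], ctx_id))
            elif "track" in toks and toks.index("track") + 1 < len(toks):
                track_refs.append((ln, toks[toks.index("track") + 1], ctx_id))
    # Resolve references only after the whole snippet is read: IOS does not
    # require a definition to appear before the command that uses it.
    for tid, (ln, sla) in tracks.items():
        if sla not in slas:
            findings.append((ln, f"track {tid} references undefined ip sla monitor {sla}"))
    for ln, name, where in acl_refs:
        if name not in acls:
            findings.append((ln, f"route-map {where} matches undefined ACL '{name}'"))
    for ln, tid, where in track_refs:
        if tid not in tracks:
            findings.append((ln, f"route-map {where} uses undefined track {tid}"))
    return sorted(findings)


if __name__ == "__main__":
    for ln, msg in check_config(SAMPLE):
        print(f"line {ln}: {msg}")
```

Run it on a `show running-config` excerpt before the change window; each finding points at the line that would otherwise be discovered only when the primary link fails and traffic does not move. The checker does not verify that the route-map is actually applied to the LAN-facing interface with `ip policy route-map`, a step the article's excerpt leaves out, so confirm that by hand.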
