Introduction
This document provides a sample configuration for an IOS router that terminates redundant ISP connections. In some cases, a company may require the router to service SSL VPN connections on both the ISP1 and ISP2 interface IP addresses in an active/active fashion. Because the router can only have one default route active at a time, local policy routing is used to change the next hop for SSL traffic sourced from the ISP2 interface IP.
The sample configuration below satisfies this requirement for dual active SSL VPN gateways on a single router terminating primary and secondary ISPs. It also automates default route selection using IP SLA and object tracking. Policy routing selects the NAT overload address for traffic leaving via the primary and secondary ISP respectively, and local policy routing changes the next hop of router-generated TCP 443 traffic sourced from the ISP2 interface IP so that replies from the second gateway leave via ISP2 rather than following the active default route.
Network Diagram
Configurations
aaa new-model
!
aaa group server radius myServer
 server 10.10.10.10 auth-port 1645 acct-port 1646
!
aaa authentication login default local group myServer
!
! One trustpoint per gateway so each public IP presents its own certificate
crypto pki trustpoint sslisp1
 enrollment terminal
 fqdn none
 ip-address 1.1.1.1
 subject-name CN=sslvpn1.vpn.com
 revocation-check none
 rsakeypair sslisp1
!
crypto pki trustpoint sslisp2
 enrollment terminal
 fqdn none
 ip-address 2.2.2.1
 subject-name CN=sslvpn2.vpn.com
 revocation-check none
 rsakeypair sslisp2
!
! Track 1 follows IP SLA (rtr) 1; the 15 second delays damp flapping of the primary default route
track 1 rtr 1 reachability
 delay down 15 up 15
!
interface FastEthernet0/0
 description To ISP1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To ISP2
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Internal LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Local policy applies to router-generated traffic, which includes the SSL VPN gateway replies
ip local policy route-map SSL-REDIRECT
ip local pool webvpn 192.168.100.10 192.168.100.15
ip local pool webvpn2 192.168.200.10 192.168.200.15
!
! Primary default via ISP1 is installed only while track 1 is up; the AD 240 floating default via ISP2 takes over otherwise
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.2 240
ip route 192.168.200.0 255.255.255.0 2.2.2.2
!
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
! Router-sourced TCP 443 from the ISP2 gateway address
ip access-list extended SSL
 permit tcp host 2.2.2.1 eq 443 any
!
ip sla 1
 icmp-echo 73.2.224.1 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 5
ip sla schedule 1 life forever start-time now
!
! ACL 101 exempts LAN-to-VPN-pool traffic from NAT so tunnelled traffic keeps its real addresses
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SSL-REDIRECT permit 10
 match ip address SSL
 match interface FastEthernet0/1
 set ip next-hop 2.2.2.2
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map ISP2 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key sslvpn
!
webvpn gateway ssl-isp1
 hostname sslvpn1.vpn.com
 ip address 1.1.1.1 port 443
 http-redirect port 80
 ssl trustpoint sslisp1
 inservice
!
webvpn gateway ssl-isp2
 hostname sslvpn2.vpn.com
 ip address 2.2.2.1 port 443
 http-redirect port 80
 ssl trustpoint sslisp2
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn context ciscossl
 ssl authenticate verify all
 !
 policy group default
   functions svc-enabled
   svc address-pool "webvpn"
   svc keep-client-installed
   svc split include 10.0.0.0 255.0.0.0
   svc dns-server primary 4.4.2.2
   svc wins-server primary 4.4.2.2
 default-group-policy default
 aaa authentication list default
 gateway ssl-isp1
 inservice
!
webvpn context ciscossl2
 ssl authenticate verify all
 !
 policy group default
   functions svc-enabled
   svc address-pool "webvpn2"
   svc keep-client-installed
   svc split include 10.0.0.0 255.0.0.0
   svc dns-server primary 4.4.2.2
   svc wins-server primary 4.4.2.2
 default-group-policy default
 aaa authentication list default
 gateway ssl-isp2
 inservice
!
end
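As an added illustration (not part of the original configuration or any Cisco code), the following Python model reproduces the forwarding decisions the configuration above makes: longest prefix then administrative distance with the tracked default route, the SSL-REDIRECT local policy for router-generated TCP 443 traffic, and the NAT exemption in ACL 101. The destination 203.0.113.7 and LAN host 10.10.10.5 are constructed test values; it also shows what happens to ISP2 gateway replies when the local policy is absent.

```python
import ipaddress

# Constructed model of the page's RIB: (prefix, next hop, admin distance, tracked by IP SLA 1)
ROUTES = [
    ("0.0.0.0/0", "1.1.1.2", 1, True),       # ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1
    ("0.0.0.0/0", "2.2.2.2", 240, False),    # ip route 0.0.0.0 0.0.0.0 2.2.2.2 240
    ("192.168.200.0/24", "2.2.2.2", 1, False),
    ("1.1.1.0/24", "connected FastEthernet0/0", 0, False),
    ("2.2.2.0/24", "connected FastEthernet0/1", 0, False),
    ("10.10.10.0/24", "connected FastEthernet0/0/0", 0, False),
]
# ACL SSL + route-map SSL-REDIRECT: router-sourced TCP 443 from 2.2.2.1 goes to ISP2
LOCAL_POLICY = {("2.2.2.1", 443): "2.2.2.2"}
# NAT overload: traffic leaving via a given next hop is translated to that interface address
NAT_OUTSIDE = {"1.1.1.2": "1.1.1.1", "2.2.2.2": "2.2.2.1"}
LAN = ipaddress.ip_network("10.10.10.0/24")
VPN_POOLS = [ipaddress.ip_network(p) for p in ("192.168.100.0/24", "192.168.200.0/24")]


def rib_lookup(dst, track_up=True):
    """Longest prefix match, ties broken by lowest AD; tracked routes vanish when track 1 is down."""
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p).prefixlen, -ad, nh)
                  for p, nh, ad, tracked in ROUTES
                  if dst in ipaddress.ip_network(p) and (track_up or not tracked)]
    return max(candidates)[2] if candidates else None


def router_sourced_next_hop(src, sport, dst, track_up=True, local_policy=True):
    """Next hop for packets the router itself generates, e.g. SSL VPN gateway replies."""
    if local_policy and (src, sport) in LOCAL_POLICY:
        return LOCAL_POLICY[(src, sport)]
    return rib_lookup(dst, track_up)   # without local policy, replies follow the active default


def lan_forward(src, dst, track_up=True):
    """Forward a LAN packet: route it, then apply the ISP1/ISP2 NAT route-maps (ACL 101)."""
    nh = rib_lookup(dst, track_up)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = any(d in pool for pool in VPN_POOLS)   # ACL 101 deny LAN -> VPN pools
    if s in LAN and not exempt and nh in NAT_OUTSIDE:
        return nh, NAT_OUTSIDE[nh]                  # (next hop, translated source)
    return nh, src


if __name__ == "__main__":
    print("ISP2 gateway reply with local policy:", router_sourced_next_hop("2.2.2.1", 443, "203.0.113.7"))
    print("ISP2 gateway reply without it:", router_sourced_next_hop("2.2.2.1", 443, "203.0.113.7", local_policy=False))
    print("LAN host after ISP1 failure:", lan_forward("10.10.10.5", "203.0.113.7", track_up=False))
```

The second case is the asymmetric path the local policy exists to prevent: the reply would be sourced from 2.2.2.1 but handed to ISP1.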
Authored by Todd Pula CCIE #19383