Cisco 1921 example config. sends certain host via PIA, the rest out normally.
I have sat on my config for ages, and thought I should share. I was frustrated early in my attempts to get this working in a way that I wanted, i.e. control which internal hosts used PIA and leaving the rest to go out normally.
I have a Cisco CCNP and it took me a while to crack; I hope the config below will save you the frustration I had to endure.
Explanation:
The PIA VPN interfaces are Virtual-PPP1 going to London and Virtual-PPP2 going to Southampton.
By default all internet traffic leaves Dialer0, with the exception of my specific host(s), which leave via Virtual-PPP2 (PIA VPN).
Result:
My specific host uses the public IP address of 31.24.231.197 when accessing the internet.
I don't have much time to answer questions. Be patient with any queries you may have.
Here is the trimmed-down config, with some superfluous bits as well:
Current configuration : ********************* bytes
!
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****************************
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.155-3.M4a.bin
boot-end-marker
!
!
enable secret 8 *********************************************
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone GMT 0 0
clock summer-time BST recurring 4 Sun Mar 1:00 4 Sun Oct 2:00
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.16.32.1 172.16.32.30
ip dhcp excluded-address 172.16.32.240 172.16.32.254
ip dhcp ping packets 1
!
ip dhcp pool DHCP_SCOPE
network 172.16.32.0 255.255.255.0
default-router 172.16.32.254
domain-name ****************************
dns-server 172.16.32.252
!
!
ip dhcp pool THE_SPECIFIC_HOST
host 172.16.32.102 255.255.255.0
client-identifier ******************* MAC address
default-router 172.16.32.254
domain-name *******************
dns-server 209.222.18.218 209.222.18.222
!
!
!
ip domain name *******************************
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT ntp
ip inspect name INSPECT icmp
ip inspect name INSPECT isakmp
ip inspect name INSPECT ipsec-msft
ip inspect name INSPECT ssh
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn *****************
!
!
archive
log config
logging enable
path scp://********************************************************
write-memory
file prompt quiet
object-group network DMVPN-ENDPOINTS
host 104.238.169.118
host 31.24.231.197
!
!
!
object-group network LOCAL-IP-RANGES
10.0.0.0 255.0.0.0
172.16.0.0 255.255.0.0
192.168.0.0 255.255.0.0
!
object-group network PBR-LOCAL-HOSTS
description //USED BY THE PBR POLICY//
host 172.16.32.102 ############## This is the IP address of your specific host.
!
!
object-group service VPN-PROTOCOLS
udp eq isakmp
udp eq non500-isakmp
gre
esp
ahp
!
username ******************* secret 8 **********************************************
!
redundancy
!
!
!
!
lldp run
!
track 1 interface Virtual-PPP1 line-protocol
carrier-delay
delay down 30 up 180
!
track 2 interface Virtual-PPP2 line-protocol
carrier-delay
delay down 30 up 180
!
pseudowire-class PIA-L2TP
encapsulation l2tpv2
ip local interface Virtual-Template1
!
!
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-3.1.14018-k9.pkg sequence 3
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key mysafety address 104.238.169.118
crypto isakmp key mysafety address 31.24.231.197
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP=AES256+AUTH=SHA256 esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec transform-set ESP=AES256+AUTH=SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set PIA-LONDON-ESP=AES256+AUTH=SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set PIA-SOUTHAMPTON-ESP=AES256+AUTH=SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-AUTH&ENCRYPTION
set transform-set ESP=AES256+AUTH=SHA256
!
!
!
!
crypto map PIA-VPN 20 ipsec-isakmp
set peer 104.238.169.118
set security-association replay window-size 1024
set transform-set PIA-LONDON-ESP=AES256+AUTH=SHA
match address PIA_LONDON
crypto map PIA-VPN 30 ipsec-isakmp
set peer 31.24.231.197
set security-association replay window-size 1024
set transform-set PIA-SOUTHAMPTON-ESP=AES256+AUTH=SHA
match address PIA_SOUTHAMPTON
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description //FTTP PHYSICAL WAN//
no ip address
no ip unreachables
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no lldp transmit
no lldp receive
no cdp enable
!
interface GigabitEthernet0/1
ip address 172.16.32.254 255.255.255.0
ip access-group OUT-FIREWALL in
ip nat inside
no ip virtual-reassembly in
ip policy route-map PBR ############### Important
duplex auto
speed auto
!
interface Virtual-PPP1
description ##PIA London##
ip address negotiated
ip access-group WAN-FIREWALL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INSPECT out
no ip virtual-reassembly in
shutdown
ppp eap refuse
ppp chap hostname **************** Your L2TP PIA creds
ppp chap password **************** Your L2TP PIA creds
ppp ipcp address accept
no cdp enable
pseudowire 104.238.169.118 1 encapsulation l2tpv2 pw-class PIA-L2TP
!
interface Virtual-PPP2
description ##PIA Southampton##
ip address negotiated
ip access-group WAN-FIREWALL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INSPECT out
no ip virtual-reassembly in
ppp eap refuse
ppp chap hostname **************** Your L2TP PIA creds
ppp chap password **************** Your L2TP PIA creds
ppp ipcp address accept
no cdp enable
pseudowire 31.24.231.197 1 encapsulation l2tpv2 pw-class PIA-L2TP
!
!interface Virtual-Template1
description //L2TP VPN//
ip unnumbered Dialer0
!
interface Dialer0
description //DIALER FOR WAN//
mtu 1492
ip address *************** 255.255.255.254
ip access-group WAN-FIREWALL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INSPECT out
ip virtual-reassembly in max-reassemblies 64
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
autodetect encapsulation ppp
ipv6 address dhcp
ppp authentication chap callin
ppp chap hostname *********************
ppp chap password *********************
no cdp enable
crypto map PIA-VPN
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip http tls-version TLSv1.2
!
ip nat inside source route-map NAT-PERMIT/DENY interface Dialer0 overload
ip nat inside source route-map PIA_NAT-PERMIT/DENY interface Virtual-PPP2 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list standard NTP-ALLOW
permit 172.16.32.252
deny any log
!
ip access-list extended NAT
deny ip object-group LOCAL-IP-RANGES object-group LOCAL-IP-RANGES
deny ip object-group PBR-LOCAL-HOSTS any
permit ip any any
ip access-list extended OUT-FIREWALL
deny tcp any any eq smtp log
permit ip any any
ip access-list extended PBR-ABNORMAL-INTERNET
permit ip object-group PBR-LOCAL-HOSTS any
ip access-list extended PBR-NORMAL-INTERNET
deny ip object-group PBR-LOCAL-HOSTS any
permit ip any any
ip access-list extended PIA_LONDON
permit udp host ##YourWANIP## eq 1701 host 104.238.169.118 eq 1701
ip access-list extended PIA_NAT
permit ip object-group PBR-LOCAL-HOSTS any
ip access-list extended PIA_SOUTHAMPTON
permit udp host ##YourWANIP## eq 1701 host 31.24.231.197 eq 1701
ip access-list extended VTY-SSH-RESTRICTIONS
permit ip object-group LOCAL-IP-RANGES any
ip access-list extended WAN-FIREWALL
deny ip object-group LOCAL-IP-RANGES any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit object-group VPN-PROTOCOLS object-group DMVPN-ENDPOINTS any
permit icmp any any traceroute
permit icmp any any time-exceeded
permit tcp any any established
!
ip radius source-interface GigabitEthernet0/1
logging trap debugging
logging source-interface GigabitEthernet0/1
logging host 172.16.32.251
!
route-map PBR permit 10
match ip address PBR-NORMAL-INTERNET
set interface Dialer0
!
route-map PBR permit 20
match ip address PBR-ABNORMAL-INTERNET
match track 1
set interface Virtual-PPP1 Virtual-PPP2
!
route-map PBR permit 30
match ip address PBR-ABNORMAL-INTERNET
match track 2
set interface Virtual-PPP2 Virtual-PPP1
!
route-map NAT-PERMIT/DENY permit 10
match ip address NAT
match interface Dialer0
!
route-map PIA_NAT-PERMIT/DENY permit 10
match ip address PIA_NAT
match track 1
match interface Virtual-PPP1 Virtual-PPP2
!
route-map PIA_NAT-PERMIT/DENY permit 20
match ip address PIA_NAT
match track 2
match interface Virtual-PPP2 Virtual-PPP1
!
!
!
!
!
control-plane
!
!
banner incoming ^CYOUR IP HAS BEEN LOGGED. ANY ACCESS ATTEMPTS ARE ALSO LOGGED.
DISCONNECT NOW. NO HARM NO FOUL. GOODBYE^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class VTY-SSH-RESTRICTIONS in
transport input ssh
!
scheduler allocate 20000 1000
sntp logging
sntp server 172.16.32.252 version 3
sntp source-interface GigabitEthernet0/1
!
!
!
end
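The forwarding decision the route-maps above make for an internet-bound LAN packet, as an added Python model that is not part of the original post; it assumes only the values shown in the config and takes the state of track 1 (Virtual-PPP1) and track 2 (Virtual-PPP2) as booleans.

```python
"""Constructed model of the posted route-map PBR and the two NAT route-maps,
for internet-bound packets arriving on GigabitEthernet0/1. Not IOS code."""
import ipaddress

# object-group PBR-LOCAL-HOSTS: the one host that must go out via PIA
PBR_LOCAL_HOSTS = {ipaddress.ip_address("172.16.32.102")}


def pbr_egress(src, track1_up: bool, track2_up: bool) -> str:
    """route-map PBR, as applied by 'ip policy route-map PBR' on Gi0/1."""
    if src not in PBR_LOCAL_HOSTS:
        # seq 10: ACL PBR-NORMAL-INTERNET denies the special host, permits the rest
        return "Dialer0"
    # seq 20 and 30: ACL PBR-ABNORMAL-INTERNET matches the special host, each
    # sequence is gated by 'match track N', and 'set interface A B' picks the
    # first listed interface that is up (track N follows that interface).
    if track1_up:
        return "Virtual-PPP1"   # seq 20: set interface Virtual-PPP1 Virtual-PPP2
    if track2_up:
        return "Virtual-PPP2"   # seq 30: set interface Virtual-PPP2 Virtual-PPP1
    # no sequence matched: ordinary routing, 'ip route 0.0.0.0 0.0.0.0 Dialer0'
    return "Dialer0"


def nat_applied(src, egress: str, track1_up: bool, track2_up: bool) -> bool:
    """The 'ip nat inside source route-map ...' line for the egress interface."""
    special = src in PBR_LOCAL_HOSTS
    if egress == "Dialer0":
        # NAT-PERMIT/DENY -> ACL NAT: 'deny ip object-group PBR-LOCAL-HOSTS any'
        # (its local-to-local deny does not apply to internet-bound traffic)
        return not special
    # PIA_NAT-PERMIT/DENY -> ACL PIA_NAT permits only the special host, and
    # both sequences also require their track to be up
    return special and (track1_up or track2_up)


def forward(src_ip: str, track1_up: bool, track2_up: bool) -> tuple:
    """Return (egress_interface, nat_applied) for an internet-bound packet."""
    src = ipaddress.ip_address(src_ip)
    egress = pbr_egress(src, track1_up, track2_up)
    return egress, nat_applied(src, egress, track1_up, track2_up)

if __name__ == "__main__":
    # As posted: Virtual-PPP1 is shut down (track 1 down), Virtual-PPP2 is up.
    print(forward("172.16.32.50", False, True))    # ('Dialer0', True)
    print(forward("172.16.32.102", False, True))   # ('Virtual-PPP2', True)
    # Both PIA tunnels down: the special host falls back to the default route
    # but is not translated to the WAN address, so the bypass fails closed
    # instead of leaking out Dialer0 under the public IP.
    print(forward("172.16.32.102", False, False))  # ('Dialer0', False)
```

The last case is the check worth running on the real router: with both tracks down, `show ip nat translations` should show no entries for 172.16.32.102, because the NAT ACL on Dialer0 explicitly denies it.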