
Help with Internet failover

wdoellefeld
Level 1

Hi,

I inherited managing our network. My knowledge of Cisco is pretty limited but growing. I need help configuring a failover from our T1 to a wireless broadband connection. We have a Cisco 2651 for external, a Cisco 2610 internal, and a PIX in between. I've been working on the config but can't seem to get it working. Here is the config; I marked my additions to it.

interface FastEthernet0/0
 ip address 53.150.x.x.x.255.128
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 1544
 ip address 161.x.x.x.x.255.252
 ip access-group InternetIn in
 ip access-group InternetOUT out
 no ip proxy-arp
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
!
interface FastEthernet0/1 (ADDED BY ME)
 description MESA Networks
 ip address 208.121.x.x.x.255.192
 ip access-group InternetIn in
 ip access-group InternetOUT out
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 200 (ADDED BY ME)
ip http server
!
!
ip access-list extended InternetIn
 permit ip host 10.10.147.250 host 53.150.135.251 log-input
 permit icmp host 10.10.147.250 host 53.150.135.254 log-input
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 147.100.0.0 0.0.255.255 any log-input
 deny ip 169.254.0.0 0.0.255.255 any log-input
 deny ip 172.0.0.0 0.31.255.255 any log-input
 deny ip 192.0.0.0 0.0.0.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 194.87.6.0 0.0.0.255 any
 deny ip 209.1.230.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any log-input
 deny ip 240.0.0.0 7.255.255.255 any log-input
 deny ip 248.0.0.0 7.255.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny tcp 209.1.230.0 0.0.0.255 53.150.135.128 0.0.0.127
 deny icmp any any echo log-input
 deny icmp any any echo-reply log-input
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp 194.87.6.0 0.0.0.255 any
 deny udp 209.36.6.0 0.0.0.255 53.150.135.128 0.0.0.127
 deny udp 128.63.0.0 0.0.255.255 53.150.135.128 0.0.0.127
 permit tcp any host 53.150.135.252 log-input
 permit udp any host 53.150.135.252 eq isakmp log-input
 permit udp any host 53.150.135.252 eq 10000 log-input
 permit esp any host 53.150.135.252 log-input
 permit ahp any host 53.150.135.252 log-input
 permit esp any host 53.150.135.253 log-input
 permit ahp any host 53.150.135.253 log-input
 permit udp any host 53.150.135.253 eq isakmp log-input
 permit tcp any host 53.150.135.243 eq 443 log-input
 permit ahp any host 53.150.135.251 log-input
 permit esp any host 53.150.135.251 log-input
 permit udp any host 53.150.135.251 eq isakmp log-input
 permit udp any eq domain any gt 1023 log-input
 permit tcp any 53.150.135.128 0.0.0.127 gt 1023 established log-input
 permit tcp any host 53.150.135.243 eq 143 log-input
 permit gre any host 53.150.135.244 log-input
 permit tcp any host 53.150.135.243 eq smtp log-input
ip access-list extended InternetOUT
 permit ip 53.150.135.0 0.0.0.255 any
 deny icmp 53.150.135.0 0.0.0.255 any
 permit ip 208.121.158.0 0.0.0.255 any (ADDED BY ME)
 deny icmp 208.120.158.0 0.0.0.255 any (ADDED BY ME)
logging trap warnings
logging facility local5
logging 53.150.135.243
access-list 12 permit 53.150.135.0 0.0.0.255
access-list 13 permit 208.121.158.0 0.0.0.255 (ADDED BY ME)
!
line con 0
line aux 0
line vty 0 1
 access-class 12 in
 password xxxxx
 login
line vty 2 4
 access-class 12 in
 password xxxxx
 login
!
end

12 Replies

thisisshanky
Level 11

Your configuration looks alright. What happens if the T1 link goes down? Doesn't the floating static route kick in?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks for the reply Shanky.

I'm unfamiliar with the term "floating static route". If you mean does it fail over, no, it does not. Could it be something in the PIX? I've looked over the config on it and I don't see anything that would prevent it.

The config that you pasted belongs to the 2651 or the 2610? I believe it's the 2651.

Wireless Backup---|Cisco 2651---PIX---Cisco 2610---
Serial T1---------|

Is this the way your network is set up? Is the PIX doing NAT for you? Do you have two different blocks of public IP allocated by your ISP?

A floating static route is a static route which has been configured with a higher administrative distance. For example,

ip route 0.0.0.0 0.0.0.0 Serial0/0

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 200 (ADDED BY ME) <---- this is floating static default route.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

This config is for the 2651.

Both ISPs (T1 and Wireless) are on the 2651. Yes the PIX is doing NAT. I have a block of public IP for the T1 but only 1 IP for the wireless.

Thanks for defining floating static route for me. The answer is no, it doesn't appear to kick in.

Just got me thinking about NAT on the PIX and if that was my issue. Here is a copy of my PIX config.

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxxx
hostname PIX
domain-name technology.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in deny udp any any eq 109
access-list inside_access_in deny udp any any eq 110
access-list inside_access_in deny udp any any eq 220
access-list inside_access_in deny udp any any eq 993
access-list inside_access_in deny udp any any eq 995
access-list inside_access_in deny tcp any any eq pop2
access-list inside_access_in deny tcp any any eq pop3
access-list inside_access_in deny tcp any any eq 220
access-list inside_access_in deny tcp any any eq 993
access-list inside_access_in deny tcp any any eq 995
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit gre any host 166.39.161.79
access-list mailserver permit tcp any host 53.150.135.243 eq smtp
access-list mailserver permit udp host 53.150.135.254 host 53.150.135.243 eq syslog
pager lines 24
logging on
logging timestamp
logging trap warnings
logging facility 3
logging host inside 172.21.1.7 6/49205
mtu outside 1500
mtu inside 1500
ip address outside 53.150.x.x.x.255.128
ip address inside 172.21.1.253 255.255.240.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 53.x.x.x.150.135.240 netmask 255.255.255.128
global (outside) 1 53.x.x.241 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 53.150.x.x.x.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 53.150.x.x.x.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 53.150.x.x x.x.1.101 netmask 255.255.255.255 0 0
static (inside,outside) 53.150.x.x.x.1.100 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
conduit permit udp host 53.150.135.248 eq ntp any
conduit permit tcp host 53.150.135.243 eq https any
conduit permit gre host 53.150.135.244 host 166.39.161.79
conduit permit tcp host 53.150.135.243 eq imap4 any
conduit permit udp host 53.150.135.243 eq syslog host 53.150.135.254
conduit permit tcp host 53.150.135.243 eq smtp any
route outside 0.0.0.0 0.0.0.0 53.150.135.254 0
timeout xlate 0:10:00
timeout conn 0:20:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-cache dst 128KB
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
service resetinbound
telnet 53.150.x.x.x.255.255 outside
telnet 53.150.135.254 255.255.255.255 inside
telnet 172.21.0.0 255.255.240.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
: end

Is the Internet service on the wireless network and the serial T1 network provided by the same ISP? You mentioned that you only had one IP address for the wireless ISP so I assume that they are different.

If your T1 ISP is advertising your 53.150.135.x network to the Internet and you attempt to send packets to another ISP using that same IP block, the Internet will probably return the traffic to the T1 ISP, which is down, so the packets will not make it back to your network. Additionally, your wireless ISP may not accept your 53.150.135.x IP addresses.

You might want to NAT/PAT the outbound traffic on the wireless link. If the only route off your network happens to be the wireless link AND you only have one IP address provided by your ISP - Port Address Translation is probably your best method of hitting the Internet and having packets find their way back to your network.

Good luck

I agree with Rick that, in case the backup is from a different provider, your public IP subnet routing is probably the cause of the problem here. Like he suggested, do a PAT on the failover link rather than just letting your public IP addresses through. I would take off the access-lists to start with and try the PAT approach, and once everything works put the access-lists back on.

I would also incorporate Richard Burts' suggestion to use the IP address of the next-hop device rather than just FastEthernet0/1 to avoid proxy-ARP related issues.

Richard Burts
Hall of Fame

I think I see at least one issue with your config that may explain why failover is not working. Your added static route (the floating static) is configured like this:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 200 (ADDED BY ME)

There are two ways to configure static routes: you can identify the output interface or you can identify the next-hop address. The first method is especially appropriate on point-to-point interfaces like serial. The method that identifies the outbound interface is less appropriate on multipoint interfaces like Ethernet. The issue is that to forward out the FastEthernet interface the router needs a MAC address, so for every packet it tries to forward it will need to ARP for the destination address. If something responds to the ARP the router will be able to forward, and if there is no response the router will drop the packet. I suspect that whatever you are connected to for your wireless broadband is not responding to all those ARPs, and that is why your failover is not working.

The second method of configuring static routes identifies the next hop address and would look like this:

ip route 0.0.0.0 0.0.0.0 <next-hop-address> 200

The advantage of this for the FastEther is that the router will need to ARP for the connected device and when it gets a response (which it is much more likely to get) it can forward all packets with no more overhead.

If you change your added static route to this form I think you will have much better chance of it working.

A second comment (though not central to your question) I notice in the outbound access list that you have configured:

permit ip 53.150.135.0 0.0.0.255 any

deny icmp 53.150.135.0 0.0.0.255 any

permit ip 208.121.158.0 0.0.0.255 any (ADDED BY ME)

deny icmp 208.120.158.0 0.0.0.255 any (ADDED BY ME)

The issue is that the deny for icmp will never affect anything because the icmp packets were permitted by the preceding line. You should reverse the order of these if you really want to deny ALL icmp.

In fact, I would suggest that you think carefully before you deny ALL icmp. There are a number of icmp messages (fragmentation required but DF set is one that comes to mind) that are quite helpful and not dangerous. If you block all icmp you will break Path MTU Discovery, among other things.

HTH

Rick

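As an added example (not from the thread, not the poster's own config), here are the two static-route forms Shanky and Rick describe, written against the interfaces in the posted 2651 config, followed by the outbound ACL with the order fixed as Rick suggests. The next-hop address 208.121.158.1 is a placeholder for the wireless provider's gateway; the real one comes from the provider or from show arp.

```cisco
! Added example, not from the thread. Interfaces and the 53.150.135.x /
! 208.121.158.x blocks are the ones in the posted config; 208.121.158.1 is a
! placeholder for the wireless provider's gateway (get it from the provider or
! from "show arp").
!
! Primary default route, exit-interface form. Fine on a point-to-point serial
! link: there is only one far end, and the route leaves the routing table as
! soon as Serial0/0 drops line protocol.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Floating static default route. Administrative distance 200 (a static route is
! 1 by default) keeps it out of the routing table until the primary is gone.
! On a multi-access Ethernet link use the next-hop form: with the exit-interface
! form the router ARPs for every Internet destination and depends on the far
! side answering those ARPs (proxy-ARP), which is the failure Rick describes.
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 200
ip route 0.0.0.0 0.0.0.0 208.121.158.1 200
!
! Checks. While the T1 is up only the Serial0/0 route is installed; after
! "shutdown" on Serial0/0 (in a lab) or a real outage the AD-200 route appears.
!   show ip route 0.0.0.0
!   show ip route static
!   show arp | include FastEthernet0/1    (the gateway should be in the ARP cache)
!
! Outbound ACL, reordered. In the posted version "permit ip ... any" comes
! first, so the ICMP deny under it never matches. If the intent really is to
! drop ICMP, the deny has to come first, but keep the types Path MTU Discovery
! and traceroute depend on: "unreachable" is type 3, which includes
! fragmentation-needed (type 3 code 4). A named ACL must be removed and
! re-entered to change its order, because IOS appends new lines at the end.
no ip access-list extended InternetOUT
ip access-list extended InternetOUT
 permit icmp 53.150.135.0 0.0.0.255 any unreachable
 permit icmp 53.150.135.0 0.0.0.255 any ttl-exceeded
 deny   icmp 53.150.135.0 0.0.0.255 any log
 permit ip   53.150.135.0 0.0.0.255 any
 permit icmp 208.121.158.0 0.0.0.255 any unreachable
 permit icmp 208.121.158.0 0.0.0.255 any ttl-exceeded
 deny   icmp 208.121.158.0 0.0.0.255 any log
 permit ip   208.121.158.0 0.0.0.255 any
```

The `no ip route ... FastEthernet0/1 200` line removes the exit-interface version first; leaving both in place would give the router two AD-200 candidates and it would still ARP per destination through the interface-only one.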

Thank you all for the replies.

Yes, the backup link is from a different provider.

Richard Burts - What is an easy way from the router to identify the next hop off of that interface?

Rick Martin - Researching how to enable PAT on the interface for the backup link but having trouble finding a guide. Do you have a link to anything that may help?

Thank you all very very much!

There are several approaches to find the address of the next hop.

- ask the wireless provider. It's their device and they should easily be able to tell you.

- depending on the interface config you may be able to deduce the address. In particular if it is a fairly specific mask (ideally a 255.255.255.252) you should be able to find the address.

- if the connection is over Ethernet there should be an ARP entry for the other device. Do a show ARP and look for an address associated with that interface.

HTH

Rick


Thanks Rick. I forgot about the show command. I really need to learn more IOS. It's been rough going from a department of 2 to a department of 1.

I've got the route configured with the next hop. Now all I need to do is figure out the NAT/PAT piece. Been researching poking around all morning but not finding much. It's confusing since the PIX is NATing with the block of IP from my "primary" provider. I'd rather not go away from that since I'm really just looking for some Internet failover and not load balancing. How to get the end router to NAT out of the "backup" interface is my hangup I think.

Thanks for your help.

Below is a link to a good document to get you started down the road to NAT or PAT. The difference in Cisco terms is overload. You will want to configure NAT in your environment to use the overload option. This will translate your 127 existing public IP addresses into the single IP address provided by your wireless ISP.

Basically you will create a NAT pool using the single IP address provided by your ISP, assign IP NAT inside to the inside interface and NAT outside to the wireless ethernet interface. Create a one line access list to permit 53.150.135.128 0.0.0.127 and assign that ACL to your NAT pool.

When this is setup correctly all packets that leave the Ethernet interface destined to the wireless link will be translated to the single IP address your ISP has provided to you. While on the normal ISP link no translation will take place. The obvious drawback to this scenario is that you cannot have outside access to any device on your network while you are operating on the wireless connection (from outside to inside). If you have an email server or web server they cannot be accessed from the outside, but these devices will be able to hit the outside via the address translation.

Here is the NAT get-started link:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
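The following is an added example of the NAT/PAT setup Rick outlines, applied to the posted 2651 config; it is not from the thread or from the linked Cisco document. Assumptions: FastEthernet0/0 faces the PIX and carries the 53.150.135.128/25 block, FastEthernet0/1 is the wireless link and its own address is the single address that provider supplied, 208.121.158.1 is a placeholder for that provider's gateway, and 161.x.x.x stands in for the T1 provider's gateway in the optional tracking section. The names NAT-BACKUP-SRC, NAT-BACKUP and InternetIn-BACKUP are made up for this example.

```cisco
! Added example, not from the thread. Names and the 208.121.158.1 / 161.x.x.x
! next hops are placeholders; adjust to the real addresses.
!
! 1. Which sources get translated: the public block behind the PIX.
ip access-list standard NAT-BACKUP-SRC
 permit 53.150.135.128 0.0.0.127
!
! 2. Translate only when the packet leaves via the wireless interface. Packets
!    leaving via Serial0/0 do not match the route-map, keep their 53.150.135.x
!    source, and nothing changes while the T1 is up.
route-map NAT-BACKUP permit 10
 match ip address NAT-BACKUP-SRC
 match interface FastEthernet0/1
!
! 3. PAT ("overload" in IOS terms) onto the interface address: every inside
!    address shares the one address the wireless provider supplied.
ip nat inside source route-map NAT-BACKUP interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 ! InternetIn only permits traffic to 53.150.135.x hosts. For outside-to-inside
 ! traffic IOS evaluates the inbound ACL BEFORE it reverses the translation, so
 ! the return packets of a PAT session (addressed to this interface's own
 ! address) would be dropped by InternetIn. Give the backup link its own ACL.
 ! The outbound InternetOUT is evaluated AFTER translation, which is why the
 ! poster's added "permit ip 208.121.158.0 ..." line is needed there.
 no ip access-group InternetIn in
 ip access-group InternetIn-BACKUP in
!
ip access-list extended InternetIn-BACKUP
 ! private/bogon sources, as in InternetIn
 deny   ip 10.0.0.0 0.255.255.255 any log-input
 deny   ip 172.16.0.0 0.15.255.255 any log-input
 deny   ip 192.168.0.0 0.0.255.255 any log-input
 deny   ip 127.0.0.0 0.255.255.255 any log-input
 deny   ip 169.254.0.0 0.0.255.255 any log-input
 ! return traffic for sessions opened from inside through the PAT address
 permit tcp any any established
 permit udp any eq domain any gt 1023
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 ! no inbound services: with one address and PAT there is nothing to publish,
 ! so the PIX statics and conduits are unreachable while on the backup link
 deny   ip any any log-input
!
! 4. Optional: fail over when the T1 path is dead but Serial0/0 stays up.
!    An exit-interface static route is only withdrawn when the interface goes
!    down; an upstream failure leaves it installed and the floating route never
!    takes over. Tie the primary route to an ICMP probe of the T1 gateway.
!    ("ip sla" needs a 12.4T-era image; older trains spell it "ip sla monitor"
!    or "rtr" and the track command "track 1 rtr 1 reachability".)
ip sla 1
 icmp-echo 161.x.x.x source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 Serial0/0 track 1
ip route 0.0.0.0 0.0.0.0 208.121.158.1 200
!
! Checks:
!   show ip nat translations     (empty on the T1; entries appear after failover)
!   show track 1
!   show ip route 0.0.0.0
!   clear ip nat translation *   (after failing back, drops stale PAT sessions)
```

Two things to expect in practice: the PIX still translates inside hosts to its 53.150.135.240/.241 globals and statics first, so traffic leaves the wireless link double-NATed (PIX, then router), which is fine for outbound sessions; and sessions that were open across the T1 do not survive the switch, since their translation state lives on the other path.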