03-31-2012 08:34 AM - edited 03-04-2019 03:52 PM
The basic setup... Newly installed redundant ISP, thus setting up the 891 with dual WAN, using PfR to load balance between the two. Did initial config through CCP (not express), but I am familiar with the basics of IOS CLI (not used to the new zone-based firewall yet, managed our old PIX for too long, but that is a different subject!)
The issue - I cannot seem to get anything but Gi0 to be accepted as a WAN interface. I go through the entire setup in CCP, test each connection, etc., and it all looks good until I exit out of CCP and go back in. At that point, I get squat out of Fa8. CCP won't let me test the connection, won't let me edit the connection, won't let me delete the connection. The wizard for a new WAN connection becomes available again (wanting to set up a "second" WAN on Fa7...)
Looking at the config (pasted below) I don't see any reason why it shouldn't be working... So I turn here, hoping someone else can see my silly mistake somewhere!
Again, I have verified connections to each ISP line independently, either one works just fine on Gi0, neither ever works on Fa8. This is my first real foray into PfR, so any help would be appreciated!
Building configuration...
Current configuration : 21486 bytes
!
! Last configuration change at 18:59:43 UTC Mon Mar 26 2012 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname KFDA-rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 xxscrubbedxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed-118056709
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-118056709
revocation-check none
rsakeypair TP-self-signed-118056709
!
!
crypto pki certificate chain TP-self-signed-118056709
certificate self-signed 01
xxscrubbedxx
quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name newschannel10.local
ip name-server 69.6.190.11
ip name-server 208.180.42.100
ip name-server 8.8.4.4
ip name-server 69.6.190.10
ip name-server 66.76.175.100
ip port-map user-protocol--2 port tcp 5900
ip port-map user-protocol--1 port tcp 20
no ipv6 cef
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
key chain PfR_DM
key 1
key-string 7 097C483B26213A
oer master
policy-rules PfR_DM_MAP
!
border 10.255.1.1 key-chain PfR_DM
interface GigabitEthernet0 external
interface FastEthernet8 external
interface Vlan1 internal
!
learn
throughput
periodic-interval 1
monitor-period 1
!
oer border
local Loopback100
master 10.255.1.1 key-chain PfR_DM
license udi pid CISCO891-K9 sn FTX154683MX
!
!
username admin privilege 15 secret 5 xxscrubbedxx
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-user-protocol--2-4
xx-scrubbed firewall classes, etc....
!
!
!
!
!
!
!
interface Loopback100
ip address 10.255.1.1 255.255.255.255
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description AMAtechTel$ETH-WAN$$FW_OUTSIDE$
ip address 69.6.179.14 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
!
interface GigabitEthernet0
description SuddenLink$ETH-WAN$$FW_OUTSIDE$
ip address 173.219.132.66 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list 2 interface FastEthernet8 overload
ip nat inside source static tcp 10.0.0.240 20 69.6.179.11 20 extendable
ip nat inside source static tcp 10.0.0.240 21 69.6.179.11 21 extendable
!
xx-scrubbed NAT rules-xx
!
ip route 0.0.0.0 0.0.0.0 173.219.132.65
ip route 0.0.0.0 0.0.0.0 69.6.179.1 2
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
!
xx-scrubbed-ACLs-xx
!
no cdp run
!
!
!
!
!
!
oer-map PfR_DM_MAP 200
match oer learn throughput
set delay relative 30
set mode route control
set mode monitor both
set resolve range priority 1
set resolve delay priority 2 variance 20
!
control-plane
!
!
!
line con 0
login authentication local_authen
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end