10-19-2011 12:15 PM - edited 03-04-2019 01:59 PM
Hi all
I'm trying to set up an 1801 router with two WAN interfaces, fastethernet0 and fastethernet1. On the LAN side, I have two subnets. One subnet's internet traffic should be routed over fastethernet0, the other over fastethernet1.
I've set up some route maps to accomplish this. I can surf the internet using subnet 192.168.2.0/24 fine, all traffic goes out of fastethernet0. However, and this is where the problem is, if I try to reach the internet using subnet 192.168.3.0/24, all packets go out interface fastethernet0 with the source address of fastethernet1!
When I'm surfing the internet from subnet 192.168.3.0/24, packets should be going out fastethernet1, but now they're going out fastethernet0.
This is my running-config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
no ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1811/K9 sn xxx
vtp version 2
!
interface FastEthernet0
ip address 192.168.0.110 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet1
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.3.254 255.255.255.0 secondary
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT1 interface FastEthernet0 overload
ip nat inside source route-map NAT2 interface FastEthernet1 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 0.0.0.0 0.0.0.0 FastEthernet1 255
!
logging esm config
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
!
route-map NAT2 permit 10
match ip address 2
set interface FastEthernet1
!
route-map NAT1 permit 10
match ip address 1
set interface FastEthernet0
!
route-map LAN1 permit 10
match ip address 1
set interface FastEthernet0
!
route-map LAN1 permit 20
match ip address 2
set interface FastEthernet1
!
control-plane
!
line con 0
speed 115200
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login
transport input all
!
end
Thanks,
Best regards,
10-19-2011 12:42 PM
Hi,
1) remove second static default route with AD of 255
no ip route 0.0.0.0 0.0.0.0 FastEthernet1 255
ip route 0.0.0.0 0.0.0.0 fastethernet1
You should configure the static routes via next-hop and not outgoing interfaces, as these are multipoint, because the router will be ARPing for every outside destination in your case.
2) in your NAT route-maps, replace the set command with the match command:
route-map NAT2 permit 10
match ip address 2
match interface FastEthernet1
3) you must configure PBR:
if 3.0 must go via f1 and 2.0 via f0
ip prefix-list LAN1 permit 192.168.3.0/24
ip prefix-list LAN2 permit 192.168.2.0/24
route-map PBR permit 10
match ip address prefix-list LAN1
set interface f1
route-map PBR permit 20
match ip address prefix-list LAN2
set interface f0
int vlan1
ip policy route-map PBR
Regards.
Alain.
10-19-2011 01:28 PM
I tried your modifications, unfortunately the result is the same.
I removed the route-maps for NAT1 & 2 as they are no longer needed this way.
This is my updated configuration:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
dot11 syslog
no ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1811/K9 sn xxx
vtp version 2
!
interface FastEthernet0
ip address 192.168.0.110 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet1
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.3.254 255.255.255.0 secondary
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip prefix-list LAN1 seq 10 permit 192.168.2.0/24
ip prefix-list LAN2 seq 5 permit 192.168.3.0/24
!
logging esm config
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
!
route-map PBR permit 10
match ip address prefix-list LAN1
set interface FastEthernet0
!
route-map PBR permit 20
match ip address prefix-list LAN2
set interface FastEthernet1
!
control-plane
!
line con 0
speed 115200
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login
transport input all
!
end
10-19-2011 01:45 PM
Hi,
change this in your config:
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet1 overload
by this:
ip nat inside source route-map NAT1 interface f0 overload
ip nat inside source route-map NAT2 interface f1 overload
route-map NAT1
match ip address prefix-list LAN1
match interface f0
route-map NAT2
match ip address prefix-list LAN2
match interface f1
To test it, issue some traffic from a PC in vlan1 with an IP address in the .2 subnet and then in the .3 subnet; don't test with locally originated traffic from the router, because in that case you also need the global config command ip local-policy route-map PBR.
Regards.
Alain.
10-19-2011 10:52 PM
Hello
Tried that, now the packets don't get translated at all, they leave with their original source address out f0.
Glenn
10-19-2011 11:04 PM
Hi,
How are you testing it?
Can you do a debug ip policy as well as a debug ip nat when you ping 8.8.8.8, either from a PC in the corresponding subnet or from the router with an extended ping sourcing from an address in each corresponding subnet but not the vlan1 address?
Regards.
Alain.
10-22-2011 06:09 AM
I'm testing from a computer inside VLAN1 (the LAN side of the router). Testing using a PC that has 192.168.2.5 and one that has 192.168.3.5.
I turned on debug ip policy, these messages endlessly repeat when I keep pinging (which does not work):
*Oct 22 13:33:46.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8 (FastEthernet0), len 84, FIB policy routed
*Oct 22 13:33:47.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, PBR Counted
*Oct 22 13:33:48.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, PBR Counted
*Oct 22 13:33:48.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8 (FastEthernet0), len 84, FIB policy routed
*Oct 22 13:33:49.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, FIB policy match
*Oct 22 13:33:49.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, PBR Counted
*Oct 22 13:33:49.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8 (FastEthernet0), len 84, FIB policy routed
*Oct 22 13:33:50.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, FIB policy match
*Oct 22 13:33:50.035: IP: s=192.168.2.5 (Vlan1), d=8.8.8.8, len 84, PBR Counted
Turning on debug ip nat doesn't show any output, probably because the packets don't get translated at all this time.
I can see the packets aren't being translated because I've connected a switch to the f0 port and set up a SPAN session. The packets leave from the router's f0 interface with their original source address.
This is my current configuration:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
dot11 syslog
no ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1811/K9 sn FHK1209233N
vtp version 2
!
interface FastEthernet0
ip address 192.168.0.110 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet1
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.3.254 255.255.255.0 secondary
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT1 interface FastEthernet0 overload
ip nat inside source route-map NAT2 interface FastEthernet1 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip prefix-list LAN1 seq 10 permit 192.168.2.0/24
!
ip prefix-list LAN2 seq 5 permit 192.168.3.0/24
logging esm config
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
!
route-map PBR permit 10
match ip address prefix-list LAN1
set interface FastEthernet0
!
route-map PBR permit 20
match ip address prefix-list LAN2
set interface FastEthernet1
!
route-map NAT2 permit 10
match ip address prefix-list LAN2
match interface FastEthernet1
!
route-map NAT1 permit 10
match ip address prefix-list LAN1
match interface FastEthernet0
!
control-plane
!
line con 0
speed 115200
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login
transport input all
!
end
Thanks,
Best regards,
Glenn
10-22-2011 07:57 AM
Hi,
I'm gonna lab it up, but it should work; I don't see why it is failing.
OK, I got it; the NAT won't work with a prefix-list, just use the ACL instead. I'm really sorry I made such a mistake.
So change the NAT statements:
no route-map NAT1
no route-map NAT2
route-map NAT2 permit 10
match ip address 2
match interface FastEthernet1
route-map NAT1 permit 10
match ip address 1
match interface FastEthernet0
Regards.
Alain.
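A small Python model of the evaluation order this thread converges on, added here as an illustration and not code from the thread or from Cisco. The interface names, addresses and ACLs are the ones in Glenn's config; the assumption is that IOS first picks the egress interface (PBR on Vlan1, else the default route) and only then evaluates the NAT route-maps on their match clauses, ignoring any set clause, which is why the original NAT maps produced a packet leaving f0 with f1's address.

```python
# Added example: model of PBR + NAT route-map evaluation for the two-WAN setup.
# Assumption (not stated on the page): NAT looks only at its match clauses
# after routing/PBR has already chosen the egress interface.
import ipaddress

WAN = {"FastEthernet0": "192.168.0.110", "FastEthernet1": "192.168.1.2"}
ACL = {1: "192.168.2.0/24", 2: "192.168.3.0/24"}      # access-list 1 / 2

def in_acl(acl_no, src):
    return ipaddress.ip_address(src) in ipaddress.ip_network(ACL[acl_no])

def choose_egress(src, pbr):
    """PBR on Vlan1: first matching clause wins; otherwise the default route."""
    for acl_no, iface in pbr:
        if in_acl(acl_no, src):
            return iface
    return "FastEthernet0"       # ip route 0.0.0.0 0.0.0.0 FastEthernet0

def translate(src, egress, nat_maps):
    """NAT route-map: all match clauses must hold; set clauses are ignored.
    Returns (egress, new_source); new_source is None when no map matched,
    i.e. the packet would leave untranslated with its private address."""
    for acl_no, match_iface, nat_iface in nat_maps:
        if in_acl(acl_no, src) and match_iface in (None, egress):
            return egress, WAN[nat_iface]
    return egress, None

def forward(src, pbr, nat_maps):
    return translate(src, choose_egress(src, pbr), nat_maps)

# Original post: no PBR, NAT maps effectively match on the ACL only
# (their 'set interface' lines do not influence NAT).
ORIGINAL_NAT = [(1, None, "FastEthernet0"), (2, None, "FastEthernet1")]
# Final advice: PBR picks the egress; NAT maps match ACL *and* egress interface.
PBR = [(1, "FastEthernet0"), (2, "FastEthernet1")]
FIXED_NAT = [(1, "FastEthernet0", "FastEthernet0"),
             (2, "FastEthernet1", "FastEthernet1")]

if __name__ == "__main__":
    for src in ("192.168.2.5", "192.168.3.5"):    # the two test PCs
        print("original", src, forward(src, [], ORIGINAL_NAT))
        print("fixed   ", src, forward(src, PBR, FIXED_NAT))
```

With the original maps the .3.5 host is routed out FastEthernet0 but translated to FastEthernet1's address, exactly the symptom in the first post; with PBR plus interface-matched NAT maps each subnet leaves its own WAN port with that port's address.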
10-22-2011 08:20 PM
Hi Glenn
See the below document, which will help you do the setup. Also you can use IP SLA with the PBR for redundancy of both links in case one link is down (optional).
https://supportforums.cisco.com/docs/DOC-8313
Hope this helps.
If helpful, rate.