03-23-2014 10:29 AM - edited 03-04-2019 10:38 PM
I'm having issues with setting up a 1921 router with dual ADSL lines for failover. For some reason internet traffic keeps using dialer 1 as primary internet connection, while dialer 2 should be primary. Also when I end my NAT acl with permit any any, it translates the public ip of dialer 2 to dialer 1 before it sends it out in the internet.
This is my config:
!
interface GigabitEthernet0/0
description voice netwerk
ip address 192.168.77.254 255.255.255.0
ip helper-address 192.168.177.1
ip helper-address 192.168.177.254
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface GigabitEthernet0/1
description inside interface
ip address 192.168.177.254 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface ATM0/0/0
description ADSL 1/10 Mb Tele2
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
shutdown
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
!
interface Ethernet0/1/0
description VDSL 5/50 Mb KPN
no ip address
!
interface Ethernet0/1/0.6
description KPN VDSL
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 2
service-policy output parent-policy
!
interface Dialer1
description ADSL Tele2
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
ppp authentication chap callin
ppp pap sent-username **************
no cdp enable
crypto map SAL_map
!
interface Dialer2
description VDSL KPN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
load-interval 30
dialer pool 2
ppp authentication pap callin
ppp pap sent-username **************************
no cdp enable
crypto map SAL_map_VDSL
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!
ip sla auto discovery
ip sla 10
icmp-echo 62.69.174.75 source-interface Dialer2
timeout 30000
frequency 30
ip sla schedule 10 life forever start-time now
!
access-list 102 deny ip 192.168.177.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.178.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.179.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.177.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 102 deny ip any 192.168.255.0 0.0.0.255
access-list 102 deny ip any 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 permit ip 192.168.177.0 0.0.0.255 any
access-list 102 permit ip 192.168.77.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map nonat2 permit 10
match ip address 102
set interface Dialer2
!
route-map nonat permit 10
match ip address 102
set interface Dialer1
The ACL is built to exclude some private IPs for IPsec VPN destinations.
Any suggestions on what I am missing? It should use dialer 2 as primary internet connection and failover to dialer 1 if IP SLA fails. The SLA config seems to work fine:
sh ip route
S* 0.0.0.0/0 is directly connected, Dialer2
84.0.0.0/32 is subnetted, 1 subnets
C 84.246.25.231 is directly connected, Dialer1
145.131.0.0/32 is subnetted, 1 subnets
C 145.131.131.112 is directly connected, Dialer2
192.168.77.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.77.0/24 is directly connected, GigabitEthernet0/0
L 192.168.77.254/32 is directly connected, GigabitEthernet0/0
192.168.177.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.177.0/24 is directly connected, GigabitEthernet0/1
L 192.168.177.254/32 is directly connected, GigabitEthernet0/1
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.254.0/24 is directly connected, Dialer2
S 192.168.254.37/32 [1/0] via 77.241.229.241
S 192.168.255.0/24 is directly connected, Dialer1
212.121.121.0/32 is subnetted, 1 subnets
C 212.121.121.183 is directly connected, Dialer2
213.144.228.0/32 is subnetted, 1 subnets
C 213.144.228.72 is directly connected, Dialer1
03-23-2014 11:47 AM
http://docwiki.cisco.com/wiki/Category:NAT
Document above states "Beware of using ACL for NAT with "permit ip any any" as you can get unpredictable results." I suggest that you use the "route-map nonat/nonat2 permit 20" instead of "permit any any"
For the rest, modify the config as follows:
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Dialer2
timeout 30000
frequency 30
ip sla schedule 10 life forever start-time now
!
ip route 8.8.8.8 255.255.255.255 dialer2 permanent
!
!
route-map nonat2 permit 10
match ip address 102
match interface Dialer2
!
route-map nonat permit 10
match ip address 102
match interface Dialer1
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
event manager applet NAT-TRACK
event track 1 state any
action 0.1 cli command "enable"
action 0.2 wait 2
action 0.3 cli command "clear ip nat translations forced"
action 0.4 syslog msg "NAT translation cleared after track state change"
!
-Vishesh
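A consolidated version of the fix above, as an added example rather than the poster's or Vishesh's own configuration. It assumes the `track 1` object referenced by the default route (never shown in the thread) is a reachability track on `ip sla 10`, and the `delay down/up` timers on it are an assumption; everything else uses the thread's own interface names, SLA timers and NAT statements.

```cisco
! --- Primary/backup default routes: Dialer2 (KPN VDSL) is preferred while
! --- track 1 is up; Dialer1 (Tele2 ADSL) is a floating static with AD 254.
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!
! --- ASSUMPTION: the track object is not shown in the thread. A reachability
! --- track on the SLA probe is what makes the "track 1" route conditional.
! --- The delay timers (also an assumption) damp flapping on a marginal line.
track 1 ip sla 10 reachability
 delay down 10 up 30
!
! --- Probe 8.8.8.8 out of Dialer2 only. The permanent host route pins the probe
! --- to Dialer2: without it, after failover the probe would be routed via
! --- Dialer1, succeed, and flap the default route back to a dead link.
ip sla 10
 icmp-echo 8.8.8.8 source-interface Dialer2
 timeout 30000
 frequency 30
ip sla schedule 10 life forever start-time now
ip route 8.8.8.8 255.255.255.255 Dialer2 permanent
!
! --- NAT selection by egress interface. "match interface" tests the interface
! --- the routing table already chose, so the Dialer2 translation is used only
! --- when the packet really leaves via Dialer2. "set interface" is a
! --- policy-routing action; it does not constrain which NAT statement
! --- matches, so the first statement (Dialer1) kept winning.
! --- ACL 102 denies the IPsec-interesting traffic so it reaches the crypto
! --- maps untranslated.
route-map nonat permit 10
 match ip address 102
 match interface Dialer1
!
route-map nonat2 permit 10
 match ip address 102
 match interface Dialer2
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
! --- Flush stale translations when the track flips either way, so existing
! --- flows are re-translated with the address of the link now carrying them.
event manager applet NAT-TRACK
 event track 1 state any
 action 0.1 cli command "enable"
 action 0.2 wait 2
 action 0.3 cli command "clear ip nat translations forced"
 action 0.4 syslog msg "NAT translation cleared after track state change"
```

To confirm the behaviour, check `show track 1` (state Up, with the SLA reachability shown), `show ip sla statistics 10` (probe success and RTT), and `show ip nat translations` after generating traffic: every outside-global address should be the Dialer2 address while the track is up, and the Dialer1 address only after it goes down. Note that `clear ip nat translations forced` drops every active translated session on a state change, so a flapping primary line will be felt by users; the track delay timers exist to limit that.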
03-24-2014 02:27 AM
Hi Vishesh, thanks for your reply. I am not sure what you mean by permit 20 instead of permit any any. I am using ACL 102 now and removed permit any any, but still it uses dialer 1 as primary internet link. Do you mean one of the route maps should have sequence no 20?
03-25-2014 01:34 AM
I have tried to add the dialer 1 route-map as a permit 20 in the nonat2 and then apply it to both NAT statements, but that does not work. When you use the same route-map for your NAT statement (ip nat inside source nonat....etc) the second statement overwrites the first.
So I do need 2 route-maps. The only thing I am doubting about now is how the dialer is selected, is it possible that dialer 1 is always preferred over dialer 2? So I need to change the sequence number?
04-06-2014 06:44 AM
Ah, I see the difference now. I have used match interface instead of set interface now and it works like a dream. Thanks!