03-23-2014 10:29 AM - edited 03-04-2019 10:38 PM
I'm having issues setting up a 1921 router with dual ADSL lines for failover. For some reason internet traffic keeps using Dialer 1 as the primary internet connection, while Dialer 2 should be primary. Also, when I end my NAT ACL with permit any any, it translates the public IP of Dialer 2 to Dialer 1 before it sends the traffic out to the internet.
This is my config:
!
interface GigabitEthernet0/0
description voice netwerk
ip address 192.168.77.254 255.255.255.0
ip helper-address 192.168.177.1
ip helper-address 192.168.177.254
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface GigabitEthernet0/1
description inside interface
ip address 192.168.177.254 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface ATM0/0/0
description ADSL 1/10 Mb Tele2
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
shutdown
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
!
interface Ethernet0/1/0
description VDSL 5/50 Mb KPN
no ip address
!
interface Ethernet0/1/0.6
description KPN VDSL
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 2
service-policy output parent-policy
!
interface Dialer1
description ADSL Tele2
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
ppp authentication chap callin
ppp pap sent-username **************
no cdp enable
crypto map SAL_map
!
interface Dialer2
description VDSL KPN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1400
load-interval 30
dialer pool 2
ppp authentication pap callin
ppp pap sent-username **************************
no cdp enable
crypto map SAL_map_VDSL
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!
ip sla auto discovery
ip sla 10
icmp-echo 62.69.174.75 source-interface Dialer2
timeout 30000
frequency 30
ip sla schedule 10 life forever start-time now
!
access-list 102 deny ip 192.168.177.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.178.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.179.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.177.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 102 deny ip any 192.168.255.0 0.0.0.255
access-list 102 deny ip any 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 permit ip 192.168.177.0 0.0.0.255 any
access-list 102 permit ip 192.168.77.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map nonat2 permit 10
match ip address 102
set interface Dialer2
!
route-map nonat permit 10
match ip address 102
set interface Dialer1
The ACL is built to exclude some private IPs that are IPsec VPN destinations.
Any suggestions on what I am missing? It should use Dialer 2 as the primary internet connection and fail over to Dialer 1 if the IP SLA fails. The SLA config seems to work fine:
sh ip route
S* 0.0.0.0/0 is directly connected, Dialer2
84.0.0.0/32 is subnetted, 1 subnets
C 84.246.25.231 is directly connected, Dialer1
145.131.0.0/32 is subnetted, 1 subnets
C 145.131.131.112 is directly connected, Dialer2
192.168.77.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.77.0/24 is directly connected, GigabitEthernet0/0
L 192.168.77.254/32 is directly connected, GigabitEthernet0/0
192.168.177.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.177.0/24 is directly connected, GigabitEthernet0/1
L 192.168.177.254/32 is directly connected, GigabitEthernet0/1
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
S 192.168.254.0/24 is directly connected, Dialer2
S 192.168.254.37/32 [1/0] via 77.241.229.241
S 192.168.255.0/24 is directly connected, Dialer1
212.121.121.0/32 is subnetted, 1 subnets
C 212.121.121.183 is directly connected, Dialer2
213.144.228.0/32 is subnetted, 1 subnets
C 213.144.228.72 is directly connected, Dialer1
03-23-2014 11:47 AM
http://docwiki.cisco.com/wiki/Category:NAT
The document above states: "Beware of using ACL for NAT with "permit ip any any" as you can get unpredictable results." I suggest that you use "route-map nonat/nonat2 permit 20" instead of "permit any any".
For the rest, modify the config as follows:
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Dialer2
timeout 30000
frequency 30
ip sla schedule 10 life forever start-time now
!
ip route 8.8.8.8 255.255.255.255 dialer2 permanent
!
!
route-map nonat2 permit 10
match ip address 102
match interface Dialer2
!
route-map nonat permit 10
match ip address 102
match interface Dialer1
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
event manager applet NAT-TRACK
event track 1 state any
action 0.1 cli command "enable"
action 0.2 wait 2
action 0.3 cli command "clear ip nat translations forced"
action 0.4 syslog msg "NAT translation cleared after track state change"
!
-Vishesh
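The difference between the two route-map styles, as an added Python model written for this thread (it is not IOS code and not the poster's or Vishesh's configuration): with only `set interface`, both route-maps match the same ACL 102, so a flow that routing already sent out Dialer2 can still be translated to Dialer1's address, while `match interface` ties each NAT pool to the egress dialer whatever order the `ip nat inside source` statements have. The ACL is reduced to prefix checks, and the rule that NAT tries the statements in configured order and ignores `set interface` is a modelling assumption, not a documented IOS guarantee.

```python
from typing import List, Optional
from dataclasses import dataclass

# Constructed stand-in for the thread's ACL 102: the two inside subnets may be
# translated, traffic to the IPsec VPN subnets must not be. Prefix checks only.
INSIDE_SUBNETS = ("192.168.177.", "192.168.77.")
VPN_DESTINATIONS = ("192.168.254.", "192.168.255.", "192.168.178.", "192.168.179.")

def acl_102_permits(src: str, dst: str) -> bool:
    return src.startswith(INSIDE_SUBNETS) and not dst.startswith(VPN_DESTINATIONS)

@dataclass
class NatRule:
    """One 'ip nat inside source route-map ... interface <pool_if> overload'.
    match_if models a 'match interface' clause; None means the route-map only
    has 'set interface', which NAT does not use as a match criterion."""
    pool_if: str
    match_if: Optional[str] = None

def translate(rules: List[NatRule], src: str, dst: str, egress_if: str) -> Optional[str]:
    """Interface whose address the packet is translated to, or None if untranslated.
    Modelling assumption: routing has already chosen egress_if, rules are tried in
    configured order and the first route-map that matches wins."""
    if not acl_102_permits(src, dst):
        return None
    for rule in rules:
        if rule.match_if is None or rule.match_if == egress_if:
            return rule.pool_if
    return None

def pool_follows_egress(rules: List[NatRule]) -> bool:
    """True when a translated packet always carries the address of the dialer it
    leaves on, whichever dialer routing picked and whichever order the rules have."""
    for ordering in (rules, list(reversed(rules))):
        for egress in ("Dialer1", "Dialer2"):
            if translate(ordering, "192.168.177.10", "203.0.113.9", egress) != egress:
                return False
    return True

# As posted: both route-maps match only ACL 102 and differ only in 'set interface'.
ORIGINAL = [NatRule("Dialer1"), NatRule("Dialer2")]
# As suggested: 'match interface' ties each NAT pool to its own egress dialer.
FIXED = [NatRule("Dialer1", "Dialer1"), NatRule("Dialer2", "Dialer2")]

if __name__ == "__main__":
    # A flow routed out Dialer2 (the tracked default) gets Dialer1's address as posted.
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, translate(rules, "192.168.177.10", "203.0.113.9", "Dialer2"),
              pool_follows_egress(rules))
```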
03-24-2014 02:27 AM
Hi Vishesh, thx for your reply. I am not sure what you mean by permit 20 instead of permit any any. I am using ACL 102 now and removed permit any any, but it still uses Dialer 1 as the primary internet link. Do you mean one of the route-maps should have sequence number 20?
03-25-2014 01:34 AM
I have tried to add the Dialer 1 route-map as a permit 20 in nonat2 and then apply it to both NAT statements, but that does not work. When you use the same route-map for your NAT statements (ip nat inside source nonat.... etc.), the second statement overwrites the first.
So I do need two route-maps. The only thing I am unsure about now is how the dialer is selected: is it possible that Dialer 1 is always preferred over Dialer 2? So do I need to change the sequence number?
04-06-2014 06:44 AM
Ah, I see the difference now. I have used match interface instead of set interface now and it works like a dream. Thx!