1921 router with dual ADSL nat problem

svansteensel
Level 1

I'm having issues with setting up a 1921 router with dual ADSL lines for failover. For some reason internet traffic keeps using dialer 1 as primary internet connection, while dialer 2 should be primary. Also when I end my NAT acl with permit any any, it translates the public ip of dialer 2 to dialer 1 before it sends it out in the internet.

This is my config:

!
interface GigabitEthernet0/0
 description voice netwerk
 ip address 192.168.77.254 255.255.255.0
 ip helper-address 192.168.177.1
 ip helper-address 192.168.177.254
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description inside interface
 ip address 192.168.177.254 255.255.255.0
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface ATM0/0/0
 description ADSL 1/10 Mb Tele2
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0/0/0
 no ip address
 shutdown
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface Ethernet0/1/0
 description VDSL 5/50 Mb KPN
 no ip address
!
interface Ethernet0/1/0.6
 description KPN VDSL
 encapsulation dot1Q 6
 pppoe enable group global
 pppoe-client dial-pool-number 2
 service-policy output parent-policy
!
interface Dialer1
 description ADSL Tele2 
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username **************
 no cdp enable
 crypto map SAL_map
!
interface Dialer2
 description VDSL KPN 
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 load-interval 30
 dialer pool 2
 ppp authentication pap callin
 ppp pap sent-username **************************
 no cdp enable
 crypto map SAL_map_VDSL
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!

ip sla auto discovery
ip sla 10
 icmp-echo 62.69.174.75 source-interface Dialer2
 timeout 30000
 frequency 30
ip sla schedule 10 life forever start-time now
!

access-list 102 deny   ip 192.168.177.0 0.0.0.255 host 192.168.1.249
access-list 102 deny   ip 192.168.178.0 0.0.0.255 host 192.168.1.249
access-list 102 deny   ip 192.168.179.0 0.0.0.255 host 192.168.1.249
access-list 102 deny   ip 192.168.177.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 102 deny   ip any 192.168.255.0 0.0.0.255
access-list 102 deny   ip any 192.168.254.0 0.0.0.255
access-list 102 deny   ip 192.168.177.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny   ip 192.168.177.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny   ip 192.168.177.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny   ip 192.168.177.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 permit ip 192.168.177.0 0.0.0.255 any
access-list 102 permit ip 192.168.77.0 0.0.0.255 any
!

dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map nonat2 permit 10
 match ip address 102
 set interface Dialer2
!
route-map nonat permit 10
 match ip address 102
 set interface Dialer1

The ACL is built to exclude some private IPs for IPsec VPN destinations.


Any suggestions on what I am missing? It should use dialer 2 as primary internet connection and failover to dialer 1 if IP SLA fails. The SLA config seems to work fine:

sh ip route

S*    0.0.0.0/0 is directly connected, Dialer2
      84.0.0.0/32 is subnetted, 1 subnets
C        84.246.25.231 is directly connected, Dialer1
      145.131.0.0/32 is subnetted, 1 subnets
C        145.131.131.112 is directly connected, Dialer2
      192.168.77.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.77.0/24 is directly connected, GigabitEthernet0/0
L        192.168.77.254/32 is directly connected, GigabitEthernet0/0
      192.168.177.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.177.0/24 is directly connected, GigabitEthernet0/1
L        192.168.177.254/32 is directly connected, GigabitEthernet0/1
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
S        192.168.254.0/24 is directly connected, Dialer2
S        192.168.254.37/32 [1/0] via 77.241.229.241
S     192.168.255.0/24 is directly connected, Dialer1
      212.121.121.0/32 is subnetted, 1 subnets
C        212.121.121.183 is directly connected, Dialer2
      213.144.228.0/32 is subnetted, 1 subnets
C        213.144.228.72 is directly connected, Dialer1
Accepted Solution

Vishesh Verma
Level 1

http://docwiki.cisco.com/wiki/Category:NAT

Document above states "Beware of using ACL for NAT with "permit ip any any" as you can get unpredictable results." I suggest that you use the "route-map nonat/nonat2 permit 20" instead of "permit any any"

 

For the remaining, modify the config as follows:

!
ip sla 10
 icmp-echo 8.8.8.8 source-interface Dialer2
 timeout 30000
 frequency 30
ip sla schedule 10 life forever start-time now
!
ip route 8.8.8.8 255.255.255.255 dialer2 permanent
!
route-map nonat2 permit 10
 match ip address 102
 match interface Dialer2
!
route-map nonat permit 10
 match ip address 102
 match interface Dialer1
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
event manager applet NAT-TRACK
 event track 1 state any
 action 0.1 cli command "enable"
 action 0.2 wait 2
 action 0.3 cli command "clear ip nat translations forced"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!

 

-Vishesh


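To make the accepted answer's point checkable, here is an added Python config audit (written for this page, not code from the thread or from Cisco): it parses the `ip nat inside source route-map ... interface ... overload` statements and the route-map stanzas, and flags any NAT route-map that does not pin its egress dialer with `match interface`. It assumes the IOS behaviour the fix relies on, namely that NAT evaluates a route-map's match clauses and not its set clauses; the two config excerpts are constructed from the lines posted in the thread.

```python
import re
# Constructed excerpt reproducing the thread's original NAT and route-map lines.
BROKEN_CFG = """\
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
route-map nonat2 permit 10
 match ip address 102
 set interface Dialer2
!
route-map nonat permit 10
 match ip address 102
 set interface Dialer1
"""
# The accepted fix: pin each route-map to its egress dialer with a match clause.
FIXED_CFG = BROKEN_CFG.replace("set interface", "match interface")
NAT_RE = re.compile(r"^ip nat inside source route-map (\S+) interface (\S+) overload", re.M)
RM_RE = re.compile(r"^route-map (\S+) (permit|deny) (\d+)")

def parse_route_maps(cfg):
    """Return {name: [(action, seq, [lower-cased clause, ...]), ...]}."""
    maps, current = {}, None
    for line in cfg.splitlines():
        m = RM_RE.match(line)
        if m:
            current = (m.group(2), int(m.group(3)), [])
            maps.setdefault(m.group(1), []).append(current)
        elif current is not None and line.startswith(" "):
            current[2].append(line.strip().lower())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return maps

def audit_nat_route_maps(cfg):
    """Map each NAT route-map name to (egress interface, verdict).
    'set-interface-ignored' is the thread's bug: NAT evaluates only match
    clauses, so both route-maps matched every inside flow and Dialer1 won."""
    maps, report = parse_route_maps(cfg), {}
    for m in NAT_RE.finditer(cfg):
        name, intf = m.groups()
        clauses = [c for act, _, cl in maps.get(name, []) if act == "permit" for c in cl]
        if f"match interface {intf.lower()}" in clauses:
            verdict = "ok"
        elif any(c.startswith("set interface") for c in clauses):
            verdict = "set-interface-ignored"
        else:
            verdict = "no-interface-match"
        report[name] = (intf, verdict)
    return report
```

Running `audit_nat_route_maps` on the broken excerpt reports both route-maps as `set-interface-ignored`; on the fixed one both come back `ok`.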
5 Replies

svansteensel
Level 1

Hi Vishesh, thx for your reply. I am not sure what you mean by permit 20 instead of permit any any. I am using ACL 102 now and removed permit any any, but still it uses dialer 1 as primary internet link. Do you mean one of the route-maps should have sequence no. 20?

I have tried to add the dialer 1 route-map as a permit 20 in the nonat2 and then apply it to both NAT statements, but that does not work. When you use the same route-map for your NAT statement (ip nat inside source nonat....etc) the second statement overwrites the first.

So I do need 2 route-maps. The only thing I am doubting about now is how the dialer is selected, is it possible that dialer 1 is always preferred over dialer 2? So I need to change the sequence number?

Ah, I see the difference now. I have used match interface instead of set interface now and it works like a dream. Thx!

