cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2394
Views
0
Helpful
1
Replies

2900 series ISR G2 config for dual WAN

abbottscisco
Level 1
Level 1

Hi I was hoping someone could take a look at my current config and help me get this router into production. I have two WANs one primary ADSL2+ and seconday SHDSL.

1. I want traffic to failback to secondary if primary fails.

2. I want https traffic destined for static ip on seconday to exit on seconday. This is a SHDSL gateway for citrix remote access.

3. I have a couple of static IP's that are routed to primary.

I just hope this makes sense. I look forward to any suggestions.

Building configuration...

Current configuration : 9044 bytes
!
! Last configuration change at 08:48:31 PCTime Mon Jul 23 2012 by admin
! NVRAM config last updated at 08:48:53 PCTime Mon Jul 23 2012 by admin
! NVRAM config last updated at 08:48:53 PCTime Mon Jul 23 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$..OT$dtv1TXk8LlHrbLU6NMQbU0
!
no aaa new-model
!
clock timezone PCTime 8 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name abbotts.local
ip name-server 192.168.10.3
!
multilink bundle-name authenticated
!
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2137416767
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2137416767
revocation-check none
rsakeypair TP-self-signed-2137416767
!
!
crypto pki certificate chain TP-self-signed-2137416767
certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313337 34313637 3637301E 170D3132 30373035 31323138
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31333734
  31363736 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D12A 37F5EF0A 8B37AC10 39C6EF84 69963E70 E9742771 482C4EB1 21FEA24C
  F226D3FB 573AA1BC 64A3EBAE 84C46A46 6EFFD776 5FCEACEF 511C5A0C 47625415
  717ABA8E B4FEF213 391BCAE8 16C93A27 A5837D76 269D2759 FBEC2BF8 47B56A0A
  5123B860 4CE4B67A 93367BEF 5A9CB7C7 1FC47F5C 7B1CCF71 B8891C34 3752ED3D
  E4F70203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06726F75 74657230 1F060355 1D230418 30168014 3696FB0F
  2415CE76 791924E5 2EB741F4 7B3E7555 301D0603 551D0E04 16041436 96FB0F24
  15CE7679 1924E52E B741F47B 3E755530 0D06092A 864886F7 0D010104 05000381
  81000A22 A9D9402E 7899A67B 43E92C52 EF97A365 22C16FF5 2DBEDFE2 BE6D4B56
  38F64AE9 06253C57 C341717B 2B421F77 62AEC25C A01BA1CC 3C6A110C A4EF972C
  4D478C10 515CB35A 7EFB0443 B27081C1 BA67E06A 660066E0 DD9C0D71 0FEFA2C4
  68585A6E 3A484CDB 53806C45 369964EE 465FA6B2 88A8D568 B8D8E548 8CAFE9CA E3B4
   quit
license udi pid CISCO2921/K9 sn FGL154510X1
license boot module c2900 technology-package datak9
!
!
username admin privilege 15 password 7 047A07120A201C1E5E
!
redundancy
!
!
!
!
controller SHDSL 0/0/0
dsl-group 0 pairs  0
  shdsl rate auto
!
!
controller VDSL 0/1/0
!
!
track 1 ip sla 1 reachability
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN interface$FW_INSIDE$
ip address 192.168.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
ip policy route-map CITRIX
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 2
!
!
interface Ethernet0/1/0
no ip address
shutdown
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
description To ISP SHDSL$FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname abbottsshdsl
ppp chap password 7 0207065904121B32
!
interface Dialer1
description To ISP ADSL2+$FW_OUTSIDE$
ip address 116.212.218.155 255.255.255.0
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname abbottsadsl
ppp chap password 7 1437302923301E7E
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map Primary interface Dialer1 overload
ip nat inside source route-map Secondary interface Dialer0 overload
ip nat inside source static tcp 192.168.10.3 21 116.212.218.115 21 extendable
ip nat inside source static tcp 192.168.10.22 25 116.212.218.115 25 extendable
ip nat inside source static tcp 192.168.10.3 1723 116.212.218.115 1723 extendable
ip nat inside source static tcp 192.168.10.3 443 203.161.11.229 443 extendable
ip nat inside source static tcp 192.168.10.13 443 203.161.99.236 443 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 200
ip route 4.2.2.2 255.255.255.255 Dialer1 permanent
!
ip access-list extended CITRIX
permit tcp host 192.168.10.13 eq 443 any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
ip sla 1
icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map CITRIX permit 10
match ip address CITRIX
set interface Dialer0
!
route-map Primary permit 10
match interface Dialer1
!
route-map Secondary permit 10
match interface Dialer0
!
!
!
control-plane
!
!
!
line con 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 047A07120A201C1E5E
login local
transport input telnet ssh
line vty 5 1114
privilege level 15
password 7 047A07120A201C1E5E
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

1 Reply 1

cadet alain
VIP Alumni
VIP Alumni

Hi,

can you try this:

no ip route 4.2.2.2 255.255.255.255 Dialer1 permanent

access-list 101 permit icmp any host 4.2.2.2

ip local policy route-map SLA_PROBE

route-map Primary permit 10

match interface Dialer1

match ip address 1

route-map Secondary permit 10

match interface Dialer0

match ip address 1

route-map SLA_PROBE permit 10

match ip address 101

ip nat inside source static tcp 192.168.10.3 21 116.212.218.115 21 extendable

ip nat inside source static tcp 192.168.10.22 25 116.212.218.115 25 extendable

ip nat inside source static tcp 192.168.10.3 21 int dialer0 21 extendable

ip nat inside source static tcp 192.168.10.22 25 int dialer0 25 extendable

ip nat inside source static tcp 192.168.10.3 1723 116.212.218.115 1723 extendable

ip nat inside source static tcp 192.168.10.3 1723 int dialer0 1723 extendable

no ip nat inside source static tcp 192.168.10.3 443 203.161.11.229 443 extendable

no ip nat inside source static tcp 192.168.10.13 443 203.161.99.236 443 extendable

ip nat inside source static tcp 192.168.10.3 443 int dialer0 443 extendable

ip nat inside source static tcp 192.168.10.13 443 int dialer0 443 extendable

ip nat inside source static tcp 192.168.10.3 443 116.212.218.115 443 extendable

ip nat inside source static tcp 192.168.10.13 443 116.212.218.115 443 extendable

Regards.

Alain.

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card