09-18-2019 10:17 AM
Hello, I'm having trouble getting NAT to work with two WAN interfaces dynamically. We don't have a range of IPs to create a pool from each ISP, so I was just doing a NAT overload on the individual interface. Below is our configuration with any public IPs and crypto map passwords removed. We are running version 15.5(3)M9 on a 1921 Verizon Cellular Router. We are up and running on the Verizon Cell interface, but we have another WAN interface configured with a static IP from a DSL provider.
Whenever we send traffic down the DSL interface (Gi0/1), pings work, but when web traffic is generated it stops working; my guess is NAT. I think the trouble lies with the command "ip nat inside source list NAT interface Cellular0/0/0 overload": it is only doing a NAT overload on the Cellular0/0/0 interface, when I need it to do an overload on Cellular0/0/0 and Gi0/1. I have the dynamic routing up and running using metrics: the default route with metric 1 goes out the DSL, while the default route with metric 254 goes out the cellular interface.
What can I do for a NAT overload command for dynamic WAN interfaces? I want the primary to go out Gi0/1, and if that connection goes down, fail over and NAT overload down Cellular0/0/0. Also, we have it forming a site-to-site VPN tunnel back to our corporate office. It works great over Cell currently. Any assistance would help greatly!
Running Configuration
----------------------
hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name ats-inc.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key XXXX
authentication remote pre-share key XXXX
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC6
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip tftp source-interface Vlan1
ip nat inside source list NAT interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.4 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 209.188.100.0 0.0.0.255
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
dialer-list 1 protocol ip list 1
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
09-18-2019 10:57 AM - edited 09-18-2019 11:05 AM
Hello
A couple of things: your two default static routes don't have a condition set on them, meaning if the primary interface went down that primary static route would still be applied to the RIB and could thus black-hole traffic.
Also, in your NAT ACL I see a subnet 192.168.33.0/24, but I don't see any L3 interface for it, so I am assuming it is hanging off the LAN interface; if so, you'll need a static route on the router pointing to that subnet.
You could try this possible config:
conf t
no ip nat inside source list NAT interface Cellular0/0/0 overload
no ip route 0.0.0.0 0.0.0.0 1.2.3.4 1
ip sla 1
icmp-echo 8.8.8.8 source-interface gig0/1
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 8.8.8.8 255.255.255.255 null 2
ip route 0.0.0.0 0.0.0.0 1.2.3.4 1 track 1
ip route 192.168.33.0 255.255.255.0 vlan 1   <--- wherever this subnet resides; the assumption is it's off the LAN interface?
route-map LAN permit 10
match ip address NAT
match interface gig0/1
route-map LAN2 permit 10
match ip address NAT
match interface Cellular0/0/0
ip nat inside source route-map LAN interface gig0/1 overload
ip nat inside source route-map LAN2 interface Cellular0/0/0 overload
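To make the difference between the original single NAT statement and the route-map version concrete, here is a small model of how IOS picks a translation for an inside-to-outside packet. It is an added example written for this thread, not code from the router or from the poster above: the NAT ACL and the two default routes are copied from the thread, the cellular address (198.51.100.7) and the destinations are constructed test addresses, and the routing step is reduced to "tracked DSL default wins while track 1 is up". The point it demonstrates is that `ip nat inside source list NAT interface Cellular0/0/0 overload` has no condition on the egress interface, so a packet leaving Gi0/1 is still given the cellular address, whereas the route-maps with `match interface` tie the translated address to the interface the packet actually leaves on, and the `deny` entries keep the VPN-bound traffic untranslated so crypto ACL 101 still sees the real source.

```python
"""Model of IOS dynamic NAT overload selection: ACL-bound vs route-map-bound.

Added example for the thread above, not router code. The ACL and static
routes mirror the posted config; IFACE_ADDR and the packet addresses are
constructed test values.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


# ip access-list extended NAT from the thread: (action, src, src-wc, dst, dst-wc)
ACL_NAT = [
    ("deny",   "10.10.33.0", "0.0.0.255", "172.16.0.0",  "0.15.255.255"),
    ("deny",   "10.10.33.0", "0.0.0.255", "10.0.0.0",    "0.255.255.255"),
    ("deny",   "10.10.33.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "10.10.33.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),  # "any"
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; implicit deny at the end of the list."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


# Interface addresses: 1.2.3.4 is the sanitised Gi0/1 address from the thread,
# the cellular address is a constructed TEST-NET value.
IFACE_ADDR = {"GigabitEthernet0/1": "1.2.3.4", "Cellular0/0/0": "198.51.100.7"}

# A NAT rule is (acl, required egress interface or None, interface whose address is used).
# Original statement: no egress condition at all.
RULES_ORIGINAL = [(ACL_NAT, None, "Cellular0/0/0")]
# Route-map version from the accepted answer: "match interface" adds the egress condition.
RULES_ROUTEMAP = [
    (ACL_NAT, "GigabitEthernet0/1", "GigabitEthernet0/1"),
    (ACL_NAT, "Cellular0/0/0", "Cellular0/0/0"),
]


def pick_egress(track_up: bool) -> str:
    """Static defaults from the thread: tracked DSL route (AD 1) vs cellular (AD 254).
    When track 1 is down the tracked route is withdrawn, so only the cellular default remains."""
    candidates = [(254, "Cellular0/0/0")]
    if track_up:
        candidates.append((1, "GigabitEthernet0/1"))
    return min(candidates)[1]


def translate(rules, src: str, dst: str, egress: str):
    """Return the translated source address, or None when the packet is not NATed."""
    for acl, match_if, nat_if in rules:
        if match_if is not None and match_if != egress:
            continue  # route-map "match interface" fails for this egress
        if acl_permits(acl, src, dst):
            return IFACE_ADDR[nat_if]
    return None


def simulate(rules, src: str, dst: str, track_up: bool):
    """(egress interface, translated source) for one inside-to-outside packet."""
    egress = pick_egress(track_up)
    return egress, translate(rules, src, dst, egress)


if __name__ == "__main__":
    for name, rules in (("original", RULES_ORIGINAL), ("route-map", RULES_ROUTEMAP)):
        for up in (True, False):
            print(name, "track up" if up else "track down",
                  simulate(rules, "10.10.33.50", "203.0.113.10", up))
    print("VPN-bound", simulate(RULES_ROUTEMAP, "10.10.33.50", "172.17.60.11", True))
```

With the original rule set the model reports egress `GigabitEthernet0/1` but source `198.51.100.7`, i.e. the packet leaves the DSL link carrying the cellular address; with the route-map rule set the same packet leaves with `1.2.3.4`, and after the track goes down it leaves via `Cellular0/0/0` with the cellular address. Traffic to 172.17.60.11 is returned untranslated in both cases because the `deny` entries in the NAT ACL match first.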
09-18-2019 11:12 AM
Ah, I follow. That 192.168.33.0 subnet I believe was an old loopback interface that's not in use, so I will disregard it.
In terms of your track commands, I'm having trouble putting that in; see below.
In theory, if I remove the overload statement in use now on the cell interface and do a route-map instead, it should work dynamically, is what you are saying?
track command troubles output:
at-lte-agent-33(config)#track 1 ?
  interface    Select an interface to track
  ip           IP protocol
  ipv6         IPv6 protocol
  list         Group objects in a list
  stub-object  Stub tracking object
at-lte-agent-33(config)#track 1 rtr ?
% Unrecognized command
09-18-2019 11:15 AM
09-18-2019 11:56 AM
Hello
I didn't take into account that you're administering this remotely, and given that you need to remove the primary default route and re-add it with a track, I would suggest adding the new default first and then removing the old one later.
Perform this part at the end of your change instead of at the beginning:
no ip nat inside source list NAT interface Cellular0/0/0 overload
no ip route 0.0.0.0 0.0.0.0 1.2.3.4 1
09-19-2019 10:29 AM
I got it working with this config, as well as the NAT timeouts from another post. I also updated the SLA policy to have a frequency of every 10 seconds. That 10-second SLA was the fix for me for it to stay on the secondary route map. Below is the winning config for those who are curious.
hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.33.1
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name ats-inc.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key keyhere
authentication remote pre-share key keyhere
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 1 ip sla 1 reachability
!
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip tftp source-interface Vlan1
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 20
ip nat translation finrst-timeout 20
ip nat translation syn-timeout 20
ip nat translation dns-timeout 20
ip nat translation icmp-timeout 20
ip nat inside source route-map CELL interface Cellular0/0/0 overload
ip nat inside source route-map DSL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 4.3.2.1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
frequency 10
dialer-list 1 protocol ip list 1
!
route-map CELL permit 10
match ip address NAT
match interface Cellular0/0/0
!
route-map DSL permit 10
match ip address NAT
match interface GigabitEthernet0/1
!
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
line con 0
logging synchronous
transport preferred none
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer lte
no exec
speed 144000
line vty 0 4
access-class Management in
exec-timeout 120 0
privilege level 15
logging synchronous
length 0
transport preferred none
transport input ssh
line vty 5 15
transport preferred none
transport input none
!
scheduler allocate 20000 1000
ntp server 172.16.1.160 source Vlan1
ntp server 172.16.1.161 source Vlan1
!
end
09-19-2019 10:38 AM
Good stuff! Does the VPN failover work as well?
09-19-2019 10:56 AM
Good to hear -
09-18-2019 12:25 PM
Hello,
you could also use two EEM scripts in conjunction with the IP SLA that simply remove the NAT overload statement for the unused interface. The configuration would look like the one below (the important parts are the track, the IP SLA, and the two event manager applets at the end). Also, exclude the IP address of the default router from the DHCP pool:
hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip dhcp excluded-address 10.10.33.1
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name ats-inc.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
track 1 ip sla 1
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key XXXX
authentication remote pre-share key XXXX
!
no crypto ikev2 http-url cert
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC6
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip tftp source-interface Vlan1
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 209.188.100.0 0.0.0.255
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
dialer-list 1 protocol ip list 1
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
!
ip sla 1
icmp-echo 8.8.8.8 source-interface gig0/1
ip sla schedule 1 life forever start-time now
!
event manager applet PRIMARY_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source list NAT interface GigabitEthernet0/1 overload"
action 4.0 cli command "ip nat inside source list NAT interface Cellular0/0/0 overload"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
!
event manager applet PRIMARY_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source list NAT interface Cellular0/0/0 overload"
action 4.0 cli command "ip nat inside source list NAT interface GigabitEthernet0/1 overload"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
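The applets above do two things on every track-state change: swap which WAN interface the NAT statement is bound to, and run `clear ip nat translation *`. The following model, added here for illustration and not code from the poster or from the router, shows why the clear step belongs there: PAT is stateful, and an entry created while Gi0/1 was the NAT interface carries Gi0/1's address, so a flow that continues after the swap would keep using that address unless the table is flushed. The addresses are the sanitised ones from the thread plus a constructed cellular address; the `Router` class and its port allocation are a simplified stand-in, not a claim about the exact behaviour of IOS when a NAT statement is removed with translations present.

```python
"""Model of the PRIMARY_DOWN / PRIMARY_UP EEM applets from the post above.

Added example, not router code. IFACE_ADDR uses the sanitised Gi0/1 address
from the thread and a constructed cellular address; the translation table is
a simplified stand-in for the router's PAT state.
"""
from dataclasses import dataclass, field

IFACE_ADDR = {"GigabitEthernet0/1": "1.2.3.4", "Cellular0/0/0": "198.51.100.7"}


@dataclass
class Router:
    # The statement installed before any applet fires (the posted config binds NAT to Gi0/1).
    nat_interface: str = "GigabitEthernet0/1"
    # PAT table: (inside source, source port) -> (outside address, outside port)
    translations: dict = field(default_factory=dict)
    next_port: int = 1024

    def nat_translate(self, inside_src: str, sport: int):
        """Reuse an existing entry for the flow, else allocate one on the current NAT interface."""
        key = (inside_src, sport)
        if key not in self.translations:
            self.translations[key] = (IFACE_ADDR[self.nat_interface], self.next_port)
            self.next_port += 1
        return self.translations[key]

    def on_track_change(self, state: str) -> str:
        """Mirror the applets: 'event track 1 state down' -> cellular, 'state up' -> Gi0/1."""
        wanted = "Cellular0/0/0" if state == "down" else "GigabitEthernet0/1"
        if wanted != self.nat_interface:
            # action 3.0 / 4.0: remove the old overload statement, add the new one
            self.nat_interface = wanted
            # action 6.0: clear ip nat translation *
            self.translations.clear()
        return self.nat_interface


def stale_entries(router: Router):
    """Entries whose outside address no longer belongs to the active NAT interface."""
    current = IFACE_ADDR[router.nat_interface]
    return [k for k, (addr, _) in router.translations.items() if addr != current]


def failover_demo(clear_on_switch: bool = True):
    """Return (outside address the flow uses after failover, number of stale entries)."""
    r = Router()
    r.nat_translate("10.10.33.50", 51000)      # flow established while DSL is primary
    if clear_on_switch:
        r.on_track_change("down")              # applet swaps statement and flushes the table
    else:
        r.nat_interface = "Cellular0/0/0"      # swap without the clear step (what the applet avoids)
    r.nat_translate("10.10.33.50", 51000)      # same flow continues after the switch
    return r.translations[("10.10.33.50", 51000)][0], len(stale_entries(r))


if __name__ == "__main__":
    print("with clear:", failover_demo(True))
    print("without clear:", failover_demo(False))
```

With the clear step the continuing flow is re-translated to the cellular address and no stale entries remain; without it the flow keeps the Gi0/1 address in the table while the router's NAT statement points at the cellular interface, which is the mismatch the applet's `clear ip nat translation *` line removes.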
09-19-2019 02:08 AM
Hello,
one more thing: since you want the VPN to fail over as well when the primary link goes down, a similar configuration needs to be applied to the other end of the VPN, as the peer addresses won't be accessible anymore. Can you post the running configuration of the other end as well?
09-19-2019 06:11 AM
09-19-2019 06:18 AM
Hello,
I don't know what you have configured now on your local router (if possible, post the full final running config again here), but the FW at the remote end probably has some sort of static peering set with your local router. If the VPN fails over to the cellular, that peering needs to change at both ends...
Are you administering the FW at the remote end as well?
09-19-2019 06:56 AM
Actually, in testing today the first solution does not work. When the primary DSL connection comes up, both connections go down. My guess is the NAT translations don't clear? I shall try the second offered solution to see if that will work, as it will clear the NAT translations.
09-19-2019 07:32 AM
Hello,
post what you have configured. I notice that there is no secondary default route; did you actually configure that?
ip route 0.0.0.0 0.0.0.0 1.2.3.4 1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
09-19-2019 07:48 AM
Yes, I didn't have that. Below is my current running config. I had the local guy restart the router as well with this config, and neither interface would come up remotely until the DSL modem was disconnected. Then the Cellular0/0/0 interface would come up and the VPN was established. An active ping was showing the public IP of the cell coming up for maybe a reply or two, then dropping, then coming back up, in a pattern.
at-lte-agent-33#sh run
Building configuration...
Current configuration : 6305 bytes
!
! Last configuration change at 15:04:15 CDT Wed Sep 18 2019 by travifle
! NVRAM config last updated at 16:30:18 CDT Wed Sep 18 2019 by travifle
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
enable secret 4 supersecret
!
aaa new-model
!
!
aaa group server tacacs+ ATS
server-private 172.17.98.80 timeout 3 key 123456
!
aaa authentication login default group ATS local
aaa authentication login network group ATS local
aaa authorization network default group ATS local
aaa accounting exec default start-stop group ATS
aaa accounting commands 1 default start-stop group ATS
aaa accounting commands 15 default start-stop group ATS
aaa accounting network default start-stop group ATS
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.33.1
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name yourdomain.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
username admin password 7 supersecrret
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key supersecret
authentication remote pre-share key supersecret
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 1 ip sla 1 reachability
!
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip tftp source-interface Vlan1
ip nat inside source route-map CELL interface Cellular0/0/0 overload
ip nat inside source route-map DSL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 4.3.2.1 track 1   <---- this is the DSL default gateway
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip list 1
!
route-map CELL permit 10
match ip address NAT
match interface Cellular0/0/0
!
route-map DSL permit 10
match ip address NAT
match interface GigabitEthernet0/1
!
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
scheduler allocate 20000 1000
ntp server 172.16.1.160 source Vlan1
ntp server 172.16.1.161 source Vlan1
!
end