
Assistance with NAT overload on more than one WAN interface

Travis-Fleming
Level 1

Hello, I'm having trouble getting NAT to work with two WAN interfaces dynamically. We don't have a range of IPs to create a pool from each ISP, so I was just doing a NAT overload on the individual interface. Below is our configuration with any public IPs or crypto map passwords removed. We are running ver 15.5(3)M9 on a 1921 Verizon Cellular Router. We are up and running on the Verizon Cell interface, but we have another WAN interface configured with a static IP from a DSL provider.

Whenever we send traffic down the DSL interface (Gi0/1) it works to ping, but when web traffic is generated it stops working; my guess is NAT. I think the trouble lies with the command "ip nat inside source list NAT interface Cellular0/0/0 overload": it's only doing a NAT overload on the Cellular0/0/0 interface, when I will need it to do an overload on Cellular0/0/0 and Gi0/1. I have the dynamic routing up and running using metrics: the default route with metric 1 goes out the DSL, while the default route with metric 254 goes out the cellular interface.

What can I do for a NAT overload command for dynamic WAN interfaces? I want the primary to go out Gi0/1, and if that connection goes down, fail over and NAT overload down Cellular0/0/0. Also, we have it forming a site-to-site VPN tunnel back to our corporate office. It works great over Cell currently. Any assistance would help greatly!

 

Running Configuration

----------------------

hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name ats-inc.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key XXXX
authentication remote pre-share key XXXX
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC6
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip tftp source-interface Vlan1
ip nat inside source list NAT interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.4 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 209.188.100.0 0.0.0.255
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
dialer-list 1 protocol ip list 1
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
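An added check, not part of the thread or of Cisco's tooling, that reads a constructed excerpt of the NAT-relevant lines from the configuration above and reports every default-route egress interface that has no "ip nat inside source ... overload" statement bound to it (the mismatch the post describes: traffic routed out Gi0/1 while overload is configured only on Cellular0/0/0). It resolves a next-hop IP to an interface by connected-subnet lookup and treats the outgoing interface name as a direct match.

```python
import ipaddress
import re

# Constructed excerpt of the poster's running configuration (WAN address
# already sanitised to 1.2.3.4 in the post); only NAT-relevant lines kept.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
interface Cellular0/0/0
 ip address negotiated
 ip nat outside
ip nat inside source list NAT interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.4 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
"""

def interface_subnets(config):
    """Map each interface stanza to its connected IPv4 subnet (None if negotiated/unnumbered)."""
    subnets, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            subnets[cur] = None
        elif cur and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            subnets[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return subnets

def default_route_egress(config, subnets):
    """Resolve each default route to (distance, egress interface), by name or by next-hop subnet."""
    routes = []
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?", config, re.M):
        hop, dist = m.group(1), int(m.group(2) or 1)
        if hop in subnets:
            egress = [hop]
        else:
            addr = ipaddress.ip_address(hop)
            egress = [name for name, net in subnets.items() if net and addr in net]
        routes.extend((dist, name) for name in egress)
    return sorted(routes)

def nat_gaps(config):
    """Return (distance, interface) for default routes whose egress has no NAT overload bound to it."""
    subnets = interface_subnets(config)
    overloaded = set(re.findall(r"^ip nat inside source \S+ \S+ interface (\S+) overload", config, re.M))
    return [(d, n) for d, n in default_route_egress(config, subnets) if n not in overloaded]
```

On the excerpt above it flags the distance-1 route out GigabitEthernet0/1; after the overload statement is moved to GigabitEthernet0/1, as the EEM applet further down the thread does, it flags the distance-254 cellular path instead, which is why that applet swaps the statement on every track change.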

18 Replies

Hello

@Travis-Fleming wrote:

Actually in testing today the first solution does not work. When the primary DSL connection comes up both connections go down. My guess is the nat translations don't clear?


Try adjusting the TCP/UDP timeouts for NAT, as by default they can be quite high, especially for TCP:
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 20
ip nat translation finrst-timeout 20
ip nat translation syn-timeout 20
ip nat translation dns-timeout 20
ip nat translation icmp-timeout 20


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

This did not help. I also tried the event manager applet as suggested above, and no dice. Currently trying that, I get the same result: the secondary cell will come up for 3-8 ping replies, then go down, then come back up for 3-8 more, then go down. The primary DSL link never comes up.

Any other suggestions? It's like it switches over to the DSL primary, can't ping 8.8.8.8 per the SLA, then swings back to the cell. In swinging back to the cell, the SLA then works to ping 8.8.8.8 from the DSL interface.

Hello,

The last config you posted does not have the EEM script, but it still has the route maps for the NAT in there. Try the EXACT configuration I have posted below. I have also added two actions to the scripts to clear the crypto sessions:

hostname at-lte-agent-33
!
boot-start-marker
boot system usbflash0 c1900-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging queue-limit 10000
logging buffered informational
logging persistent size 22056960
logging rate-limit 10000
logging monitor informational
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip dhcp excluded-address 10.10.33.1
!
ip dhcp pool LTE_Agent33
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 172.17.60.11 172.17.60.10
domain-name ats-inc.com
dns-server 172.17.98.78 172.18.98.78
lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 172.16.1.161
ip name-server 172.16.1.160
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
cts logging verbose
!
license udi pid CISCO1921/K9 sn FTX1851807A
license boot module c1900 technology-package datak9 disable
!
track 1 ip sla 1
!
object-group network remote_networks
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
!
redundancy
notification-timer 120000
!
crypto ikev2 proposal AES-256_SHA
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy ikev2_policy
proposal AES-256_SHA
!
crypto ikev2 profile ikev2_profile1
match identity remote any
authentication local pre-share key XXXX
authentication remote pre-share key XXXX
!
no crypto ikev2 http-url cert
!
controller Cellular 0/0
lte sim data-profile 5 attach-profile 5
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 21
!
crypto ipsec transform-set xform1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map ATS-Tunnel 1 ipsec-isakmp
set peer X.X.X.X
set transform-set xform1
set ikev2-profile ikev2_profile1
match address 101
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map ATS-Tunnel
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Cellular0/0/0
description VZ-STATIC6
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
crypto map ATS-Tunnel
!
interface Vlan1
ip address 10.10.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip tftp source-interface Vlan1
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.4 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 254
ip tacacs source-interface Vlan1
ip ssh version 2
!
ip access-list standard Management
permit 209.188.100.0 0.0.0.255
permit 172.16.0.0 0.15.255.255
permit 10.10.33.0 0.0.0.255
!
ip access-list extended NAT
deny ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.33.0 0.0.0.255 any
permit ip 192.168.33.0 0.0.0.255 any
!
dialer-list 1 protocol ip list 1
!
access-list 1 permit any
access-list 20 permit 172.16.1.166
access-list 101 permit ip 10.10.33.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.33.0 0.0.0.255 192.168.0.0 0.0.255.255
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
!
ip sla schedule 1 life forever start-time now
!
dialer-list 1 protocol ip list 1
!
event manager applet PRIMARY_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source list NAT interface GigabitEthernet0/1 overload"
action 4.0 cli command "ip nat inside source list NAT interface Cellular0/0/0 overload"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
action 7.0 cli command "clear crypto sa"
action 8.0 cli command "clear crypto isakmp"
!
event manager applet PRIMARY_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source list NAT interface Cellular0/0/0 overload"
action 4.0 cli command "ip nat inside source list NAT interface GigabitEthernet0/1 overload"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
action 7.0 cli command "clear crypto sa"
action 8.0 cli command "clear crypto isakmp"

This would have worked great too thank you!