Let me know any update.

Thank you.

Hello Bhadresh,

I have had a look at your configuration. I do not see any obvious problems with it.

Let me make sure I understand your problem correctly: when your outside IP addresses are being pinged, they do not respond reliably - sometimes they do, sometimes they don't. Is my understanding correct?

Is it possible that your provider is blocking/dropping the pings from outside?

Would it be possible to obtain the debug outputs I have suggested? I believe we should investigate whether the pings reach your router at all.

Best regards,

Peter

We get two ip address by PPPoE and both are working fine.

We can see traffic on both interfaces. And they are working.

But out of two only one we can ping from outside. And the one we can ping from outside we can ssh or dial in by VPN.

But from internal machine we can ping both ip address.

Thank you.

Bhadresh,

One of my concerns is the dual default-route configured on your router. It may be theoretically possible that while you contact one of the IP addresses, the replies are sent through the second Dialer out, possibly creating issues with asymmetrical routing or stateful firewalls.

Please tell me: if you shutdown any of the Dialer interfaces, is the second Dialer interface that remains up, and its IP address, pingable and reachable correctly?

Are your addresses assigned temporarily, i.e. do they change over time, or do you have always the same IP addresses assigned by your ISP?

Best regards,

Peter

The Address is static but they fetch by PPPoE ( they are static over PPPoE ), they never change.

If we shutdown one interface the other working fine.

Thank you.

Hello Bhadresh,

If your IP addresses really do not change then I suggest the following change to your configuration:

Assume that the IP address assigned to the Dialer0 interface is X.X.X.X, the IP address on Dialer1 is Y.Y.Y.Y. Try to add the following lines to your configuration as follows while leaving the existing ACL 120 and 121 entries in configuration (i.e. just add these two lines, do not remove anything):

access-list 120 permit ip host X.X.X.X any
access-list 121 permit ip host Y.Y.Y.Y any

This will make all packets sourced from the IP address X.X.X.X go out through the interface Dialer0 only, and similarly, packets sourced from Y.Y.Y.Y will be sent out the interface Dialer1 only. This assumes that your route-map LOCAL-POLICY-icmp-outbound is still in place and used as an ip local-policy.

Please back up your current configuration and be prepared to revert back to it should anything go wrong. Then please test the connectivity to the both IP addresses from outside.

Best regards,

Peter

Hi Peter,

Thank you for help, I apply only on one interface and it is working.

I think the solution and the concept behind it is perfect.

Hi Bhadresh,

You are welcome. I do not fully understand what you mean by "I apply only on one interface". For this solution to work correctly, both ACL entries should be added as I indicated in my previous post.

Best regards,

Peter

I apply only one access-list on the gi0/1 which is access-list 121 and now both ip I can ping from outside

Thank you

I apply now ACL to both interface it is working fine.

now i can apply both interface from outside and also i can use vpn client to get in.

Thank you for your help.