Cisco 1100 ISP Failover

InSysProllc
Level 1

Dear Forum,

I'm reaching out for an issue I'm having with a Cisco 1100 running IOS 9.17.09.05. The router is connected to 2 WAN ports with a simple failover config. The primary WAN is on G0/0/0 and the backup is on G0/0/1. When ISP1 (ATT) drops, the default route is changing to ISP 2 (Comcast), but it will not route past the gateway. NAT tables don't show any entries when it cuts over.

Troubleshooting steps I've tried:

1. Verified static IP information and route on the ISP 2. 

2. Tried forcing a network out directly to ISP 2 with policy mapping on a single VLAN.

3. Tried adding track 10 and track 10 with SLAs on both interfaces.

4. Tried standard ACLs to see if there is anything blocking the outbound.

I have a single site-to-site VPN that's not applied right now, but it's only on the primary interface. For the config I have:

boot system bootflash:c1100-universalk9.17.09.05a.SPA.bin
ip name-server 1.1.1.1 8.8.8.8 10.17.1.200
!
track 10 ip sla 10 reachability
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX
crypto isakmp keepalive 60 30
!
crypto ipsec transform-set SRAWH esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile XXX
 set transform-set XXX
!
crypto map XXX 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set XXX
 match address XXXX
!
interface Tunnel0
 ip address 10.19.1.250 255.255.255.240
 tunnel source X.X.X.X
 tunnel destination X.X.X.X
 tunnel protection ipsec profile XXXX
!
interface GigabitEthernet0/0/0
 description ATT
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description COMCAST
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 description Link to LAN
 switchport mode trunk
!
interface GigabitEthernet0/1/1
 description Link to PBX
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet0/1/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1/3
 description Monitoring System
 switchport mode access
!
interface Vlan1
 ip address 10.1.1.250 255.255.255.0
 ip nat inside
!
interface Vlan10
 ip address 10.17.1.206 255.255.255.240
 ip nat inside
!
interface Vlan11
 description MGMT
 ip address 10.17.1.14 255.255.255.240
 ip helper-address 10.17.1.200
 ip nat inside
!
interface Vlan12
 description REGULATORY
 ip address 10.17.1.30 255.255.255.240
 ip helper-address 10.17.1.200
 ip nat inside
!
interface Vlan14
 description BUSDEV
 ip address 10.17.1.46 255.255.255.240
 ip nat inside
!
interface Vlan15
 description ACCOUNTING
 ip address 10.17.1.62 255.255.255.240
 ip helper-address 10.17.1.200
 ip nat inside
!
interface Vlan20
 description CLINOPS
 ip address 10.17.2.250 255.255.255.0
 ip helper-address 10.17.1.200
 ip nat inside
!
interface Vlan30
 description VOICE
 ip address 10.17.3.250 255.255.255.0
 ip nat inside
!
interface Vlan40
 description CAMERAS
 ip address 10.17.4.250 255.255.255.0
 ip nat inside
!
interface Vlan50
 description GUEST
 ip address 10.17.5.250 255.255.255.0
 ip nat inside
!
interface Vlan60
 description ACCESSCNTRL
 ip address 10.17.6.250 255.255.255.0
 ip nat inside
!
interface Vlan70
 description DATALOGGER
 ip address 10.17.7.250 255.255.255.0
 ip nat inside
!
ip local policy route-map IPSLA10
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip nat settings interface-overload block port tcp 5150
ip nat settings interface-overload block port tcp 5160
ip nat inside source static tcp 10.17.4.200 5150 X.X.X.X 5150 extendable
ip nat inside source static tcp 10.17.4.200 5160 X.X.X.X 5160 extendable
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 102 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 X.X.X.X track 10 (ATT)
ip route 0.0.0.0 0.0.0.0 X.X.X.X 2 (Comcast)
ip route 10.12.1.0 255.255.255.0 Tunnel0
ip route 10.12.2.0 255.255.255.0 Tunnel0
ip route 10.12.3.0 255.255.255.0 Tunnel0
!
ip access-list extended IPSLA10
 10 permit icmp X.X.X.X (ATT) 0.0.0.7 8.8.8.8 0.0.0.3
ip access-list extended SRAWHVPN
 10 permit ip 10.17.1.0 0.0.0.255 10.12.1.0 0.0.0.255
 20 permit ip 10.17.2.0 0.0.0.255 10.12.2.0 0.0.0.255
 30 permit ip 10.17.3.0 0.0.0.255 10.12.3.0 0.0.0.255
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
  timeout 6000
  frequency 10
ip sla schedule 10 life forever start-time now
ip access-list extended 101
 10 deny ip 10.1.1.0 0.0.0.255 10.12.1.0 0.0.0.255
 20 deny ip 10.17.1.0 0.0.0.255 10.12.1.0 0.0.0.255
 30 deny ip 10.17.2.0 0.0.0.255 10.12.2.0 0.0.0.255
 40 deny ip 10.17.3.0 0.0.0.255 10.12.3.0 0.0.0.255
 50 deny ip 10.17.4.0 0.0.0.255 10.12.4.0 0.0.0.255
 60 deny ip 10.17.5.0 0.0.0.255 10.12.5.0 0.0.0.255
 70 deny ip 10.17.6.0 0.0.0.255 10.12.2.0 0.0.0.255
 80 deny ip 10.17.7.0 0.0.0.255 10.12.2.0 0.0.0.255
 90 permit ip 10.1.1.0 0.0.0.255 any
 100 permit ip 10.17.1.0 0.0.0.255 any
 110 permit ip 10.17.2.0 0.0.0.255 any
 120 permit ip 10.17.3.0 0.0.0.255 any
 130 permit ip 10.17.4.0 0.0.0.255 any
 140 permit ip 10.17.5.0 0.0.0.255 any
 150 permit ip 10.17.6.0 0.0.0.255 any
 160 permit ip 10.17.7.0 0.0.0.255 any
ip access-list extended 102
 1 deny ip 10.1.1.0 0.0.0.255 10.12.1.0 0.0.0.255
 2 deny ip 10.17.1.0 0.0.0.255 10.12.1.0 0.0.0.255
 3 deny ip 10.17.2.0 0.0.0.255 10.12.2.0 0.0.0.255
 4 deny ip 10.17.3.0 0.0.0.255 10.12.3.0 0.0.0.255
 5 deny ip 10.17.4.0 0.0.0.255 10.12.4.0 0.0.0.255
 10 deny ip 10.17.5.0 0.0.0.255 10.12.5.0 0.0.0.255
 20 deny ip 10.17.6.0 0.0.0.255 10.12.6.0 0.0.0.255
 30 deny ip 10.17.7.0 0.0.0.255 10.12.7.0 0.0.0.255
 40 permit ip 10.1.1.0 0.0.0.255 any
 50 permit ip 10.17.1.0 0.0.0.255 any
 60 permit ip 10.17.2.0 0.0.0.255 any
 70 permit ip 10.17.3.0 0.0.0.255 any
 80 permit ip 10.17.4.0 0.0.0.255 any
 90 permit ip 10.17.5.0 0.0.0.255 any
 100 permit ip 10.17.6.0 0.0.0.255 any
 110 permit ip 10.17.7.0 0.0.0.255 any
!
route-map IPSLA10 permit 10
 match ip address IPSLA10
 set ip next-hop X.X.X.X (ATT GW)

sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is X.X.X.X (ATT) to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via X.X.X.X (ATT)
      10.0.0.0/8 is variably subnetted, 24 subnets, 3 masks
C        10.1.1.0/24 is directly connected, Vlan1
L        10.1.1.250/32 is directly connected, Vlan1
C        10.17.1.0/28 is directly connected, Vlan11
L        10.17.1.14/32 is directly connected, Vlan11
C        10.17.1.16/28 is directly connected, Vlan12
L        10.17.1.30/32 is directly connected, Vlan12
C        10.17.1.32/28 is directly connected, Vlan14
L        10.17.1.46/32 is directly connected, Vlan14
C        10.17.1.48/28 is directly connected, Vlan15
L        10.17.1.62/32 is directly connected, Vlan15
C        10.17.1.192/28 is directly connected, Vlan10
L        10.17.1.206/32 is directly connected, Vlan10
C        10.17.2.0/24 is directly connected, Vlan20
L        10.17.2.250/32 is directly connected, Vlan20
C        10.17.3.0/24 is directly connected, Vlan30
L        10.17.3.250/32 is directly connected, Vlan30
C        10.17.4.0/24 is directly connected, Vlan40
L        10.17.4.250/32 is directly connected, Vlan40
C        10.17.5.0/24 is directly connected, Vlan50
L        10.17.5.250/32 is directly connected, Vlan50
C        10.17.6.0/24 is directly connected, Vlan60
L        10.17.6.250/32 is directly connected, Vlan60
C        10.17.7.0/24 is directly connected, Vlan70
L        10.17.7.250/32 is directly connected, Vlan70
      50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        X.X.X.X (Comcast)/29 is directly connected, GigabitEthernet0/0/1
L        X.X.X.X (Comcast)/32 is directly connected, GigabitEthernet0/0/1
      107.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        X.X.X.X (ATT)/29 is directly connected, GigabitEthernet0/0/0
L        X.X.X.X (ATT)/32 is directly connected, GigabitEthernet0/0/0

Any suggestions would be greatly appreciated. I've been battling with this for a week now. I've even tried the solution in another thread:

https://community.cisco.com/t5/routing/cisco-1100-router-dual-wan-configuration/td-p/4754796

But it doesn't seem to properly fail over. 

Thank you everyone for any suggestions.

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @InSysProllc ,

When dealing with NAT over multiple WAN L3 uplinks, the NAT configuration needs to use route-maps in the NAT statements, like:

 

route-map ISP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1

 

Please notice that the match interface in this case matches the outgoing interface, and this is the key to making NAT work.

In this way, when you are using the first WAN interface, only the first route-map matches. If using the second WAN, the second route-map matches, making NAT work without ambiguity.

ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload

I have taken this example from the thread you have linked.

You should change your NAT config to use something like the above example.

Hope to help

Giuseppe

 

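As an added example (not the poster's configuration and not Cisco tooling), the Python script below checks an IOS-style running-config for the exact condition Giuseppe describes: two "ip nat outside" interfaces whose overload NAT rules select traffic by ACL alone, so a translation cannot be tied to the WAN the packet actually leaves on. It splits the config into top-level lines and their indented sub-lines, requires every "ip nat inside source ... overload" rule on a dual-WAN box to reference a route-map whose "match interface" names that rule's own interface, and reports rules it cannot parse (such as the "source list route-map" form). Because the original post also shows an IKEv1 policy with 3DES, MD5 and DH group 2, which Cisco's own guidance now deprecates, a second check flags those. The two embedded configs are constructed to mirror the before and after states of this thread; the ISP addresses are omitted since they were redacted in the post.

```python
"""Lint a Cisco IOS running-config for the dual-WAN NAT pattern in this thread.
Added example, not the poster's or Cisco's tooling; the sample configs below are
constructed to mirror the post (interface names from it, ISP details omitted)."""
import re

NAT_RULE = re.compile(
    r"ip nat inside source (list|route-map) (\S+) interface (\S+) overload$")
# IKEv1 phase-1 settings seen in the post that current Cisco guidance deprecates.
WEAK_IKE = {"encryption 3des": "3DES", "hash md5": "MD5", "group 2": "DH group 2"}

# Constructed: the original layout, each overload rule selecting by ACL only.
BEFORE = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 group 2
!
interface GigabitEthernet0/0/0
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip nat outside
!
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 102 interface GigabitEthernet0/0/1 overload
"""

# Constructed: the accepted solution, one route-map per WAN matching the outgoing interface.
AFTER = """\
interface GigabitEthernet0/0/0
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip nat outside
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
route-map ISP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
"""


def parse_sections(config: str) -> dict[str, list[str]]:
    """Map each top-level config line to its indented sub-lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                  # '!' or a blank line ends a block
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.rstrip()
            sections.setdefault(current, [])
    return sections


def lint_nat(config: str) -> list[str]:
    """Flag overload NAT rules that cannot tell two NAT-outside WANs apart."""
    sections = parse_sections(config)
    outside = [k.split()[1] for k, body in sections.items()
               if k.startswith("interface ") and "ip nat outside" in body]
    if len(outside) < 2:
        return []                           # single WAN: ACL-based NAT is fine
    route_maps: dict[str, list[str]] = {}   # name -> match lines of all sequences
    for k, body in sections.items():
        if k.startswith("route-map "):
            route_maps.setdefault(k.split()[1], []).extend(body)
    findings = []
    for rule in [k for k in sections if k.startswith("ip nat inside source ")
                 and k.endswith(" overload")]:
        m = NAT_RULE.match(rule)
        if not m:                           # e.g. 'source list route-map ...'
            findings.append(f"unparsed NAT rule: {rule!r}")
            continue
        kind, selector, wan = m.groups()
        if kind == "list":
            findings.append(f"{wan}: selects by ACL {selector} only; use a "
                            f"route-map with 'match interface {wan}'")
            continue
        ifaces = [l.split()[2] for l in route_maps.get(selector, [])
                  if l.startswith("match interface ")]
        if wan not in ifaces:
            findings.append(f"{wan}: route-map {selector} does not match "
                            f"interface {wan} (matches {ifaces})")
    return findings


def lint_ike(config: str) -> list[str]:
    """Flag deprecated IKEv1 phase-1 algorithms in 'crypto isakmp policy'."""
    return [f"{k}: {WEAK_IKE[line]} is deprecated"
            for k, body in parse_sections(config).items()
            if k.startswith("crypto isakmp policy") for line in body if line in WEAK_IKE]


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_nat(cfg) + lint_ike(cfg) or ["clean"])
```

Run as a script it reports two NAT findings and three IKE findings for the "before" config and nothing for the "after" one; to check a real device, read the output of "show running-config" into a string and pass it to the same two functions. The route-map check is deliberately per-rule: each overload statement must be bound to its own outgoing interface, which is the ambiguity Giuseppe's answer removes.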

3 Replies

Hello Giuseppe,

Thank you very much for the suggestion. I have some downtime on the site tomorrow, so I can test and provide feedback.

Thanks!!

InSysProllc
Level 1

That solution worked! Thank you for the suggestion!

I've posted the updated brief config for anyone who may encounter the same issue:

track 10 ip sla 10 reachability
!
ip local policy route-map IPSLA10
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
!
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X track 10 (ISP_1)
ip route 0.0.0.0 0.0.0.0 X.X.X.X 2 (ISP_2)
!
ip access-list extended IPSLA10
 10 permit icmp X.X.X.X (ISP_1) 0.0.0.7 8.8.8.8 0.0.0.3
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
  timeout 6000
  frequency 10
ip sla schedule 10 life forever start-time now
!
ip access-list extended 101 (Example)
!
route-map ISP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
!
route-map IPSLA10 permit 10
 match ip address IPSLA10
 set ip next-hop X.X.X.X (Primary GW)

 

The only other note was adding an ACL to send the ICMP through the primary gateway only, to prevent mismatches on the ISP side.

 

Thank you Giuseppe for the assistance!