cisco 1800 failover and route

domoticity
Level 1

Hello

I have a Cisco 1811 with dual WAN.
I would like to configure it for failover.
I have a fiber connection on fe0 and a mobile connection (via a 4G router) on fe1.
The router can ping 8.8.8.8 and my fiber box. But when I put a computer with a static IP on one of the ports, I can ping the VLAN port and port fe0 (192.168.1.254), but I cannot ping the fiber box (192.168.1.1) outside.
I cannot find my error, help :)

 

Here is my configuration:

 

routeur-cisco1811#sh conf
Using 3032 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description 
 ip address 192.168.2.254 255.255.255.0
 ip access-group 13 out
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 13 permit 0.0.0.0
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
Accepted Solutions

Hello,

you are NATting to a private address (192.168.1.254). There must be another device that translates this to an actual public IP address, is that your firewall ? What firewall, and what is the configuration ?


Only the ASA and IOS-XE (3E and above) support ACLs with FQDNs.

I suppose you could create an EEM script that would fairly regularly ping your noip.com FQDN, scrape the output and update that particular route. If you want to try that I suggest starting a new post on the EEM script board:

https://supportforums.cisco.com/t5/eem-scripting/bd-p/5941-discussions-eem-scripting

 

:)


Thank you very much :)


50 Replies

Seb Rupik
VIP Alumni

Hi there,

Unless you have configured static routes on the 'fiber box' and 4G router neither will know how to reach your internal VLANs.

You have a partial NAT configuration so I'll assume that is what you want to use. You also have a default route configured with no object tracking implemented, so I'll include that too.

Please edit the access-list 100 and ip nat inside statements, depending on which VLANs you want to have outside access.

!
! extended ACL entries need a destination; 10.1.1.0 is the Vlan7 network
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
int vlan 2
  ip nat inside
int vlan 3
  ip nat inside
int vlan 4
  ip nat inside
int vlan 5
  ip nat inside
int vlan 6
  ip nat inside
int vlan 7
  ip nat inside
!
!
ip nat inside source list 100 interface fa0 overload
ip nat inside source list 100 interface fa1 overload
!
track 8 ip sla 1 reachability
!

cheers,

Seb.

Hi,

Thank you for your response.

I will try tonight.

I am beginning with Cisco and I see I make a lot of errors lol

Hello,

as an alternative, you could also use route maps in combination with the failover. I would also include a simple EEM script to clear the NAT translations in case the main link fails, and equally when it comes back up. For simplicity I have put together the entire config below:

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip nat inside
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip nat inside
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip nat inside
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip nat inside
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
! interface names match the FastEthernet0 / FastEthernet1 definitions above
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
! extended ACL entries need a destination; 10.1.1.0 is the Vlan7 network
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
! the applets watch track object 8 (defined above); ip sla 1 is only its probe
event manager applet CLEAR_NAT
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
event manager applet CLEAR_NAT
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Thank you very much.

I will try it tonight

Hi again.

 

So this is my new configuration:

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
 switchport access vlan 8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description domoticity
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
 ip access-group 105 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
 ip access-group 106 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan8
 description Orange travail
 ip address 192.168.8.254 255.255.255.0
 ip access-group 108 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
!
!
!
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
event manager applet CLEAR_NAT
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
!
end

1- I have seen yours and I have tried to adapt it, but for this:

event manager applet CLEAR_NAT
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"

event manager applet CLEAR_NAT
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"

I can't put both together. Only one is taken into account.

 

2- I can't get out of the router. I can ping the two WAN ports but not the fiber box or my 4G box.

3- I have adapted the access lists because I would like to regulate the connections between VLANs, for example:

    Vlan2 can enter into all vlan 

    Vlan3 can enter only into vlan 4,5

    Vlan 4 into vlan 2,3,5,8

    Vlan5 into vlan 3,4

    Vlan6 into all vlan except the 8

    Vlan7 into all vlan 

    Vlan8 only the vlan 4.

 

I have put my laptop 1 in VLAN 2 to ping another laptop in VLAN 3 and a camera in VLAN 5.

Laptop 1 has the IP address 192.168.2.10/24, gateway 192.168.2.254, DNS 8.8.8.8

Laptop 2 has the IP address 192.168.3.10/24, gateway 192.168.3.254, DNS 8.8.8.8

The IP camera has the IP address 192.168.5.10/24, gateway 192.168.5.254, DNS 8.8.8.8

 

Laptop 1 can ping laptop 2 (it's OK) but can't ping the IP address 192.168.1.254, which is the IP address of the VLAN.

Laptop 1 can't ping the IP camera, although it should be able to.

 

Laptop 2 can't ping laptop 1 (it's OK) but can't ping the IP camera either, although it should be able to.

 

 

Can you help me again please?

I thank you again and a lot.

Hi,

What is the IP configured on the laptop?




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Hello,

It depends on the port used.

But if I am on FastEthernet 2, I use VLAN 2, which has the IP address 192.168.2.254 255.255.255.0.

So my laptop will have 192.168.2.100 with netmask 255.255.255.0 and gateway 192.168.2.254. For the DNS I put 8.8.8.8, and 8.8.4.4 for the secondary.

Thank you for your help.

Hello,

change the name of the applet, that is probably what the router is complaining about.

In your new configuration, the access lists are mixed up. Get your Internet up first by entering the exact same config as below. Once that is working, we can look at restricting access to the VLANs:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip nat inside
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip nat inside
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip nat inside
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip nat inside
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
! interface names match the FastEthernet0 / FastEthernet1 definitions above
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
! extended ACL entries need a destination; 10.1.1.0 is the Vlan7 network
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
! the applets watch track object 8 (defined above); ip sla 1 is only its probe
event manager applet CLEAR_NAT_DOWN
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
event manager applet CLEAR_NAT_UP
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Hi again,

This is the last last configuration lol.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
 switchport access vlan 8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description domoticity
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
 ip access-group 105 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
 ip access-group 106 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan8
 description Orange travail
 ip address 192.168.8.254 255.255.255.0
 ip access-group 108 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
!
!
!
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
event manager applet CLEAR_NAT_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
!
end

 

I have written your configuration and adapted the password etc. in the same order, but the configuration comes out like this. And still no internet.

Thank you for your help again

Hello,

you are missing access list 100. Add the below to your configuration:

! extended ACL entries need a destination; 10.1.1.0 is the Vlan7 network
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
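
The error pointed out in this reply (route-maps matching an access list that was never defined) is a dangling reference, and references of that kind can be checked offline before a configuration is pasted into the router. The script below is an added example, not code from any poster or from Cisco; the function names, finding labels and the abridged sample configuration are constructed for illustration, and it assumes running-config style text with unabbreviated keywords.

```python
import re
from collections import Counter

# Constructed, abridged sample modelled on the configurations posted in this
# thread; it is not a copy of any one post.
SAMPLE_CONFIG = """\
track 8 ip sla 1 reachability
!
interface FastEthernet0
 ip nat outside
!
interface FastEthernet1
 ip nat outside
!
interface Vlan2
 ip access-group 102 in
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
ip nat inside source route-map MAIN_ISP interface FastEthernet0/0 overload
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
!
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0/0
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
event manager applet CLEAR_NAT
 event track 1 state down
 action 1.0 cli command "enable"
event manager applet CLEAR_NAT
 event track 1 state up
 action 1.0 cli command "enable"
"""

# Statements that define a named object: (object kind, regex on the stripped line)
DEFINITIONS = [
    ("acl", r"access-list (\S+) "),
    ("acl", r"ip access-list (?:standard|extended) (\S+)"),
    ("track", r"track (\S+) "),
    ("interface", r"interface (\S+)"),
    ("route-map", r"route-map (\S+) (?:permit|deny)"),
]

# Statements that refer to an object defined elsewhere in the configuration
REFERENCES = [
    ("acl", r"ip access-group (\S+) (?:in|out)"),
    ("acl", r"match ip address (?!prefix-list)(\S+)"),
    ("acl", r"ip nat inside source list (\S+)"),
    ("route-map", r"ip nat inside source route-map (\S+)"),
    ("interface", r"ip nat inside source .* interface (\S+)"),
    ("interface", r"match interface (\S+)"),
    ("track", r"event track (\S+) state"),
    ("track", r"ip route .* track (\S+)"),
]


def lint_ios_config(text):
    """Return a sorted list of (finding, name) tuples for dangling references
    and for EEM applet names that are declared more than once."""
    defined = {}
    referenced = set()
    applets = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in DEFINITIONS:
            m = re.match(pattern, line)
            if m:
                defined.setdefault(kind, set()).add(m.group(1))
        # One line can hold several references (the NAT statement names both
        # a route-map and an interface), so every pattern is tried.
        for kind, pattern in REFERENCES:
            m = re.match(pattern, line)
            if m:
                referenced.add((kind, m.group(1)))
        m = re.match(r"event manager applet (\S+)", line)
        if m:
            applets[m.group(1)] += 1
    findings = {("undefined-" + kind, name)
                for kind, name in referenced
                if name not in defined.get(kind, set())}
    # Re-entering an applet under the same name replaces the earlier one.
    findings |= {("duplicate-applet", n) for n, c in applets.items() if c > 1}
    return sorted(findings)


def fixed_sample():
    """The sample with each finding corrected, for comparison."""
    text = SAMPLE_CONFIG.replace("FastEthernet0/0", "FastEthernet0")
    text = text.replace("event track 1 ", "event track 8 ")
    # Rename the first applet so the second no longer overwrites it.
    text = text.replace("applet CLEAR_NAT", "applet CLEAR_NAT_DOWN", 1)
    return text + "access-list 100 permit ip 192.168.2.0 0.0.0.255 any\n"


if __name__ == "__main__":
    for finding, name in lint_ios_config(SAMPLE_CONFIG):
        print(f"{finding}: {name}")
```

An `undefined-acl` finding on an `ip access-group` line deserves particular attention: IOS treats an access list that is applied to an interface but not defined as if no list were applied, so all packets are accepted.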

Hello.

I have added the access-list 100 :

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
 switchport access vlan 8
!
interface FastEthernet9
 switchport access vlan 9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description domoticity
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
 ip access-group 105 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
 ip access-group 106 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
 ip access-group 107 in
 ip nat inside
*Sep 24 07:09:17.883: %TRACKING-5-STATE: 8 ip sla 1 reachabilit
 ip virtual-reassembly
!
interface Vlan8
 description Orange travail
 ip address 192.168.8.254 255.255.255.0
 ip access-group 108 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 description Serveurs multimedia
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.9.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.9.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
access-list 109 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 permit ip 192.168.3.0 0.0.0.255 any
access-list 109 permit ip 192.168.4.0 0.0.0.255 any
access-list 109 permit ip 192.168.6.0 0.0.0.255 any
access-list 109 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
event manager applet CLEAR_NAT_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
!
end

And I have tested adding ip access-group 100 in and out on FastEthernet 0.

I tested without access-group in Fa0.

No internet.

Thank you again for your help.

As stated before, remove the access lists from your VLAN interfaces, so you get the Internet part right first.

What DNS servers are your clients configured with?

Try and add:

ip name-server 8.8.8.8

ip name-server 8.8.4.4

Hi again again :)

So I have deleted all access lists about the VLANs.

I have added name-server.

This is my conf:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXX
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domoticity.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username domoticity privilege 15 secret 5 XXXXXXXXXX
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
 switchport access vlan 8
!
interface FastEthernet9
 switchport access vlan 9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description domoticity
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan8
 description Orange travail
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 description Serveurs multimedia
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
event manager applet CLEAR_NAT_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
!
end

So now, when I plug in only WAN 1 (fiber box):

I can ping the fiber box (192.168.1.1) but cannot get through to the internet.

When I do a sh ip route:

routeur-cisco1811#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0
C    192.168.3.0/24 is directly connected, Vlan3

But the failover works, because when I plug in WAN 1 and WAN 2 it switches over to WAN 2 with the ip route and I have internet.

So I have done a sh ip int brief:

routeur-cisco1811#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES NVRAM  down                  down
FastEthernet0              192.168.1.254   YES NVRAM  up                    up
FastEthernet1              10.0.0.254      YES NVRAM  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
NVI0                       192.168.1.254   YES unset  up                    up
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan2                      192.168.2.254   YES NVRAM  up                    down
Vlan3                      192.168.3.254   YES NVRAM  up                    up
Vlan4                      192.168.4.254   YES NVRAM  up                    down
Vlan5                      192.168.5.254   YES NVRAM  up                    down
Vlan6                      192.168.6.254   YES NVRAM  up                    down
Vlan7                      10.1.1.254      YES NVRAM  up                    down
Vlan8                      192.168.8.254   YES NVRAM  up                    down
Vlan9                      192.168.9.254   YES NVRAM  up                    down

And I see that WAN 1 (FastEthernet0) is up.

In my fiber box, the Cisco's IP address is in the DMZ and has a reserved static IP.

The firewall is low.

I'm approaching the solution lol.

Thank you again again for your help, very very useful.

Hello,

You are NATting to a private address (192.168.1.254). There must be another device that translates this to an actual public IP address; is that your firewall? What firewall, and what is the configuration?
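A consistency check for configurations like the ones posted in this thread, as an added example that is not part of any post: it flags VLAN interfaces whose inbound ACL never permits the interface's own subnet (so local hosts fall to the implicit deny) and track objects that are referenced but never defined. The sample input is a constructed excerpt of lines from the posted configuration; the function names `parse` and `audit` are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the configuration posted in the thread.
SAMPLE_CONFIG = """\
track 8 ip sla 1 reachability
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.9.0 0.0.0.255 any
event manager applet CLEAR_NAT_DOWN
 event track 1 state down
"""

def parse(config):
    """Collect SVI subnets, inbound ACL bindings, ACL permit sources and track ids."""
    subnets, inbound, permits, defined, referenced = {}, {}, {}, set(), set()
    iface = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            subnets[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip access-group (\d+) in$", s):
            inbound[iface] = m[1]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any$", s):
            # Assumption: contiguous wildcard masks only (parsed as a hostmask).
            permits.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"track (\d+) ", s):
            defined.add(m[1])
        elif m := re.search(r"\btrack (\d+)\b", s):
            referenced.add(m[1])
    return subnets, inbound, permits, defined, referenced

def audit(config):
    """Return (SVIs whose inbound ACL never permits their own subnet, undefined track ids)."""
    subnets, inbound, permits, defined, referenced = parse(config)
    blocked = []
    for iface, acl in inbound.items():
        local = subnets.get(iface)
        # An inbound ACL on an SVI filters packets sourced from that VLAN's hosts;
        # a source not explicitly permitted falls to the implicit deny.
        if local and not any(local.subnet_of(src) for src in permits.get(acl, [])):
            blocked.append((iface, acl, str(local)))
    return blocked, sorted(referenced - defined)
```

Run `audit()` on the full output of `show running-config` saved to a file; an empty result for both lists means every inbound ACL admits its own VLAN and every tracked reference resolves.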
