09-21-2017 11:19 PM - edited 03-05-2019 09:10 AM
Hello
I have a Cisco 1811 with dual WAN.
I would like to configure the latter for failover.
I have a fiber connection on fe0 and a mobile connection (via a 4G router) on fe1.
The router manages to ping 8.8.8.8 and my fiber box. But when I put a computer with a static IP on one of the ports, I can ping the port of the VLAN, port fe0 (192.168.1.254), but I cannot ping the fiber box (192.168.1.1) outside.
I cannot find my error, help :)
Here is my configuration:
routeur-cisco1811#sh conf
Using 3032 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description
ip address 192.168.2.254 255.255.255.0
ip access-group 13 out
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
!
interface Async1
no ip address
encapsulation slip
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 13 permit 0.0.0.0
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end
09-22-2017 12:29 AM
Hi there,
Unless you have configured static routes on the 'fiber box' and 4G router neither will know how to reach your internal VLANs.
You have a partial NAT configuration so I'll assume that is what you want to use. You also have a default route configured with no object tracking implemented, so I'll include that too.
Please edit the access-list 100 and ip nat inside statements, depending on which VLANs you want to have outside access.
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
int vlan 2
ip nat inside
int vlan 3
ip nat inside
int vlan 4
ip nat inside
int vlan 5
ip nat inside
int vlan 6
ip nat inside
int vlan 7
ip nat inside
!
ip nat inside source list 100 interface fa0 overload
ip nat inside source list 100 interface fa1 overload
!
track 8 ip sla 1 reachability
!
cheers,
Seb.
09-22-2017 09:07 AM - edited 09-22-2017 09:11 AM
Hello,
as an alternative, you could also use route maps in combination with the failover. I would also include a simple EEM script to clear the NAT translations in case the main link fails, and equally when it comes back up. For simplicity I have put together the entire config below:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip nat inside
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip nat inside
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip nat inside
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip nat inside
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
! interface names as they exist on this 1811: FastEthernet0 and FastEthernet1
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
! the applets watch track object 8, the one the primary default route uses
event manager applet CLEAR_NAT
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
event manager applet CLEAR_NAT
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end
09-24-2017 12:41 PM
Hello,
you are NATting to a private address (192.168.1.254). There must be another device that translates this to an actual public IP address, is that your firewall ? What firewall, and what is the configuration ?
10-04-2017 12:27 AM
Only the ASA and IOS-XE (3E and above) support ACLs with FQDNs.
I suppose you could create an EEM script that would fairly regularly ping your noip.com FQDN, scrape the output and update that particular route. If you want to try that I suggest starting a new post on the EEM script board:
https://supportforums.cisco.com/t5/eem-scripting/bd-p/5941-discussions-eem-scripting
:)
10-04-2017 02:00 AM
Thank you very much :)
09-22-2017 08:29 AM
Hi,
Thank you for your response.
I will try tonight.
I am beginning with Cisco and I see I make a lot of errors lol
09-22-2017 04:07 PM
Thank you very much.
I will try it tonight
09-23-2017 02:25 PM
Hi again.
So this is my new configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
switchport access vlan 8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description domoticity
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip access-group 107 in
ip nat inside
ip virtual-reassembly
!
interface Vlan8
description Orange travail
ip address 192.168.8.254 255.255.255.0
ip access-group 108 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
event manager applet CLEAR_NAT
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
end
1- I have seen yours and I have tried to adapt it, but for this:
event manager applet CLEAR_NAT
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
I can't put both together. Only one is taken into account.
2- I can't get out of the router. I can ping the two WAN ports but not the fiber box or my 4G box.
3- I have adapted the access lists because I would like to regulate the connections between VLANs, for example:
Vlan2 can enter into all vlan
Vlan3 can enter only into vlan 4,5
Vlan 4 into vlan 2,3,5,8
Vlan5 into vlan 3,4
Vlan6 into all vlan except the 8
Vlan7 into all vlan
Vlan8 only the vlan 4.
I have put my laptop 1 in VLAN 2 to ping another laptop in VLAN 3 and a camera in VLAN 5.
Laptop 1 has the IP address 192.168.2.10/24, gateway 192.168.2.254, DNS 8.8.8.8
Laptop 2 has the IP address 192.168.3.10/24, gateway 192.168.3.254, DNS 8.8.8.8
The IP camera has the IP address 192.168.5.10/24, gateway 192.168.5.254, DNS 8.8.8.8
Laptop 1 can ping laptop 2 (it's OK) but can't ping the IP address 192.168.1.254, which is the IP address of the VLAN.
Laptop 1 can't ping the IP camera, while it should be able to.
Laptop 2 can't ping laptop 1 (it's OK), but it can't ping the IP camera either, while it should be able to.
Can you help me again please?
Thank you again, and a lot.
09-22-2017 03:49 AM
Hi,
What is the IP configured on the laptop?
09-22-2017 08:31 AM
Hello,
It depends on the port used.
But if I am on FastEthernet 2, I use VLAN 2, which has the IP address 192.168.2.254 255.255.255.0.
So my laptop will have 192.168.2.100 with netmask 255.255.255.0 and the gateway 192.168.2.254. For the DNS I put 8.8.8.8, and for the secondary 8.8.4.4.
Thank you for your help.
09-23-2017 02:35 PM
Hello,
change the name of the applet, that is probably what the router is complaining about.
In your new configuration, the access lists are mixed up. Get your Internet up first by entering the exact same config as below. Once that is working, we can look at restricting access to the VLANs:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip nat inside
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip nat inside
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip nat inside
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip nat inside
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
! interface names as they exist on this 1811: FastEthernet0 and FastEthernet1
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
! the applets watch track object 8, the one the primary default route uses
event manager applet CLEAR_NAT_DOWN
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
event manager applet CLEAR_NAT_UP
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end
09-23-2017 03:20 PM
Hi again,
This is the last last configuration lol.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
switchport access vlan 8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Vlan2
description domoticity
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip access-group 107 in
ip nat inside
ip virtual-reassembly
!
interface Vlan8
description Orange travail
ip address 192.168.8.254 255.255.255.0
ip access-group 108 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
event manager applet CLEAR_NAT_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
end
I have written your configuration and adapted the password etc. in the same order, but the configuration comes out like this. And still no internet.
Thank you for your help again
09-23-2017 11:25 PM
Hello,
you are missing access list 100. Add the below to your configuration:
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
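The dangling references that surface in this thread (a route-map matching an access list that is not defined, an EEM applet watching a track object that does not exist, two applets sharing one name, and an inbound ACL on a VLAN interface that permits no source from that VLAN's own subnet) can be checked offline before a candidate config is pasted into the router. The Python check below is an added example, not code from any poster; the function names and finding labels are assumptions, and the sample config is constructed from lines posted above.

```python
import ipaddress
import re

# Constructed sample: lines taken from configurations posted in this thread,
# trimmed to what the checks read. Indentation is optional for the parser.
SAMPLE_CONFIG = """\
track 8 ip sla 1 reachability
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
event manager applet CLEAR_NAT
 event track 1 state down
 action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT
 event track 1 state up
 action 2.0 cli command "clear ip nat translations forced"
"""


def acl_source(tokens):
    """Source network of the tokens that follow 'permit ip' in an ACL entry."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    # An IOS wildcard mask is an inverted netmask (contiguous masks assumed).
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False)


def parse(config):
    """Collect definitions and references; section state replaces indentation."""
    facts = {"tracks": set(), "acls": {}, "ifaces": {},
             "rmap_acls": [], "eem_tracks": [], "applets": []}
    kind = name = None  # configuration block currently being read
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"track (\d+) ", line):
            facts["tracks"].add(m[1])
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            sources = facts["acls"].setdefault(m[1], [])
            tokens = m[3].split()
            if m[2] == "permit" and tokens[0] == "ip":
                try:
                    sources.append(acl_source(tokens[1:]))
                except (IndexError, ValueError):
                    pass  # malformed entry or non-contiguous wildcard
        elif m := re.match(r"interface (\S+)", line):
            kind, name = "iface", m[1]
            facts["ifaces"][name] = {}
        elif m := re.match(r"route-map (\S+) ", line):
            kind, name = "rmap", m[1]
        elif m := re.match(r"event manager applet (\S+)", line):
            kind, name = "applet", m[1]
            facts["applets"].append(name)
        elif kind == "iface" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            facts["ifaces"][name]["net"] = net
        elif kind == "iface" and (m := re.match(r"ip access-group (\d+) in", line)):
            facts["ifaces"][name]["acl_in"] = m[1]
        elif kind == "rmap" and (m := re.match(r"match ip address (\d+)", line)):
            facts["rmap_acls"].append((name, m[1]))
        elif kind == "applet" and (m := re.match(r"event track (\d+) ", line)):
            facts["eem_tracks"].append((name, m[1]))
    return facts


def lint(config):
    """Return sorted (check, object, detail) findings for the config text."""
    f = parse(config)
    found = set()
    for rmap, acl in f["rmap_acls"]:
        if acl not in f["acls"]:
            found.add(("undefined-acl", rmap, acl))
    for applet, track in f["eem_tracks"]:
        if track not in f["tracks"]:
            found.add(("undefined-track", applet, track))
    for applet in set(f["applets"]):
        if (count := f["applets"].count(applet)) > 1:
            found.add(("duplicate-applet", applet, f"defined {count} times"))
    for iface, info in f["ifaces"].items():
        acl, net = info.get("acl_in"), info.get("net")
        # Inbound traffic is sourced from the interface's own subnet; with no
        # overlapping permit entry the implicit deny drops all of it.
        if acl in f["acls"] and net and not any(net.overlaps(s) for s in f["acls"][acl]):
            found.add(("acl-in-blocks-own-subnet", iface, acl))
    return sorted(found)


if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```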
09-24-2017 12:15 AM
Hello.
I have added the access-list 100 :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$oQhA$Eu5oCOXYqbhFCYRR9x0pH/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name domoticity.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username domoticity privilege 15 secret 5 $1$dSvN$MpTHvWFcIVe7Ydm748fwB1
!
archive
log config
hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
description Acces principal FTTH
ip address 192.168.1.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Acces secour 3/4G
ip address 10.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
!
interface FastEthernet5
switchport access vlan 5
!
interface FastEthernet6
switchport access vlan 6
!
interface FastEthernet7
switchport access vlan 7
!
interface FastEthernet8
switchport access vlan 8
!
interface FastEthernet9
switchport access vlan 9
!
interface Vlan1
no ip address
!
interface Vlan2
description domoticity
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description casa
ip address 192.168.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description stockage
ip address 192.168.4.254 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description domotique et cameras
ip address 192.168.5.254 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
interface Vlan6
description sentinelle
ip address 192.168.6.254 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
!
interface Vlan7
description Monotoring surveillance generale
ip address 10.1.1.254 255.255.255.0
ip access-group 107 in
ip nat inside
--More-- *Sep 24 07:09:17.883: %TRACKING-5-STATE: 8 ip sla 1 reachabilit
ip virtual-reassembly
!
interface Vlan8
description Orange travail
ip address 192.168.8.254 255.255.255.0
ip access-group 108 in
ip nat inside
ip virtual-reassembly
!
interface Vlan9
description Serveurs multimedia
ip address 192.168.9.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.9.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.6.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.9.0 0.0.0.255 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.3.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.6.0 0.0.0.255 any
access-list 104 permit ip 192.168.8.0 0.0.0.255 any
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.6.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.4.0 0.0.0.255 any
access-list 108 permit ip 192.168.6.0 0.0.0.255 any
access-list 109 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 permit ip 192.168.3.0 0.0.0.255 any
access-list 109 permit ip 192.168.4.0 0.0.0.255 any
access-list 109 permit ip 192.168.6.0 0.0.0.255 any
access-list 109 permit ip 10.1.1.0 0.0.0.255 any
!
route-map BACKUP_ISP permit 10
match ip address 100
match interface FastEthernet1
!
route-map MAIN_ISP permit 10
match ip address 100
match interface FastEthernet0
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
event manager applet CLEAR_NAT_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translations forced"
!
end
And I have tested adding ip access-group 100 in and out on FastEthernet 0.
I also tested without an access-group on Fa0.
No internet.
Thank you again for your help.
09-24-2017 11:33 AM
As stated before, remove the access lists from your VLAN interfaces, so you get the Internet part right first.
What DNS servers are your clients configured with?
Try and add:
ip name-server 8.8.8.8
ip name-server 8.8.4.4
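Why removing the VLAN access lists matters, as an added example (not code from the thread): an ACL applied with `in` is matched against the source address of packets arriving from that VLAN, and lists 102 to 108 in the posted config never permit the VLAN's own subnet as a source, so local hosts fall through to the implicit deny. The sketch below checks for that condition; it handles only the `permit ip <net> <wildcard> any` form used in this thread, and the sample config is abridged from the post above.

```python
import ipaddress
import re

# Constructed sample, abridged from the first config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip access-group 103 in
interface Vlan9
 ip address 192.168.9.254 255.255.255.0
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.9.0 0.0.0.255 any
"""

def parse(config):
    """Return ({interface: [network, inbound_acl]}, {acl: [permitted source networks]})."""
    ifaces, acls, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            ifaces[current] = [None, None]
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ifaces[current][0] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif current and (m := re.match(r"ip access-group (\d+) in$", line)):
            ifaces[current][1] = m.group(1)
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any$", line):
            # ip_network accepts an IOS wildcard (host mask) after the slash
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return ifaces, acls

def blocked_interfaces(config):
    """Interfaces whose inbound ACL permits no source inside the interface's own subnet."""
    ifaces, acls = parse(config)
    blocked = []
    for name, (net, acl) in ifaces.items():
        if net is None or acl not in acls:
            continue  # no address, no inbound ACL, or an undefined ACL (IOS permits all)
        if not any(net.overlaps(src) for src in acls[acl]):
            blocked.append(name)  # every local host hits the implicit deny
    return blocked

if __name__ == "__main__":
    print(blocked_interfaces(SAMPLE_CONFIG))
```

If the intent is to restrict which VLANs may talk to each other, the same check can be rerun after each ACL change to confirm local hosts are still admitted on ingress.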
09-24-2017 12:30 PM
Hi again again :)
So I have deleted all the access lists for the VLANs.
I have added the name-server lines.
This is my conf:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXX
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domoticity.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username domoticity privilege 15 secret 5 XXXXXXXXXX
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
 switchport access vlan 8
!
interface FastEthernet9
 switchport access vlan 9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description domoticity
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan8
 description Orange travail
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 description Serveurs multimedia
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map BACKUP_ISP interface FastEthernet1 overload
ip nat inside source route-map MAIN_ISP interface FastEthernet0 overload
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
route-map BACKUP_ISP permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map MAIN_ISP permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
event manager applet CLEAR_NAT_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
event manager applet CLEAR_NAT_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translations forced"
!
end
So now, when I plug in only WAN 1 (fiber box):
I can ping the fiber box (192.168.1.1) but cannot get through to the internet.
When I do a sh ip route:
routeur-cisco1811#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0
C    192.168.3.0/24 is directly connected, Vlan3
But the failover works, because when I plug in WAN 1 and WAN 2 it switches over to WAN 2 with the ip route and I have internet.
So I have done a sh ip int brief:
routeur-cisco1811#sh ip int brief
Interface        IP-Address      OK?  Method  Status  Protocol
Async1           unassigned      YES  NVRAM   down    down
FastEthernet0    192.168.1.254   YES  NVRAM   up      up
FastEthernet1    10.0.0.254      YES  NVRAM   up      down
FastEthernet2    unassigned      YES  unset   up      down
FastEthernet3    unassigned      YES  unset   up      up
FastEthernet4    unassigned      YES  unset   up      down
FastEthernet5    unassigned      YES  unset   up      down
FastEthernet6    unassigned      YES  unset   up      down
FastEthernet7    unassigned      YES  unset   up      down
FastEthernet8    unassigned      YES  unset   up      down
FastEthernet9    unassigned      YES  unset   up      down
NVI0             192.168.1.254   YES  unset   up      up
Vlan1            unassigned      YES  NVRAM   up      down
Vlan2            192.168.2.254   YES  NVRAM   up      down
Vlan3            192.168.3.254   YES  NVRAM   up      up
Vlan4            192.168.4.254   YES  NVRAM   up      down
Vlan5            192.168.5.254   YES  NVRAM   up      down
Vlan6            192.168.6.254   YES  NVRAM   up      down
Vlan7            10.1.1.254      YES  NVRAM   up      down
Vlan8            192.168.8.254   YES  NVRAM   up      down
Vlan9            192.168.9.254   YES  NVRAM   up      down
And I see that WAN 1 (FastEthernet0) is up.
In my fiber box, the Cisco's IP address is in the DMZ and has a reserved static IP.
The firewall is low.
I'm approaching the solution lol.
Thank you again again for your help, very very useful.
09-24-2017 12:41 PM
Hello,
You are NATting to a private address (192.168.1.254). There must be another device that translates this to an actual public IP address; is that your firewall? What firewall, and what is the configuration?