cisco 1800 failover and route

domoticity

Hello

I have a Cisco 1811 with dual WAN.
I would like to configure it for failover.
I have a fiber connection on fe0 and a mobile connection (via a 4G router) on fe1.
The router can ping 8.8.8.8 and my fiber box. But when I put a computer with a static IP on one of the ports, I can ping the VLAN interface and port fe0 (192.168.1.254), but I cannot ping the fiber box (192.168.1.1) or the outside.
I cannot find my error, help :)
Here is my configuration:

routeur-cisco1811#sh conf
Using 3032 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
!
!
archive
 log config
  hidekeys
!
!
!
track 8 ip sla 1 reachability
!
!
!
interface FastEthernet0
 description Main FTTH access
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Backup 3/4G access
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description 
 ip address 192.168.2.254 255.255.255.0
 ip access-group 13 out
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
!
interface Vlan4
 description storage
 ip address 192.168.4.254 255.255.255.0
!
interface Vlan5
 description home automation and cameras
 ip address 192.168.5.254 255.255.255.0
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan7
 description Monitoring, general surveillance
 ip address 10.1.1.254 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
!
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 13 permit 0.0.0.0
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
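
The failover-plus-NAT design the question is after, written out as an added example. This is not the poster's configuration and not from any reply in the thread: interface addresses and VLAN subnets are taken from the posted config, while the ACL, route-map and applet names, the probe target 8.8.8.8 (the address the poster already pings by hand) and tracks 1 and 2 are my own choices. It keeps the poster's "track 8 drives the default route" convention but redefines track 8 as a list.

```cisco
! Added example, not the poster's configuration: dual-WAN failover on the 1811
! with NAT towards whichever uplink is currently active. Interface addresses
! and VLAN subnets are from the posted config; ACL, route-map and applet names
! and tracks 1/2 are my own choices.
!
! --- Probes ---------------------------------------------------------------
! sla 1 tests the fiber box itself. sla 2 tests beyond it; its target gets a
! host route via the box so the probe stays on FastEthernet0 even after the
! default route has fallen back to 4G (otherwise the probe would succeed
! over 4G and the track could never recover). Use a target you may probe.
ip sla 1
 icmp-echo 192.168.1.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8 source-interface FastEthernet0
 frequency 10
ip sla schedule 2 life forever start-time now
ip route 8.8.8.8 255.255.255.255 192.168.1.1
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
! Both must be up for the fiber path to count as usable; the delays stop a
! single lost probe from flapping the default route back and forth.
track 8 list boolean and
 object 1
 object 2
 delay down 15 up 30
!
! --- Default routes: tracked primary, floating static backup (AD 10) ------
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
!
! --- NAT -----------------------------------------------------------------
! The posted config marks both uplinks "ip nat outside" but no interface
! "ip nat inside", so no translation ever happens and the fiber box sees
! 192.168.x.x sources it has no route back to. Mark the LAN SVIs and pick
! the translation by egress interface: the same inside host is translated
! behind 192.168.1.254 while fiber is up and behind 10.0.0.254 afterwards.
interface Vlan2
 ip nat inside
 ip virtual-reassembly
interface Vlan3
 ip nat inside
 ip virtual-reassembly
interface Vlan4
 ip nat inside
 ip virtual-reassembly
interface Vlan5
 ip nat inside
 ip virtual-reassembly
interface Vlan6
 ip nat inside
 ip virtual-reassembly
interface Vlan7
 ip nat inside
 ip virtual-reassembly
!
ip access-list standard LAN_SUBNETS
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
 permit 192.168.6.0 0.0.0.255
 permit 10.1.1.0 0.0.0.255
!
route-map NAT_FTTH permit 10
 match ip address LAN_SUBNETS
 match interface FastEthernet0
route-map NAT_4G permit 10
 match ip address LAN_SUBNETS
 match interface FastEthernet1
!
ip nat inside source route-map NAT_FTTH interface FastEthernet0 overload
ip nat inside source route-map NAT_4G interface FastEthernet1 overload
!
! --- Clean up after a switch ----------------------------------------------
! Existing translations stay bound to the old uplink, so long-lived flows
! hang until they time out. Flush them whenever track 8 changes state.
! (Needs the EEM track event detector; check "show event manager version".)
event manager applet NAT_FLUSH_ON_FAILOVER
 event track 8 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 8 changed state - NAT translations flushed"
```

Two checks worth running against the posted config before blaming the failover part. First, `show ip nat translations` on the 1811 while a LAN host pings 192.168.1.1: with no `ip nat inside` anywhere it stays empty, which is the symptom in the question (the fiber box is reached, but has no way to answer a 192.168.2.x source; NAT as above or static routes on the box fix that). Second, `access-list 13 permit 0.0.0.0` is a standard ACL, so applied with `ip access-group 13 out` on Vlan2 it matches on source address and permits only packets from 0.0.0.0; everything forwarded towards hosts on Vlan2 is dropped, so a test PC on that VLAN would fail for an unrelated reason.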

I've never done a router behind a router with double NAT, but I already know it's not good. The one thing that I have on one of my networks is IP inspect rules, if you want to use the Cisco CBAC-based firewall system. The thing to always remember is to place all the rules where the traffic is going to hit first.

The IP inspect rules allow any traffic that you want outbound that requires return traffic. Meaning, if on VLAN 1 you allow certain TCP traffic in that needs to go to any location (i.e. HTTP, HTTPS, etc.) and it needs to go out your WAN port, it will, and any traffic that needs to come back in will too.

Below is a Cisco 891F router I have. I cut out some stuff pertinent only to me, but the basics are the same. This covers the basic CBAC configuration that most have. Since I don't have a secondary WAN, I can not comment on that or a configuration. I know the general idea, but not the specifics.
object-group service Web_Access
 tcp eq www
 tcp eq 443
 udp eq ntp
 tcp eq 22
 tcp eq 993
 tcp eq 587
 tcp eq 465
 tcp eq 8443
 tcp eq 5222
 tcp eq 5061
ip inspect name OUT tcp
ip inspect name OUT udp
interface GigabitEthernet8
 description WAN Connection
 ip address dhcp
 ip access-group 103 in
 ip nat outside
 ip inspect OUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.205.252 255.255.255.0
 ip access-group LAN_IN in
 ip nat inside
 ip virtual-reassembly in
ip nat inside source list 10 interface GigabitEthernet8 overload
access-list 10 permit 192.168.205.0 0.0.0.255
ip access-list extended LAN_IN
 remark LAN_IN
 permit udp any any eq bootps log
 permit object-group Web_Access 192.168.205.0 0.0.0.255 any
 deny   ip any any
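
The same CBAC pattern carried over to the 1811 in the question, which has two uplinks. This is an added example, not the 891F config above and not anything the original poster wrote: interface addresses come from the posted 1811 config, while the inspect and ACL names and the choice of which fiber-box-side hosts may reach which VLAN are assumptions. What it adds is an interaction with the failover design: CBAC inspects transit traffic only, so replies to the router's own IP SLA probes are never opened dynamically and must be permitted by the inbound ACL, otherwise applying the filter takes the track down and flips the default route.

```cisco
! Added example (not the 891F config above): CBAC on both WAN interfaces of
! the 1811. Addresses are from the posted config; the names OUT and WAN_IN
! and the "storage VLAN" permit at the end are assumptions.
!
! Stateful inspection for transit traffic leaving either uplink; the
! inspect engine opens the return path, so the inbound ACL does not need
! to list ephemeral ports.
ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp
!
! One inbound filter for both uplinks. CBAC does not track traffic the
! router itself originates, so replies to its probes and its own DNS
! queries have to be permitted explicitly; otherwise sla 1 fails as soon
! as this ACL is applied and the default route fails over for no reason.
ip access-list extended WAN_IN
 remark replies to pings the router sends itself (IP SLA probes, manual ping)
 permit icmp any host 192.168.1.254 echo-reply
 permit icmp any host 10.0.0.254 echo-reply
 remark DNS answers to the router itself, if domain lookup is enabled
 permit udp any eq domain host 192.168.1.254
 permit udp any eq domain host 10.0.0.254
 remark ICMP errors needed for path MTU discovery and traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark assumption: hosts on the fiber box side may reach the storage VLAN
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet0
 ip access-group WAN_IN in
 ip inspect OUT out
 ip virtual-reassembly
!
interface FastEthernet1
 ip access-group WAN_IN in
 ip inspect OUT out
 ip virtual-reassembly
```

After applying it, `show ip inspect sessions` should list LAN-originated flows on whichever uplink is active, and `show track` should still report the fiber track up; if it goes down at the same moment the ACL is applied, the probe replies are being dropped, and the `log` keyword on the final deny shows exactly which ones.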

Hi,

thanks for your answer.

I will buy a manageable Cisco switch with enough ports,

and manage the inter-VLAN connections with it.

But I have a question and it's the last one lol.

I have some devices which are connected to the fiber box.

How can I allow some of those devices to reach my VLANs?

Thank you, and everybody who helped me.

You will need to add some static routes on the fiber box so that it knows where to route packets. The IOS routes would look like:

!
ip route 10.1.1.0 255.255.255.0 192.168.1.254
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip route 192.168.3.0 255.255.255.0 192.168.1.254
ip route 192.168.4.0 255.255.255.0 192.168.1.254
ip route 192.168.5.0 255.255.255.0 192.168.1.254
ip route 192.168.6.0 255.255.255.0 192.168.1.254
ip route 192.168.8.0 255.255.255.0 192.168.1.254
ip route 192.168.9.0 255.255.255.0 192.168.1.254
!

cheers,

Seb.

Thank you Seb :)

Can I ask a question again lol?

ip sla 2
 icmp-echo 90.116.11.243 source-ip 192.168.1.254
ip sla schedule 2 life forever start-time now
ip route 90.116.11.243 255.255.255.255 192.168.1.1

I have it in my configuration to switch over from WAN 1 to WAN 2 when I lose the fiber link.

But 90.116.11.243 is my ISP IP, and my provider changes the IP each time I lose the fiber link.

I have a DynDNS name at No-IP.

I have tested ip route XXXXXX.noip.com 255.255.255.255 192.168.1.1

but the router refuses the route, like a capricious child :p

What can I do?

Thank you again again again again again :)

Only the ASA and IOS-XE (3E and above) support ACLs with FQDNs.

I suppose you could create an EEM script that would fairly regularly ping your noip.com FQDN, scrape the output and update that particular route. If you want to try that I suggest starting a new post on the EEM scripting board:

https://supportforums.cisco.com/t5/eem-scripting/bd-p/5941-discussions-eem-scripting
:)
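
The EEM approach the reply suggests, as an added example that comes from neither the thread nor Cisco documentation: a watchdog applet that resolves the dynamic-DNS name by pinging it, and only when the address has changed rewrites the pinned host route and re-creates `ip sla 2` with the new target. `myhost.example.net`, the 300-second interval and the applet and variable names are placeholders (the real hostname is masked in the question). It needs DNS on the router, which the posted config disables with `no ip domain lookup`, and the EEM 3.0 applet control structures (`if`/`end`, `regexp`), which appeared in IOS 12.4(22)T; `show event manager version` tells you whether the 1811's image has them.

```cisco
! Added example: keep the failover probe pointed at a dynamic-DNS name.
! Placeholders: myhost.example.net, the 300 s interval, applet/variable names.
!
! The router must be able to resolve names; the posted config has
! "no ip domain lookup". 8.8.8.8 is reachable via whichever default route
! is active, so resolution still works while the fiber is down.
ip domain lookup
ip name-server 8.8.8.8
!
! Last address we configured, so the old host route can be removed.
event manager environment PROBE_HOST myhost.example.net
event manager environment PROBE_IP 0.0.0.0
!
event manager applet REFRESH_PROBE_TARGET
 event timer watchdog time 300
 action 1.00 cli command "enable"
 ! "ping <name>" resolves the name and prints "... ICMP Echos to A.B.C.D ..."
 action 1.10 cli command "ping $PROBE_HOST repeat 1 timeout 1"
 action 1.20 regexp "Echos to ([0-9.]+)" "$_cli_result" match ip
 ! No match means DNS failed: leave the current route and probe alone.
 action 1.30 if $_regexp_result eq 1
 action 1.40 if $ip ne $PROBE_IP
 action 2.00 cli command "configure terminal"
 ! Pin the new target to the fiber box so the probe keeps using fe0.
 action 2.10 cli command "no ip route $PROBE_IP 255.255.255.255 192.168.1.1"
 action 2.20 cli command "ip route $ip 255.255.255.255 192.168.1.1"
 ! An SLA operation cannot be edited while scheduled: remove and re-create it.
 action 2.30 cli command "no ip sla schedule 2"
 action 2.40 cli command "no ip sla 2"
 action 2.50 cli command "ip sla 2"
 action 2.60 cli command "icmp-echo $ip source-ip 192.168.1.254"
 action 2.70 cli command "exit"
 action 2.80 cli command "ip sla schedule 2 life forever start-time now"
 ! Remember the address for the next run.
 action 2.90 cli command "event manager environment PROBE_IP $ip"
 action 3.00 cli command "end"
 action 3.10 syslog msg "Probe target $PROBE_HOST moved to $ip; host route and ip sla 2 updated"
 action 3.20 end
 action 3.30 end
```

Two caveats. The rebuild of `ip sla 2` leaves the operation without results for a few seconds, so the track that watches it should carry a `delay down` longer than that, or the update itself triggers a failover. And the applet can only learn the new address after the fiber is back and the name has been updated by the No-IP client, so the failback lag is the DNS update time plus up to one watchdog interval; shorten the interval if that matters, at the cost of one DNS query and one ping per run.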

Thank you very much :)
