09-21-2017 11:19 PM - edited 03-05-2019 09:10 AM
Hello
I have a Cisco 1811 with dual WAN.
I would like to configure it for failover.
I have a fiber connection on fe0 and a mobile connection (via a 4G router) on fe1.
The router manages to ping 8.8.8.8 and my fiber box. But when I connect a computer with a static IP to one of the ports, I can ping the VLAN interface and port fe0 (192.168.1.254), but I cannot ping the fiber box (192.168.1.1) or anything outside.
I can't find my error, help :)
Here is my configuration:
routeur-cisco1811#sh conf
Using 3032 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur-cisco1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXX
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name XXXXXXXX.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username XXXXXXXX privilege 15 secret 5 XXXXXX
!
archive
 log config
  hidekeys
!
track 8 ip sla 1 reachability
!
interface FastEthernet0
 description Acces principal FTTH
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description Acces secour 3/4G
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
!
interface FastEthernet5
 switchport access vlan 5
!
interface FastEthernet6
 switchport access vlan 6
!
interface FastEthernet7
 switchport access vlan 7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan2
 description
 ip address 192.168.2.254 255.255.255.0
 ip access-group 13 out
!
interface Vlan3
 description casa
 ip address 192.168.3.254 255.255.255.0
!
interface Vlan4
 description stockage
 ip address 192.168.4.254 255.255.255.0
!
interface Vlan5
 description domotique et cameras
 ip address 192.168.5.254 255.255.255.0
!
interface Vlan6
 description sentinelle
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan7
 description Monotoring surveillance generale
 ip address 10.1.1.254 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip default-gateway 10.0.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
no ip http server
no ip http secure-server
!
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
ip sla schedule 1 life forever start-time now
access-list 13 permit 0.0.0.0
!
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
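As an added check, not part of the original post, here is a small Python lint that reads an IOS running-config and flags the two things a dual-WAN setup like the one above most often gets wrong: `ip nat outside` with no inside interface or translation rule (so LAN hosts reach the box untranslated and get no reply), and an SLA probe aimed at the tracked next hop itself, which only proves the fiber box is up, not the uplink behind it. The config excerpt is constructed from the posted one and trimmed to the relevant lines.

```python
import re

# Constructed excerpt modelled on the dual-WAN config posted above, not the poster's full config.
CONFIG = """\
interface FastEthernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat outside
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
!
track 8 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 8
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
ip sla 1
 icmp-echo 192.168.1.1 source-ip 192.168.1.254
"""

def lint(cfg):
    """Return the NAT and failover gaps found in an IOS running-config text."""
    findings = []
    # interface stanzas: name plus the indented body lines that follow it
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M)
    outside = [n for n, body in stanzas if " ip nat outside\n" in body]
    inside = [n for n, body in stanzas if " ip nat inside\n" in body]
    if outside and not inside:
        findings.append("no 'ip nat inside' interface to pair with outside %s" % ",".join(outside))
    if outside and not re.search(r"^ip nat inside source ", cfg, re.M):
        findings.append("no 'ip nat inside source' rule: LAN traffic leaves untranslated")
    # a tracked default route needs its track object, which in turn needs its SLA probe
    for m in re.finditer(r"^ip route \S+ \S+ (\S+) track (\d+)", cfg, re.M):
        nexthop, tid = m.groups()
        t = re.search(r"^track %s ip sla (\d+)" % tid, cfg, re.M)
        if t is None:
            findings.append("track %s referenced but not defined" % tid)
            continue
        sla = re.search(r"^ip sla %s\n icmp-echo (\S+)" % t.group(1), cfg, re.M)
        if sla is None:
            findings.append("ip sla %s behind track %s not defined" % (t.group(1), tid))
        elif sla.group(1) == nexthop:
            findings.append("ip sla %s pings the next hop %s itself: a dead uplink beyond it keeps the route up" % (t.group(1), nexthop))
    return findings

if __name__ == "__main__":
    for f in lint(CONFIG):
        print("-", f)
```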
09-30-2017 10:57 AM
I've never done a router behind a router with double NAT, but I already know it's not good. The one thing that I have on one of my networks is IP inspect rules, if you want to use the Cisco CBAC-based firewall system. The thing to always remember is to place all the rules where the traffic is going to hit first.
The IP inspect rules allow any traffic that you want outbound that requires return traffic. Meaning, if on VLAN 1 you allow certain traffic in that needs to go to any location over TCP (i.e. HTTP, HTTPS, etc.) and it needs to go out your WAN port, it will, and any traffic that needs to come back in will.
Below is from a Cisco 891F router I have. I cut out some stuff pertinent only to me, but the basics are the same. This covers the basic CBAC configuration that most have. Since I don't have a secondary WAN, I can't comment on that or on a configuration for it. I know the general idea, but not the specifics.
object-group service Web_Access
 tcp eq www
 tcp eq 443
 udp eq ntp
 tcp eq 22
 tcp eq 993
 tcp eq 587
 tcp eq 465
 tcp eq 8443
 tcp eq 5222
 tcp eq 5061
!
ip inspect name OUT tcp
ip inspect name OUT udp
!
interface GigabitEthernet8
 description WAN Connection
 ip address dhcp
 ip access-group 103 in
 ip nat outside
 ip inspect OUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.205.252 255.255.255.0
 ip access-group LAN_IN in
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 10 interface GigabitEthernet8 overload
access-list 10 permit 192.168.205.0 0.0.0.255
!
ip access-list extended LAN_IN
 remark LAN_IN
 permit udp any any eq bootps log
 permit object-group Web_Access 192.168.205.0 0.0.0.255 any
 deny ip any any
10-02-2017 01:49 PM
Hi,
thanks for your answer.
I will buy a manageable Cisco switch with enough ports,
and manage inter-VLAN connections with it.
But I have a question, and it's the last one lol.
I have some devices which are connected to the fiber box.
How can I allow some of those devices to reach my VLANs?
Thank you, and everybody who helped me.
10-03-2017 12:23 AM
You will need to add some static routes on the fiber box so that it knows where to route packets. The IOS routes would look like:
!
! static routes use a subnet mask, not a wildcard mask
ip route 10.1.1.0 255.255.255.0 192.168.1.254
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip route 192.168.3.0 255.255.255.0 192.168.1.254
ip route 192.168.4.0 255.255.255.0 192.168.1.254
ip route 192.168.5.0 255.255.255.0 192.168.1.254
ip route 192.168.6.0 255.255.255.0 192.168.1.254
ip route 192.168.8.0 255.255.255.0 192.168.1.254
ip route 192.168.9.0 255.255.255.0 192.168.1.254
!
cheers,
Seb.
10-03-2017 10:28 AM
Thank you Seb :)
Can I ask a question again lol?
ip sla 2
 icmp-echo 90.116.11.243 source-ip 192.168.1.254
ip sla schedule 2 life forever start-time now
ip route 90.116.11.243 255.255.255.255 192.168.1.1
I have this in my configuration to fail over from WAN 1 to WAN 2 when I lose the fiber link.
But 90.116.11.243 is my ISP's IP, and my provider changes the IP each time I lose the fiber link.
I have a DynDNS name at NOIP.
I have tested ip route XXXXXX.noip.com 255.255.255.255 192.168.1.1
but the router refuses the route, like a capricious child :p
What can I do?
Thank you again again again again again :)
10-04-2017 12:27 AM
Only the ASA and IOS-XE (3E and above) support ACLs with FQDNs.
I suppose you could create an EEM script that would fairly regularly ping your noip.com FQDN, scrape the output and update that particular route. If you want to try that, I suggest starting a new post on the EEM scripting board:
https://supportforums.cisco.com/t5/eem-scripting/bd-p/5941-discussions-eem-scripting
:)
10-04-2017 02:00 AM
Thank you very much :)