How to configure NAT load-balancing over two ISPs on Cisco 2851.
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M.bin"
My config (users behind the router/PAT are unable to access the Internet, I don't know why?!!):
interface FastEthernet0/1/0.1101
description *** INET: ISP1 ***
bandwidth 100000
encapsulation dot1Q 1101
ip address 1.1.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
service-policy output POLICY-100M
!
interface FastEthernet0/1/0.1103
description *** INET: ISP2 ***
bandwidth 50000
encapsulation dot1Q 1103
ip address 2.2.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
service-policy output POLICY-50M
!
interface GigabitEthernet0/0.12
description *** LAN ***
encapsulation dot1Q 12
ip address 172.18.253.233 255.255.255.252
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
ip nat pool POOL-ISP1 1.1.1.2 1.1.1.2 prefix-length 30
ip nat pool POOL-ISP2 2.2.2.2 2.2.2.2 prefix-length 30
ip nat inside source route-map RMAP-NAT-ISP1 pool POOL-ISP1 overload
ip nat inside source route-map RMAP-NAT-ISP2 pool POOL-ISP2 overload
!
route-map RMAP-NAT-ISP1 permit 10
match ip address ACL-NAT
match interface FastEthernet0/1/0.1101
route-map RMAP-NAT-ISP2 permit 10
match ip address ACL-NAT
match interface FastEthernet0/1/0.1103
!
ip access-list extended ACL-NAT
deny ip object-group OBJNET-PRIVATE object-group OBJNET-PRIVATE
permit ip object-group OBJNET-SR any
!
If I apply "no ip route 0.0.0.0 0.0.0.0 2.2.2.1", the situation doesn't change; there is no Internet access.
...and the working config (through one ISP only):
!<interface config all the same, see above>
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat pool POOL-ISP1 1.1.1.2 1.1.1.2 prefix-length 30
ip nat pool POOL-ISP2 2.2.2.2 2.2.2.2 prefix-length 30
ip nat inside source list ACL-NAT pool POOL-ISP1 overload
!
ip access-list extended ACL-NAT
deny ip object-group OBJNET-PRIVATE object-group OBJNET-PRIVATE
permit ip object-group OBJNET-SR any
!
If I add "ip route 0.0.0.0 0.0.0.0 2.2.2.1", the situation changes: there is no Internet access!
What is wrong in the first config?! How to do this:
- if both ISPs are available, then use both ISPs for NAT for all inside hosts
- if one of the ISPs is unavailable, then use the second ISP for NAT for all inside hosts