andyspranata
Beginner

Cisco 891 Fail over Configuration

Cisco 891 configuration Details:

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 YYYYYYYYYYYYYYYYYYYYYYYYYY
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
no ip source-route
!
ip dhcp pool ccp-pool1
   import all
   network 10.153.64.0 255.255.255.128
   default-router 10.153.64.1
   dns-server 8.8.8.8
   lease infinite
!
ip cef
no ip bootp server
ip domain name VVVVVVVVVVVV
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.153.65.1
ip name-server 10.153.66.1
ip inspect tcp reassembly queue length 128
no ipv6 cef
!
track 1 ip sla 1 reachability
 delay down 9 up 10
!
track 2 ip sla 2 reachability
 delay down 9 up 10
!
interface FastEthernet8
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 10.153.66.5 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 10.153.65.5 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description LAN Connection$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 10.153.64.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 10.153.65.1 track 1
ip route 0.0.0.0 0.0.0.0 10.153.66.1 100 track 2
!
ip sla 1
 icmp-echo 10.153.65.1 source-interface GigabitEthernet0
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.153.66.1 source-interface FastEthernet8
 frequency 5
ip sla schedule 2 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.153.64.0 0.0.0.127
access-list 10 permit 10.153.64.0
access-list 110 permit ip 10.153.64.0 0.0.0.127 any
no cdp run
!
route-map A permit 10
 match ip address 110
 match interface GigabitEthernet0
!
route-map B permit 10
 match ip address 110
 match interface FastEthernet8
!


I could connect to the GigabitEthernet WAN, based on the above configuration.

When I test on FastEthernet8 for the secondary ISP connection, it will not go through to the internet.

The Ping details

ping from (10.153.65.5) to 8.8.8.8 = OK

ping from (10.153.66.5) to 10.153.66.1 = OK

ping from (10.153.66.5) to 8.8.8.8 = not OK

Please advise?

Accepted Solutions

Hello,

     Well, you're trying to "ping" from WAN (10.153.66.5). You need to enable another default route for that. Just shut down "Gigabit 0" for testing.

     Don't forget you're using "Track" to install a default route one at a time.

HTH,

Toshi

Hello,

    First off, you need to make sure which WAN interface you're using to get outside. "show ip route" will reveal that to you. You can shut down Gigabit0 for testing.

HTH,

Toshi

Hi Andy,

        Yes you can.

Edit: Your configuration looks fine to me. It's Active/Standby.

You can use PBR to redirect a host to the WAN (FastEthernet).

!
ip access-list ext Redirect-Host
 permit ip host 10.153.64.61 any
!
route-map GoToFastEthernet permit 10
 match ip address Redirect-Host
 set ip next-hop 10.153.66.1
!
int vlan 1
 ip policy route-map GoToFastEthernet
!

HTH,

Toshi

17 REPLIES
ebarticel
Enthusiast

You have a mismatched route map to the FastEthernet8 interface

ip nat inside source route-map A interface FastEthernet8 overload

route-map B permit 10
 match ip address 110
 match interface FastEthernet8

Hope this helps

Eugen
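The consistency check raised in the reply above, as an added example that is not part of the original thread: a Python sketch that parses IOS configuration text and reports every `ip nat inside source route-map ... interface ...` statement whose route-map carries a `match interface` clause naming a different interface. The function names are hypothetical, and the sample is constructed from the NAT and route-map lines of the configuration as first posted.

```python
import re

# Constructed sample: NAT and route-map lines from the configuration as first posted.
SAMPLE_CONFIG = """\
ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload
!
route-map A permit 10
 match ip address 110
 match interface GigabitEthernet0
!
route-map B permit 10
 match ip address 110
 match interface FastEthernet8
"""

NAT_RE = re.compile(r"^ip nat inside source route-map (\S+) interface (\S+)")
MAP_RE = re.compile(r"^route-map (\S+)(?: (?:permit|deny))?(?: \d+)?$")
SUBCOMMANDS = {"match", "set", "description", "continue"}  # stay in route-map mode

def parse_route_maps(config):
    """Return {route-map name: set of interfaces named by 'match interface'}."""
    maps, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue  # tolerate the blank lines a forum paste inserts
        header = MAP_RE.match(raw.strip())
        if header:
            current = header.group(1)
            maps.setdefault(current, set())
        elif current and words[0] in SUBCOMMANDS:
            if words[:2] == ["match", "interface"]:
                maps[current].update(words[2:])
        else:
            current = None  # any other command leaves route-map mode
    return maps

def nat_mismatches(config):
    """List (route_map, nat_interface, matched_interfaces) for inconsistent NAT rules."""
    maps = parse_route_maps(config)
    problems = []
    for raw in config.splitlines():
        nat = NAT_RE.match(raw.strip())
        if nat:
            name, iface = nat.groups()
            matched = maps.get(name)  # None means the route-map is not defined
            if matched is None or (matched and iface not in matched):
                problems.append((name, iface, sorted(matched or ())))
    return problems
```

Run against the sample, both NAT rules are reported; a route-map with no `match interface` clause is not flagged, and a NAT rule that references an undefined route-map is.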

Sorry, that was a mistake when I copy-pasted the configuration.

ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload

route-map B permit 10
 match ip address 110
 match interface GigabitEthernet0
!
route-map A permit 10
 match ip address 110
 match interface FastEthernet8

Did you try to change FastEthernet8 with the IP address for the interface in the nat statement?

Also, both map statements are using the same ACL 110. I see that you have an ACL 1 configured.

Did you try to change one of the maps to use ACL 1?

ip nat inside source route-map A interface FastEthernet8 overload

to

ip nat inside source route-map A interface 10.153.66.5 overload

Is that correct?

Changed the route-map configuration to:

route-map B permit 10
 match ip address 110
 match interface GigabitEthernet0
!
route-map A permit 10
 match ip address 1
 match interface FastEthernet8

Don't need the "interface", just the IP address

ip nat  inside source route-map A  10.153.66.5 overload

I tried it and it gave me a wrong syntax warning

    % invalid input detected

     ip nat  inside source route-map A  10.153.66.5 overload

                                                           ^