02-03-2012 09:47 PM - edited 03-04-2019 03:08 PM
Cisco 891 configuration Details:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 YYYYYYYYYYYYYYYYYYYYYYYYYY
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
no ip source-route
!
!
!
ip dhcp pool ccp-pool1
import all
network 10.153.64.0 255.255.255.128
default-router 10.153.64.1
dns-server 8.8.8.8
lease infinite
!
!
ip cef
no ip bootp server
ip domain name VVVVVVVVVVVV
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.153.65.1
ip name-server 10.153.66.1
ip inspect tcp reassembly queue length 128
no ipv6 cef
!
!
!
!
!
track 1 ip sla 1 reachability
delay down 9 up 10
!
track 2 ip sla 2 reachability
delay down 9 up 10
!
!
interface FastEthernet8
description $ETH-WAN$$FW_OUTSIDE$
ip address 10.153.66.5 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 10.153.65.5 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description LAN Connection$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.153.64.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 10.153.65.1 track 1
ip route 0.0.0.0 0.0.0.0 10.153.66.1 100 track 2
!
ip sla 1
icmp-echo 10.153.65.1 source-interface GigabitEthernet0
threshold 2
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.153.66.1 source-interface FastEthernet8
frequency 5
ip sla schedule 2 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.153.64.0 0.0.0.127
access-list 10 permit 10.153.64.0
access-list 110 permit ip 10.153.64.0 0.0.0.127 any
no cdp run
!
!
!
!
route-map A permit 10
match ip address 110
match interface GigabitEthernet0
!
route-map B permit 10
match ip address 110
match interface FastEthernet8
!
I could connect to the GigabitEthernet WAN based on the above configuration.
When I test on FastEthernet8 for the secondary ISP connection, it will not go through to the internet.
The ping details:
ping from (10.153.65.5) to 8.8.8.8 = OK
ping from (10.153.66.5) to 10.153.66.1 = OK
ping from (10.153.66.5) to 8.8.8.8 = not OK
Please advise.
02-04-2012 12:01 AM
Hi Andy,
Yes you can.
Edit: Your configuration looks fine to me. It's Active/Standby.
You can use PBR to redirect a host to WAN(FastEthernet)
!
ip access-list ext Redirect-Host
permit ip host 10.153.64.61 any
!
route-map GoToFastEthernet permit 10
match ip address Redirect-Host
set ip next-hop 10.153.66.1
!
int vlan 1
ip policy route-map GoToFastEthernet
!
HTH,
Toshi
02-03-2012 10:10 PM
You have a mismatched route map on the FastEthernet8 interface
ip nat inside source route-map A interface FastEthernet8 overload
route-map B permit 10
match ip address 110
match interface FastEthernet8
Hope this helps
Eugen
02-03-2012 10:19 PM
Sorry, that was a mistake when I copy-pasted the configuration
ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload
route-map B permit 10
match ip address 110
match interface GigabitEthernet0
!
route-map A permit 10
match ip address 110
match interface FastEthernet8
02-03-2012 10:25 PM
Did you try to replace FastEthernet8 with the IP address of the interface in the NAT statement?
Also, both map statements are using the same ACL 110. I see that you have an ACL 1 configured.
Did you try to change one of the maps to use ACL 1?
02-03-2012 10:34 PM
ip nat inside source route-map A interface FastEthernet8 overload
to
ip nat inside source route-map A interface 10.153.66.5 overload
is that correct?
Changed the route-map configuration to:
route-map B permit 10
match ip address 110
match interface GigabitEthernet0
!
route-map A permit 10
match ip address 1
match interface FastEthernet8
02-03-2012 10:45 PM
Don't need the "interface", just ip address
ip nat inside source route-map A 10.153.66.5 overload
02-03-2012 11:03 PM
I tried it and it gives me a wrong syntax warning
% invalid input detected
ip nat inside source route-map A 10.153.66.5 overload
^
02-03-2012 11:17 PM
You need a space between "route-map" and "A".
Also, you have two default routes, but the one out Fa8 has a 100 AD. Maybe if you remove that value it will use it.
ip route 0.0.0.0 0.0.0.0 10.x.x.x 100 track 2
change to
ip route 0.0.0.0 0.0.0.0 10.x.x.x track 2
02-03-2012 11:08 PM
Hello,
Try this out.
!
ip nat inside source route-map B interface FastEthernet8 overload
ip nat inside source route-map A interface GigabitEthernet0 overload
!
route-map A permit 10
match ip address 110
match interface GigabitEthernet0
!
route-map B permit 10
match ip address 110
match interface FastEthernet8
!
Edit: Well, you're trying to "ping" from WAN (10.153.66.5). You need to enable another default route for that. Just shut down "Gigabit 0" for testing.
HTH,
Toshi
02-03-2012 11:12 PM
Hi,
It was a wrong copy-paste of the configuration; the right one is:
ip nat inside source route-map A interface FastEthernet8 overload
ip nat inside source route-map B interface GigabitEthernet0 overload
route-map B permit 10
match ip address 110
match interface GigabitEthernet0
!
route-map A permit 10
match ip address 110
match interface FastEthernet8
02-03-2012 11:18 PM
Hello,
Well, you're trying to "ping" from WAN (10.153.66.5). You need to enable another default route for that. Just shut down "Gigabit 0" for testing.
Don't forget you're using "Track" to install one default route at a time.
HTH,
Toshi
02-03-2012 11:26 PM
Thanks Man,
You are correct - I just tried it and it is working
The failover configuration
Thanks to you.
Best regards,
Andy
02-03-2012 11:23 PM
Please find below the ping details
#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet8
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.153.66.5
.....
Success rate is 0 percent (0/5)
Please give the details to enable default route?
is this what you mean:
ip route 0.0.0.0 0.0.0.0 10.153.65.1 track 1
ip route 0.0.0.0 0.0.0.0 10.153.66.1 100 track 2
02-03-2012 11:27 PM
Hello,
First off, you need to make sure which WAN interface you're using to get outside. "Show ip route" will reveal that. You can shut down Gigabit0 for testing.
HTH,
Toshi
02-03-2012 11:50 PM
Hi,
I have tested it - and it is working.
So FastEthernet8 will not be active when GigabitEthernet0 is active.
Is there a way to make sure that both of them are active, but with
GigabitEthernet0 as the primary?
Because I would like to configure one IP, 10.153.64.61, to route directly to 10.153.66.5
Best regards
Andy