
Configuring Backup Link (Dual Link To Internet)

tomocisco
Level 1

Hi All,

Thanks for your ever helpful contributions, which have continued to enrich our professional outputs.

I am dealing with an issue presently on my network.

I want to configure my router for a dual link to the internet so that when one link goes down the other comes up automatically, and once the primary link is restored it switches back to it automatically.

I know I am supposed to use different admin distances to show which is the main link and which is the backup link, but I am not very sure how NAT will work with this and how it will affect my VPN connection, which I'm still troubleshooting, i.e. will the backup link automatically use the VPN?

My current config for the primary link is shown.

Building configuration...

Current configuration : 5673 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3885639516
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3885639516
 revocation-check none
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp bootp ignore
!
!
no ip bootp server
no ip domain lookup
ip domain name
ip name-server 19.8.8.8
ip name-server 4.9.0.0
!
multilink bundle-name authenticated
!
!
username a
username to
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key scisc address 4.x.x.x
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
 set peer 4.x.x.x
 set transform-set ME-VPN
 match address VPN-TRAFFIC
!
archive
 log config
  logging enable
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
 ip address 192.1.1.1 255.255.255.255
!
interface Tunnel0
 no ip address
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 41.y.y.y 255.255.255.248
 ip verify unicast source reachable-via rx allow-default 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-TO-PH
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.x.x.x
ip route 192.168.1.0 255.255.255.0 FastEthernet1
!
!
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
logging facility local2
access-list 20 permit 192.168.0.111
access-list 100 remark EXCLUDE NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
access-list 101 permit udp any any eq bootpc
no cdp run
!
!
!
route-map LAT permit 1
 match ip address 100
!
!
!
!
control-plane
!
line con 0
 exec-timeout 5 0
 password
 login authentication local_auth
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 1
 password
 login authentication local_auth
 transport input telnet ssh
line vty 5 193
 privilege level 1
 password
 login authentication local_auth
 transport input telnet ssh
!
end

Anyone with an idea how to achieve this?

Thanks

Tom

8 Replies

ahmad82pkn
Level 3

Overload your private IP scheme on both the primary WAN interface and the secondary WAN interface.

When traffic moves from one link to the other link using distance (in case of failure), NAT on the secondary interface will start working.

About the VPN, create two VPNs: one with the primary link, one with the backup link.

Hi Ahmad,

Thanks for your post.

I added a backup link using these statements:

ip route 0.0.0.0 0.0.0.0 4.x.x.x
ip route 0.0.0.0 0.0.0.0 4.y.y.y 150
ip route 192.168.1.0 255.255.255.0 FastEthernet1
ip route 192.168.1.0 255.255.255.0 FastEthernet0 200

However, when I tried to change NAT to overload using the backup interface f0, I got this message:

router(config)#ip nat ins sourc route-map NAT interface f0 overload
%Dynamic mapping in use, cannot change
router(config)#

Also I discovered that if I create a new VPN for the backup link, the existing link appears to go down, because I can't ping the remote network any more.

I know that the route statements above will switch to the backup route (higher admin distance) once the main link is down, but does that mean that each time I will have to manually add NAT overload to the new interface?

Does anyone have a different approach to this?

I will appreciate it.

Thanks

Tom

Hi,

Can you post your config?

Regards.

Alain

Don't forget to rate helpful posts.


Hi Cadet,

The show run is given below:

aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3885639516
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3885639516
 revocation-check none
 rsakeypair TP-self-signed-3885639516
!
!
        quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp bootp ignore
!
!
no ip bootp server
no ip domain lookup
ip domain name mastersenergyltd.com
ip name-server 19.t.t.t
ip name-server 4.2.3.3
ip name-server 192.168.0.2
login block-for 15 attempts 5 within 5
!
multilink bundle-name authenticated
password encryption aes
!
!
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 YNNZ address 4.y.y.y
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
 set peer 4.y.y.y
 set transform-set ME-VPN
 match address VPN-TRAFFIC
!
archive
 log config
  logging enable
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
 ip address 192.100.100.1 255.255.255.255
!
interface Tunnel0
 no ip address
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description BACKUP INTERNET LINK
 ip address 4.z.z.z 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 4.d.d.d 255.255.255.0
 ip verify unicast source reachable-via rx allow-default 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-TO-PH
!
interface FastEthernet2
 switchport access vlan 100
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan100
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.2.2.1
ip route 0.0.0.0 0.0.0.0 4.1.2.4 150
ip route 192.168.1.0 255.255.255.0 FastEthernet1
ip route 192.168.1.0 255.255.255.0 FastEthernet0 200
!
!
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
logging facility local2
access-list 20 permit 192.168.0.9
access-list 100 remark EXCLUDE NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
access-list 101 permit udp any any eq bootpc
no cdp run
!
!
!
route-map LAT permit 1
 match ip address 100
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 password 7 01
 login authentication local_auth
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 10
 login authentication local_auth
 transport input telnet ssh
line vty 5 193
 privilege level 15
 password 7 01
 login authentication local_auth
 transport input telnet ssh
!
end

The public IP addresses were changed.

Thanks

Thomas

Hi,

1) Clear your NAT mappings: clear ip nat translation *

2) Remove your NAT statement: no ip nat inside source route-map LAT interface FastEthernet1 overload

3) Create your 2 route-maps:

route-map PRIMARY permit 10
 match ip address 100
 match interface FastEthernet1
route-map BACKUP permit 10
 match ip address 100
 match interface FastEthernet0

4) Create the 2 NAT statements:

ip nat inside source route-map PRIMARY interface FastEthernet1 overload
ip nat inside source route-map BACKUP interface FastEthernet0 overload

You should also configure a crypto map on the backup link with the correct settings.

Regards.

Alain.

Don't forget to rate helpful posts.


gamalielcruz
Level 1

Hi,

I think you may have to use route maps in order to have dual NAT.

The NAT configuration would look like this:

ip nat inside source route-map map1 interface FastEthernet0/0 overload

ip nat inside source route-map map2 interface FastEthernet1/0 overload

Maps 1 and 2 would contain your match statements: one to match an access-list for your private IP addresses and one to match each of your WAN interfaces.

HTH

Hi Gamalielcruz,

Thanks for your response.

I have a route-map statement:

route-map LAT permit 1
 match ip address 100

I created another one:

route-map NAT permit 1
 match ip address 100

But when I try to tie this to a NAT statement, the VPN goes down.

Or is there any other way to get this done using route-maps?

Thanks.

Tom

Have you put match interface statements in those route-maps? These would indicate which interface the particular route-map sends the route out of.
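Pulling the thread together: Ahmad's "overload on both WAN interfaces, a VPN on each link", Alain's numbered clear/remove/re-add steps, and Gamalielcruz's one-route-map-per-interface NAT are all pieces of the same configuration. Below is a complete worked version of it as an added example; it is not any poster's configuration and not Cisco documentation. It reuses the names from Tom's second show run (ACL 100, crypto map VPN-TO-PH, FastEthernet1 as primary, FastEthernet0 as backup, next hops 4.2.2.1 and 4.1.2.4) and leaves his redacted placeholders (4.y.y.y, 4.d.d.d, 4.z.z.z) as they are. Assumptions not in the thread: IOS 12.4(20)T-or-later syntax for IP SLA, object tracking and EEM (older 12.4 images use "ip sla monitor" and "track 1 rtr 1 reachability"), and that the ISP1 gateway 4.2.2.1 is an acceptable probe target. Three things the floating static routes in the thread do not give you on their own are included: the primary default route is withdrawn on a failed probe (an upstream failure with the Ethernet link still up would otherwise black-hole traffic), NAT translations still bound to the dead interface are flushed when the track flips (Tom's "%Dynamic mapping in use, cannot change" comes from editing a NAT rule while such translations exist), and Dead Peer Detection lets IKE re-negotiate from the backup address instead of waiting for the old SA to expire. The existing ISAKMP policy (hash md5, group 2) is left unchanged because the example is about failover, but both are weak by current standards.

```ios
! ==== 1. Primary-path health check (assumed target: ISP1 gateway 4.2.2.1) ====
! The probe is sourced from Fa1, so it tests the primary path only.
ip sla 1
 icmp-echo 4.2.2.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 1 life forever start-time now
! Better: probe a host beyond the ISP, pinned to the primary with a host route
! (placeholder <probe-host>, not from the thread):
!   ip route <probe-host> 255.255.255.255 4.2.2.1
!   icmp-echo <probe-host> source-interface FastEthernet1
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! ==== 2. Routes: primary is withdrawn when track 1 is down, backup floats ====
no ip route 0.0.0.0 0.0.0.0 4.2.2.1
ip route 0.0.0.0 0.0.0.0 4.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 4.1.2.4 150
! Remote VPN LAN follows the same failover; interface-only routes are
! replaced by next-hop routes so the primary one can be tracked.
no ip route 192.168.1.0 255.255.255.0 FastEthernet1
no ip route 192.168.1.0 255.255.255.0 FastEthernet0 200
ip route 192.168.1.0 255.255.255.0 4.2.2.1 track 1
ip route 192.168.1.0 255.255.255.0 4.1.2.4 200
!
! ==== 3. NAT: one route-map per outside interface ====
! ACL 100 (deny 192.168.0.0/24 -> 192.168.1.0/24, permit the rest) keeps the
! VPN traffic un-NATed on both paths. IOS refuses to change a NAT rule while
! translations reference it, so flush first (exec mode, not config):
!   clear ip nat translation *
no ip nat inside source route-map LAT interface FastEthernet1 overload
!
route-map NAT-PRIMARY permit 10
 match ip address 100
 match interface FastEthernet1
route-map NAT-BACKUP permit 10
 match ip address 100
 match interface FastEthernet0
!
ip nat inside source route-map NAT-PRIMARY interface FastEthernet1 overload
ip nat inside source route-map NAT-BACKUP interface FastEthernet0 overload
!
! Flush translations still bound to the failed interface whenever the track flips.
event manager applet FAILOVER-CLEAR-NAT
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state: NAT translations cleared"
!
! ==== 4. IPsec: same crypto map on both outside interfaces, plus DPD ====
! DPD tears down the IKE SA built from 4.d.d.d when the primary dies so that
! IKE re-negotiates from 4.z.z.z; without it the tunnel stays black-holed
! until the SA lifetime expires.
crypto isakmp keepalive 10 3 periodic
!
interface FastEthernet0
 crypto map VPN-TO-PH
! (FastEthernet1 already carries crypto map VPN-TO-PH)
!
! The remote peer 4.y.y.y must trust BOTH of this router's public addresses.
! On an IOS peer that means (assumed, the peer's config is not in the thread):
!   crypto isakmp key 6 <shared-key> address 4.d.d.d
!   crypto isakmp key 6 <shared-key> address 4.z.z.z
!   crypto map <name> 10 ipsec-isakmp
!    set peer 4.d.d.d
!    set peer 4.z.z.z
!
! ==== 5. Checks: run once after configuring, again with the primary cable pulled ====
! show track 1                     -> Reachability is Up / Down, last change time
! show ip route 0.0.0.0            -> which default route is installed right now
! show ip nat translations         -> outside global must be the active WAN address
! show crypto isakmp sa            -> one SA, src = address of the active WAN interface
! show crypto ipsec sa | include pkts -> encaps/decaps counters increasing on the new path
```

The "match interface" line in each route-map is what makes this work: the route-map is evaluated against the egress interface the routing table has already chosen, so when the tracked default route disappears and traffic moves to FastEthernet0 the NAT-BACKUP rule starts matching by itself, and no NAT statement has to be edited by hand. Test the failback as carefully as the failover: the "delay up 30" keeps a flapping primary from dragging the VPN and the NAT table back and forth every few seconds.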
