I have implemented my scenario following a helpful link from a guy in the forum (https://supportforums.cisco.com/docs/DOC-8313).
What I actually want to implement is the below:
I want my users to access the internet (80, 443, and some ports of Office 365 Exchange Online which I have opened) from provider A, and only for the traffic I already mentioned.
Provider B should take over for the above-mentioned traffic only when provider A is down; otherwise provider B should be translating anything else (ICMP, telnet, etc.).
If either provider is down, the other should be responsible for all traffic.
The problem begins when I have both interfaces up: NAT translations for the web come from both ISPs, one packet is translated from provider A, the other from provider B. So the page takes too long to open.
See below my configuration and let me know if I have to change something, either in the PBR logic or in my access-lists that are connected to the PBR, to correct this issue.
I do not have a full understanding of your issues, but I do have some suggestions to make. After you try them, if there are still problems, please update with a description of the issues.
You are using the correct approach to NAT with two interfaces: use a route map. But the route map is referring to access list NATacl-NEW and I cannot find that access list in the configuration.
Your description of what you want to achieve says that ISP B should be primary for most traffic and ISP A should carry all traffic if B is not working. The way to achieve that is to have a static default route pointing to ISP B and a floating static default route pointing to ISP A. What is in the configuration is two static default routes. This results in the router attempting to load share using both connections and traffic going through A that you would prefer to use B.
I believe that there are a couple of things in your PBR that should change.
- I do not understand what you are trying to do with
route-map PBR permit 30
It looks to me like the result is to send all traffic through ISP A. I wonder if your intent was for this to provide the failover if B is not working. But that is not what it is doing.
- Several of the access lists use a mask for /16, such as this:
permit tcp 192.168.0.0 0.0.255.255
But the LAN in the configuration has ip address 192.168.100.x 255.255.255.240. I am puzzled why the access list mask is so much more inclusive. Are there other 192.168 addresses in your network? If so, how do they connect, because I do not see anything in your config that would communicate with them?
NATacl-NEW is indeed in the configuration, I forgot to copy-paste it. See below the config:
ip access-list extended NATacl-NEW
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 192.168.7.247 any
permit ip host 192.168.7.248 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.15 any
permit ip 192.168.102.0 0.0.0.15 any
permit ip host 192.168.101.3 any
permit ip host 192.168.101.4 any
permit ip host 192.168.20.1 any
Provider A (provider's name PRIMETEL, you can see it in the route map), speed 24 Mbps
Provider B (provider's name CYTA, also in the route map), speed 8 Mbps
Provider A should act as the primary ISP and do NAT translation for 80, 443, and all ports that Office 365 is using (since we are accessing Office 365 through Outlook). Nothing more, nothing less.
Provider B should act as the secondary ISP and do NAT translation for all traffic except 80, 443 and the Office 365 ports.
In case provider A goes down, provider B will translate everything, including 80, 443 and the Office 365 ports.
In case provider B goes down, provider A will translate everything.
I use a /16 subnet since I have a lot of subnets, as you can see in the NATacl-NEW access list, and I don't want to define each one separately.
If I didn't make things clear yet, please see the link https://supportforums.cisco.com/docs/DOC-8313. This is what I want to achieve. In that example, in the route-map PBR section, match ip address 100 is in my example NATacl-NEW, and for route-map PBR permit 30, match ip address 101 is the ALLOW-EVERYWHEREACCESS access-list.
I need both default static routes to be in the routing table at the same time, since ISP A is for web browsing and ISP B is for anything else. If I use a floating static default route for ISP B, I will lose it from the routing table, am I right? And this is not the desirable action.
Please correct me if i am wrong somewhere.
Thanks a lot
Thank you for the additional information.
I am glad to know that the access list used for NAT does exist. I can only comment based on what you share with us in the config, and the ACL not being there looked like a significant problem (and I have seen situations where the ACL missing was indeed the cause of the problem). I do have a suggestion about the ACL. I suggest that you re-write the ACL and make it a standard access list rather than an extended access list. There is not anything that you are checking for that needs the capabilities of an extended access list, and I have seen a few situations where it did make a difference whether NAT was using standard or extended access lists (especially when the destination is always permit any).
I must have misread the route map. When I wrote my first response it looked to me like both statements were setting the next hop to the same gateway public IP. Looking at it now I see the two. But I do think that there is a better way to accomplish your objective and not need route-map PBR permit 30. If you take my suggestion to have one normal static default route and one floating static default route, then most traffic will go through CYTA. Traffic identified in route-map PBR permit 10 will go through PRIMETEL. If PRIMETEL is not working, then the route map will not redirect and your web etc. traffic will follow the default and go through CYTA. And if CYTA has a problem, then the floating static route comes into the routing table and all traffic goes through PRIMETEL.
Just wanted to say congratulations on 12 years at Netcraftsmen. It is obviously a great place to work considering how long you have been there.
Isn't a floating default route inserted in the routing table only if the default static route is down?
Will the routes be like the below?
ip route 0.0.0.0 0.0.0.0 public ip
ip route 0.0.0.0 0.0.0.0 public ip 2 10
Will I, with the way you suggest, be able to NAT translate from both ISPs?
I am a bit confused :)
Will it be possible to make the required changes on my config and paste it back?
Here is basically what I suggest.
In looking more closely I find a mismatch that should be fixed. In the track commands:
set ip next-hop verify-availability [gateway public ip ] 1 track 10
So you should change either the track commands or the set commands so that the numbers agree.
Then I would suggest this (CYTA carries the normal default, tracked; PRIMETEL is the floating default, so it needs a higher administrative distance, here 10):
ip route 0.0.0.0 0.0.0.0 CYTA track 20
ip route 0.0.0.0 0.0.0.0 PRIMETEL 10
Then I would suggest:
no route-map PBR permit 30
Then I would suggest:
no ip access-list extended NATacl-NEW
ip access-list standard NATacl-NEW
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit host 192.168.7.247
 permit host 192.168.7.248
 permit 192.168.10.0 0.0.0.255
 permit 192.168.100.0 0.0.0.15
 permit 192.168.102.0 0.0.0.15
 permit host 192.168.101.3
 permit host 192.168.101.4
 permit host 192.168.20.1
I also notice that you are using the same named access list on both of the ISP interfaces. It seems to me that it would be better if each ISP interface had its own unique access list rather than CBAC-OUT-NEW on both of them.
In reading my response I realize that I did not address this part of your question:
Will I, with the way you suggest, be able to NAT translate from both ISPs?
So let me address that here. Yes, you would be able to NAT translate from both ISPs. Doing the translation only depends on identifying packets as they go out the interface and determining whether they qualify for translation. It does not matter whether the packet got to the interface by static route, by PBR, or by whatever. It only matters that a packet is going out the PRIMETEL interface or the CYTA interface and that it matches the route map statements.
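As an added example that is not part of any post in this thread, here is the design Richard describes written out end to end, so the tracking, routing, PBR and NAT pieces can be checked against each other. Interface names, the inside interface, and the next-hop addresses (taken from the RFC 5737 documentation ranges) are assumptions; track 10/20, the PBR route-map and the NATacl-NEW name follow the thread, and the Office 365 ports are left as a remark because the original posts do not list them.

```cisco
! Added example, not the poster's configuration.
! Assumed: FastEthernet0/0 = PRIMETEL (ISP A), next hop 203.0.113.1
!          FastEthernet0/1 = CYTA (ISP B),     next hop 198.51.100.1
!          Vlan1           = LAN 192.168.100.0/28 (inside)
!
! --- Reachability probes, one per ISP, sourced from that ISP's interface ---
ip sla 10
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 20 life forever start-time now
! Dampen flapping: down after 15 s of loss, up only after 30 s of success
track 10 ip sla 10 reachability
 delay down 15 up 30
track 20 ip sla 20 reachability
 delay down 15 up 30
!
! --- Routing: CYTA is the normal default (withdrawn when track 20 is down);
!     PRIMETEL is the floating default (AD 10) and only appears when the CYTA
!     route is gone. Two AD-1 defaults would load-share per flow, which is the
!     "one packet via A, the next via B" symptom in the first post. ---
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 20
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
!
! --- PBR: only web/Office 365 traffic is steered to PRIMETEL, and only while
!     track 10 is up. If the track is down the set is skipped and the packet
!     is routed normally, i.e. via the CYTA default. The leading deny keeps
!     inter-VLAN traffic out of the policy. ---
ip access-list extended WEB-VIA-PRIMETEL
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit tcp 192.168.0.0 0.0.255.255 any eq 80
 permit tcp 192.168.0.0 0.0.255.255 any eq 443
 remark add the Office 365 ports you opened here, same form as above
route-map PBR permit 10
 match ip address WEB-VIA-PRIMETEL
 set ip next-hop verify-availability 203.0.113.1 1 track 10
! There is deliberately no "route-map PBR permit 30": everything that does not
! match sequence 10 falls through to the routing table.
!
! --- NAT: one rule per ISP interface. "match interface" picks the public
!     address of whichever interface the packet actually leaves by, whether it
!     got there through PBR or through the default route. ---
ip access-list standard NATacl-NEW
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit host 192.168.7.247
 permit host 192.168.7.248
 permit 192.168.10.0 0.0.0.255
 permit 192.168.100.0 0.0.0.15
 permit 192.168.102.0 0.0.0.15
 permit host 192.168.101.3
 permit host 192.168.101.4
 permit host 192.168.20.1
route-map NAT-PRIMETEL permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/0
route-map NAT-CYTA permit 10
 match ip address NATacl-NEW
 match interface FastEthernet0/1
ip nat inside source route-map NAT-PRIMETEL interface FastEthernet0/0 overload
ip nat inside source route-map NAT-CYTA interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description PRIMETEL (ISP A)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 description CYTA (ISP B)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface Vlan1
 description LAN (assumed inside interface)
 ip address 192.168.100.1 255.255.255.240
 ip nat inside
 ip policy route-map PBR
```

To confirm the behaviour, watch `show track`, `show ip route 0.0.0.0` and `show route-map PBR` while unplugging each ISP in turn, and `show ip nat translations` to see which public address a given inside host is being translated to. Two caveats: probing the ISP's next hop only detects a dead link or first-hop router, not an upstream outage, so many deployments probe an address beyond the ISP instead (which then needs a host route out the right interface so the probe does not follow the default); and existing translations are not rebuilt on failover, which is the point the later replies in this thread raise.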
Thank you very much for your prompt response!
I will follow your suggestion tomorrow morning (time here is 21:00 :) ) and will let you know!
Thanks a lot Richard, it worked!
I have one more question. I've upgraded the IOS to the latest one for my router (15.1(3)T) and when I do a "show version" I see the below:
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Why does my ROM still refer to version 12.4(13r)T, which was my old IOS?
I am glad to know that you implemented what I suggested and that it worked.
To answer your question we need to be clear about the difference between the ROM bootstrap code and the IOS image. When the router first boots it loads and runs the ROM monitor code, which runs diagnostics and loads the IOS image. The IOS image is the code that runs the router after it is in the up and stable condition. So you have two different code files that run at different times and do different things. It is common for the ROM code to be different from (and earlier than) the IOS code. We frequently do upgrades to the IOS code without changing the ROM code. Sometimes in doing an IOS upgrade there will be a suggestion to also upgrade the ROM code, but most of the time the new IOS will be fine with the old ROM code.
For my case, what do you suggest I do?
Will I face any weird issues if I don't upgrade it?
What is the procedure for upgrading ROMMON?
I have looked through the Release Notes for 15.1 for the 2800 router. They do not seem to suggest an upgrade for the ROM monitor. So my suggestion is that you not do anything other than the normal upgrade of the IOS image. I do not expect you to experience any weird issues if you do not upgrade it.
Failover will not be smooth. You need to clear the NAT table. Otherwise existing sessions will retain the WAN IP of the original connection.
You can use an Event Manager applet to trigger on the IP SLA and clear the NAT table any time a link fails. The only issue is that all sessions then get reset, but that's better than waiting for the normal session timeout, which is often minutes.
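An added example of the applet the last reply describes, not taken from the thread: it fires on a state change of either ISP track (track 10 for PRIMETEL and track 20 for CYTA, as used in this thread, are assumed to already exist) and flushes the translation table so that stale sessions bound to the dead ISP's public address are torn down at once. The applet name and the log message text are my own.

```cisco
! Added example, not the poster's configuration.
! Assumes track 10 (PRIMETEL) and track 20 (CYTA) are already defined.
! "state any" covers both directions: when a link comes back, web traffic
! moves back to PRIMETEL via PBR, and its old CYTA translations are just as
! stale as the ones left behind when it failed.
event manager applet NAT-FLUSH-ON-ISP-CHANGE
 event tag T10 track 10 state any
 event tag T20 track 20 state any
 trigger
  correlate event T10 or event T20
 action 1.0 syslog msg "Track $_track_number changed to $_track_state, clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

`clear ip nat translation *` drops every translation, including sessions on the ISP that stayed up, so users see a brief reset of all connections rather than a hang of several minutes on the failed ones. If the router uses AAA authorization, give the applet a user with privilege to run the clear (`event manager session cli username <name>`), and use `show event manager history events` plus `debug event manager action cli` to confirm it ran when a track flips.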