
Dual ISP Failover in Cisco 2901 Router

ekbasheer786
Level 1

Hi Guys..

I would like to configure ISP failover on a Cisco 2901 router. We are using ADSL as the primary WAN and a 4G modem as the backup WAN. The 4G modem is connected to the Gig 0/1 port. I tried NAT failover with a route-map and IP SLA, but it is not working. I have found so many examples on the internet regarding this, but no one is using ADSL. Is it possible to do failover with ADSL and a 4G modem as WAN connections?

 


Hello,

 

NAT failover with route maps and IP SLA should work, you might have missed something. Post the current running configuration of your router...

 

 

!
!
!
interface GigabitEthernet0/0/0
description ***LAN INTERFACE****
ip address 192.168.9.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
ip nat outside
negotiation auto
!
interface Service-Engine0/1/0
!
interface ATM0/2/0
no ip address
no atm enable-ilmi-trap
!
interface ATM0/2/0.1 point-to-point
no atm enable-ilmi-trap
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/2/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
description **** External Network ******
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password ******
ppp pap sent-username ****** password 0 *******
no cdp enable
crypto map CISCO
ip virtual-reassembly



ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 overload


ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
!
!


access-list 120 deny ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.9.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!


route-map ISP1 permit 10
match ip address 120
match interface Dialer1
route-map ISP2 permit 10
match ip address 120
match interface GigabitEthernet0/0/1

 


ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
timeout 1000
threshold 2
frequency 3

ip sla schedule 1 life forever start-time now
!

 

 

Hello,

 

Looking at your output, I assume that the ADSL modem is doing the NAT? You won't need double NAT in GigabitEthernet0/0/1 then.

 

Also, is this the full config? There is a crypto map on the dialer, as well as a split tunnel access list - do you have a VPN configured as well?

This is not the full config. The crypto map is configured on the ADSL interface. We are using a site-to-site VPN service, and it is working fine. But how can I remove double NAT as you suggested? Can you explain? The ADSL line is patched directly into the ADSL port of the Cisco router; we are not using any ADSL modem as of now. We are not able to get internet through the 4G modem without NAT. So please 

Hello,

 

the reason your backup is not working is because you are using the same access list for the 4G NAT as for your ADSL. I have made some changes to your config (marked in bold), see if you get Internet connectivity to work with this when you shut the ADSL down.

Keep in mind that your VPN will fail through the backup, since you don't have anything configured on the 4G interface (GigabitEthernet0/0/1). Do you require the VPN to fail over as well?

 

interface GigabitEthernet0/0/0
description ***LAN INTERFACE****
ip address 192.168.9.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
ip nat outside
negotiation auto
!
interface Service-Engine0/1/0
!
interface ATM0/2/0
no ip address
no atm enable-ilmi-trap
!
interface ATM0/2/0.1 point-to-point
no atm enable-ilmi-trap
pvc 0/35
pppoe-client dial-pool-number 1
!
interface Ethernet0/2/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
description **** External Network ******
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password ******
ppp pap sent-username ****** password 0 *******
no cdp enable
crypto map CISCO
ip virtual-reassembly
!
ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.9.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
route-map ISP1 permit 10
match ip address 120
match interface Dialer1

!
route-map ISP2 permit 10
match ip address 1
match interface GigabitEthernet0/0/1
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
timeout 1000
threshold 2
frequency 3
!
ip sla schedule 1 life forever start-time now
!

VPN is not required through the backup 4G; we are looking only for an internet failover solution (not VPN failover). We are not able to get internet through the 4G modem without NAT on the GigabitEthernet0/0/1 interface and with the Dialer interface shut down. Maybe because of double NAT, as you said before. Anyway, we will try creating another access-list as you suggested. Thank you.

Hello,

 

OK, give it a try. It is also a good idea to configure an EEM script that clears the NAT translations in case of a failover. Use the script below:

 

event manager applet CLEAR_NAT
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
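
Added example, not part of the thread or written by any of its participants: the configurations posted above reference `track 1` in the primary default route and in the EEM applet, but the lines defining that track object are not shown (the poster says the config is partial). One way to complete the tracking side, using the probe target 8.8.8.8 and the 4G next hop 192.168.1.1 from the thread; the delay timers and the pinned host route are assumptions added here.

```cisco
! Added example (not from the thread): the tracking pieces that the
! posted "ip route ... track 1" and "event track 1" lines depend on.
!
! Probe through the ADSL/PPPoE link every 3 s with a 1 s timeout
! (probe target and timers as posted in the thread).
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer1
 threshold 2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of IP SLA 1.
! Assumption: delay timers (seconds) damp flapping; tune or omit.
track 1 ip sla 1 reachability
 delay up 30 down 10
!
! Assumption: pin the probe target to the primary link so the probe
! cannot succeed through the 4G path while ADSL is still broken.
! Side effect: while Dialer1 is up but its upstream is down, LAN
! hosts cannot reach 8.8.8.8 either.
ip route 8.8.8.8 255.255.255.255 Dialer1
!
! The primary default is withdrawn when track 1 goes down; the
! floating static (administrative distance 10) then takes over.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
!
! Verification after taking the ADSL side down:
!   show ip sla statistics 1     latest operation return code
!   show track 1                 reachability state and last change
!   show ip route 0.0.0.0        which default route is installed
!   show ip nat translations     entries use the expected outside interface
```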

 

 
