Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
0
Helpful
5
Replies

Dual NAT failover not working

jopetik09
Level 1
Level 1

‎03-25-2011 12:30 AM - edited ‎03-04-2019 11:52 AM

Hi All,

Below is the config has done on my 881g but the dual NAT failover is not working.
I have a easy vpn over NAT (easy vpn firewall: 10.10.10.2 behind the router).

Tested like below....
1. After completed the config, I shut down the FastEthernet4, cleared the nat translations, found that nat translations are happening on to Cellular0 with error ( Incomplete ESP translations:

0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0)

But still the easy vpn is not up as I am not able to ping the remote devices.
2. If I reboot the router then the nat translations are happening with no above error and easy vpn is up and I am able to ping the remote servers.

Can someone please see the below config and suggest me what needs to be done to achive the NAT failover and easy VPN up.

interface FastEthernet4
bandwidth 2048
ip address 206.206.206.2 255.255.255.240
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer string gsm
dialer-group 1
async mode interactive
ppp chap hostname *************
ppp chap password ************ 
ppp ipcp dns request

ip route 0.0.0.0 0.0.0.0 206.206.206.4
ip route 0.0.0.0 0.0.0.0 Cellular0 10

ip nat inside source route-map nat2dsl interface FastEthernet4 overload
ip nat inside source route-map nat2cell interface Cellular0 overload


ip nat inside source static 10.10.10.2 206.206.206.3 route-map isp1static
ip nat inside source static 10.10.10.2 206.206.206.3 route-map isp2static

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

route-map isp1static permit 10
match interface FastEthernet4

route-map isp2static permit 10
match interface Cellular0

route-map nat2dsl permit 10
match ip address 101
match interface FastEthernet4

route-map nat2cell permit 10
match ip address 101
match interface Cellular0

Please see the below nat translations for your reference...

RTR#sh ip nat tra
tcp 10.166.159.196:57877 10.10.10.2:57877 62.181.139.204:443 62.181.139.204:44
3
tcp 10.166.159.196:57878 10.10.10.2:57878 62.181.139.204:443 62.181.139.204:44
3
tcp 10.166.159.196:57879 10.10.10.2:57879 62.181.139.204:443 62.181.139.204:44
3
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.166.159.196:57880 10.10.10.2:57880 62.181.139.204:443 62.181.139.204:44
3
esp 10.166.159.196:0   10.10.10.2:AB411082 195.169.210.9:0 195.169.210.9:0
--- 206.206.206.3       10.10.10.2       ---                ---

Incomplete ESP translations:
0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0


RTR#sh ip nat tra
Pro Inside global      Inside local       Outside local      Outside global
esp 206.206.206.3:0     10.10.10.2:0     195.169.210.9:0    195.169.210.9:48D54
82B
udp 206.206.206.3:161   10.10.10.2:161   196.108.184.9:17363 196.108.184.9:1736
3
udp 206.206.206.3:500   10.10.10.2:500   195.169.210.9:500  195.169.210.9:500
icmp 206.206.206.3:523  10.10.10.2:523   196.108.184.9:523  196.108.184.9:523
esp 206.206.206.3:0     10.10.10.2:19285A41 195.169.210.9:0 195.169.210.9:0
--- 206.206.206.3       10.10.10.2       ---   


Thanks in advance.

Jopeti.

Labels:
0 Helpful
5 Replies 5

mrdogantr
Level 1
Level 1

‎03-25-2011 01:13 AM

Hi, you can try ip sla config.

ip sla 10

icmp-echo 8.8.8.8

timeout 1000

frequency 3

ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

ip route 8.8.8.8 255.255.255.255 interface FastEthernet4

ip route 0.0.0.0 0.0.0.0 interface FastEthernet4 track 10

ip route 0.0.0.0 0.0.0.0 interface Cellular0 20

hth

Muammer

0 Helpful

jopetik09
Level 1
Level 1
In response to mrdogantr

‎03-25-2011 01:27 AM

Hi,

I have already configured the IP SAL like below but still NAT failover is not working.


ip sla 1
icmp-echo 206.206.206.2 source-interface FastEthernet4
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now

ip route 0.0.0.0 0.0.0.0 206.206.206.2 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 250
ip route 4.4.4.4 255.255.255.255 Cellular0


Need more suggestions.

Jopeti.

0 Helpful

mrdogantr
Level 1
Level 1
In response to jopetik09

‎03-25-2011 03:21 AM

Can you change lines below.

icmp-echo 8.8.8.8 source-interface FastEthernet4

ip route 8.8.8.8 255.255.255.255 interface FastEthernet4

hth

Muammer

0 Helpful

jopetik09
Level 1
Level 1
In response to mrdogantr

‎03-25-2011 03:47 AM

Hi,

**********************************************
Can you change lines below.

icmp-echo 8.8.8.8 source-interface FastEthernet4
ip route 8.8.8.8 255.255.255.255 interface FastEthernet4
**********************************************

Which part you want me to change?
You want me to remove below and add what you suggest? The below is the default route which I can not change with different...

icmp-echo 206.206.206.2 source-interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 206.206.206.2 track 1

OR you just want me to replace icmp-echo 206.206.206.2 source-interface FastEthernet4 with ip route 8.8.8.8 255.255.255.255 interface FastEthernet4?


Jopeti.

0 Helpful

jopetik09
Level 1
Level 1
In response to jopetik09

‎03-28-2011 03:46 AM

Hi Guru's

Can someone help me here.

Jopeti.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card