04-01-2012 11:02 PM - edited 03-04-2019 03:52 PM
I have an 1811 with 2 WAN connections, Fiber and ADSL (both Ethernet). I'm having a heck of a time getting traffic out the ADSL link.
As it stands, I can ping the next hop 75.158.58.1, but no further. A ping sourced from FastEthernet1 to any external address times out, and I cannot NAT internal subnets out the interface either.
I'm really at a loss as to why, especially since I can ping the next hop. Hoping someone can see something.
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR1
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.151-4.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 51200 warnings
!
!
!
aaa authentication login NetworkAdmins group radius local
aaa authorization console
!
!
!
!
!
aaa session-id common
!
clock timezone MST -7 0
crypto pki token default removal timeout 0
!
!
dot11 syslog
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name internal.com
ip name-server 10.1.10.1
ip name-server 10.1.10.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn FHK134173NW
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
track timer interface 5
!
track 1 ip sla 1 reachability
delay down 15 up 10
!
track 2 ip sla 2 reachability
delay down 15 up 10
!
!
interface FastEthernet0
description Fiber
bandwidth 10000
ip address 209.**.**.130 255.255.255.240
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in max-reassemblies 32
ip verify unicast reverse-path
speed 10
full-duplex
no cdp enable
!
interface FastEthernet1
description ADSL
ip address dhcp
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
description Inside
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface FastEthernet9
no ip address
shutdown
!
interface Vlan1
description Inside
ip address 10.254.254.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool pri-default-pool 209.**.**.130 209.**.**.130 netmask 255.255.255.240
ip nat pool pri-servers-pool 209.**.**.131 209.**.**.131 netmask 255.255.255.240
ip nat inside source route-map nat-pri-default pool pri-default-pool overload
ip nat inside source route-map nat-pri-servers pool pri-servers-pool overload
ip nat inside source route-map nat-sec-test interface FastEthernet1 overload
ip route 0.0.0.0 0.0.0.0 209.**.**.129 200 track 1
ip route 0.0.0.0 0.0.0.0 75.**.**.1 250 track 2
ip route 10.1.0.0 255.255.224.0 10.254.254.1
ip route 10.251.251.0 255.255.255.248 10.254.254.1
ip route 10.252.252.0 255.255.255.248 10.254.254.1
!
ip access-list extended nat-default
permit ip 10.1.5.0 0.0.0.255 any
permit ip 10.1.6.0 0.0.0.255 any
permit ip 10.1.7.0 0.0.0.255 any
permit ip 10.1.12.0 0.0.0.255 any
permit ip 10.1.13.0 0.0.0.255 any
permit ip 10.1.9.0 0.0.0.255 any
permit ip 10.252.252.0 0.0.0.7 any
permit ip 10.251.251.0 0.0.0.7 any
permit ip 10.1.8.0 0.0.0.255 any
permit ip 10.1.14.0 0.0.0.255 any
ip access-list extended nat-sec-test
permit ip host 10.1.10.1 any
ip access-list extended nat-servers
permit ip 10.1.10.0 0.0.0.255 any
permit ip 10.1.11.0 0.0.0.255 any
ip access-list extended vty-access
permit tcp 10.1.10.0 0.0.0.255 any eq 22 log
permit tcp 10.1.5.0 0.0.0.255 any eq 22 log
!
ip sla 1
icmp-echo 209.**.**.129 source-interface FastEthernet0
threshold 10
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 75.**.**.1 source-interface FastEthernet1
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
logging esm config
no cdp run
!
!
!
!
route-map nat-sec-test permit 10
match ip address nat-sec-test
set ip next-hop verify-availability 75.**.**.1 10 track 2
set ip next-hop verify-availability 209.**.**.129 20 track 1
!
route-map nat-pri-servers permit 10
match ip address nat-servers
match interface FastEthernet0
!
route-map nat-pri-default permit 10
match ip address nat-default
match interface FastEthernet0
!
!
radius-server host 10.1.10.1 auth-port 1812 acct-port 1813 key 7 ****************
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 30 0
logging synchronous
transport output telnet ssh
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 30 0
transport output telnet ssh
line vty 0 4
access-class vty-access in
exec-timeout 60 0
privilege level 15
logging synchronous
login authentication NetworkAdmins
transport input ssh
line vty 5 15
access-class vty-access in
exec-timeout 60 0
privilege level 15
logging synchronous
login authentication NetworkAdmins
transport input ssh
!
scheduler interval 500
ntp server 10.1.10.1 version 3
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
RTR1#sh ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: 05:32:56 MST Mon Apr 2 2012
Latest operation return code: OK
Number of successes: 815
Number of failures: 1
Operation time to live: Forever
IPSLA operation id: 2
Latest RTT: 32 milliseconds
Latest operation start time: 05:32:57 MST Mon Apr 2 2012
Latest operation return code: OK
Number of successes: 497
Number of failures: 0
Operation time to live: Forever
04-02-2012 04:10 AM
I believe that there are a couple of issues in what you are trying to do. First the route map you are using to do the address translation for the ADSL link is coded like it is doing Policy Based Routing by setting the next hop. To control address translation it should have a match for the access list and a match for the interface (as you do in translation for the other interface) and no set statements.
Also the logic in the route map is flawed in that it has two set statements for next hop. It would execute the first set statement to make the next hop 75 and then would execute the second set statement resulting in the next hop being 209. If your intent is to provide an alternative next hop if one is not working then both addresses need to appear on a single set statement.
HTH
Rick
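One way to restructure the configuration along the lines Rick describes, written here as an added example rather than anything posted in the thread: the NAT route-map for the ADSL path keeps a match on the access list and gains a match on the outgoing interface, with no set statements, and any next-hop selection moves into a separate route-map that is applied as policy routing on the inside interface, with both candidate next hops on a single set statement. The route-map name pbr-sec-test and the choice of Vlan1 as the policy interface are assumptions; the addresses are the masked ones from the posted config.

```cisco
! NAT control only: decides which inside hosts are translated when
! their traffic leaves FastEthernet1. No set statements here.
ip access-list extended nat-sec-test
 permit ip host 10.1.10.1 any
!
route-map nat-sec-test permit 10
 match ip address nat-sec-test
 match interface FastEthernet1
!
ip nat inside source route-map nat-sec-test interface FastEthernet1 overload
!
! Path selection lives in its own route-map (name is an assumption) and is
! applied with "ip policy" on the inside interface. Both next hops sit on one
! set statement; the router uses the first one it considers reachable.
route-map pbr-sec-test permit 10
 match ip address nat-sec-test
 set ip next-hop 75.**.**.1 209.**.**.129
!
interface Vlan1
 ip policy route-map pbr-sec-test
```

After applying it, `show route-map` confirms which sequence is matching and `show ip nat translations` shows whether entries are being built against the FastEthernet1 address. One caveat worth keeping in mind: a route-map applied with `ip policy` on Vlan1 affects transit traffic only. Packets the router itself generates, such as a ping sourced from FastEthernet1, are not policy routed by it (that would need `ip local policy route-map`) and instead follow the global routing table, so the default route currently preferred there decides which WAN link they leave on, regardless of the source address chosen for the ping.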
04-02-2012 07:31 AM
Thanks. I will change the route-map and report back, but even so, wouldn't that only explain devices behind the router? Why does ping 8.8.8.8 source FA1 not work? I shouldn't need any route-maps, ACLs, etc. to ping out a directly connected interface, should I?