Re: Failover WAN and port-forward on 887

l.mourikis · ‎04-13-2019

Hello,

I need some help on the following scenario. Cisco router with one VLAN for local network and two DSL WAN connections with static IP addresses. So, let's call them LAN, WAN1 and WAN2.

I need to route all outgoing traffic from LAN to Internet via WAN2. Also, I have a web server that I need to respond to TCP port 80 on both WAN1 and WAN2.

When WAN2 experience issues, I want the outgoing traffic to be routed via WAN1.

First, is this possible? And if so, can someone give a working example? If more information is needed, please let me know.

Regards

balaji.bandi · ‎04-13-2019

here is the Example for Sending Traffic to outside using One WAN Links, if that hve issue it failover automatically.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200785-ISP-Failover-with-default-routes-using-I.html

Incoming is bit Tricky you want to port 80 to be routed to WAN 1 and WAN2 and it will be Natted internal IP address.

If you have Static IP is this possible, But question like above, if one of WAN Link fails the port 80 traffic is blackholed.

in the same context, you have mapped DNS Entry with this IP address ? so you have A records in DNS for Both IP's

Can be done in Dynamic way to check outside with script keep track availability, change the DNS records.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

l.mourikis · ‎04-13-2019

Thank you very much!

OK, I have successfully created the fail-over part and I think it works as expected. I have used route-map, sla track, route metrics, etc as in the guide you suggested. So far, so good.

The problem seems to be with the port forwarding. When both WAN interfaces are up, some requests from outside to the web server do not get an answer. It seems that the router cannot figure out the WAN interface from which the traffic came from. So, the server's reply some times is routed from WAN1 and sometimes from WAN2, no matter the originated WAN interface. I hope I am getting it right. If so, is there a configuration that can achieve the desired functionality?

Changing the DNS records, at least at this stage, does not seem a viable solution. I would like to first investigate a routing solution to the problem.

Regards

balaji.bandi · ‎04-13-2019

Glad outgoing working as expected, but incoming as i have mentioned it bit tricky to deploy that kind of setup.

Need to be mechanism in place for inspecting the traffic to send out where it is orginating from.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

l.mourikis · ‎04-13-2019

Could you please provide some more information on the mechanism you are referring to? Do you have any links or sample configuration?

balaji.bandi · ‎04-13-2019

I have not used this solution or tested, May be this works Technically.

If you can able to bind 2 IP address to Web Server the solution can be achieve as suggested below :

You need two IP-adresses on your server and route-maps to control the return-traffic:

interface Gig0/0

ip policy route-map Gig0/0-IN

You need two NAT-statements for the two IPs on the server:

ip nat inside source static tcp 10.10.10.101 8080 interface Gig0/1 8080

ip nat inside source static tcp 10.10.10.102 8080 interface Gig0/2 8080

With the help of PBR you force the return-traffic to the right link:

ip access-list extended TRAFFIC-FROM-10.10.10.101

permit tcp host 10.10.10.101 eq 8080 any

ip access-list extended TRAFFIC-FROM-10.10.10.102

permit tcp host 10.10.10.102 eq 8080 any

!

route-map Gig0/0-IN permit 10

match ip address TRAFFIC-FROM-10.10.10.101

set interface Gig0/1

!

route-map Gig0/0-IN permit 20

match ip address TRAFFIC-FROM-10.10.10.102

set interface Gig0/2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

l.mourikis · ‎04-13-2019

You just blew my mind! Yes, I also believe that this will work. I will try it in the next days and let you know if this worked.

But even if it won't, your suggestion remains brilliant!

Thank you very much!!

balaji.bandi · ‎04-13-2019

May be get change will test in lab. keep us posted outcome.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Jaderson Pessoa · ‎04-13-2019

@l.mourikis hello,

I suggest you to use IP SLA, check the exemples below;

track 1 ip sla 1 reachability

delay down 30 up 30

ip sla 1
icmp-echo 8.8.8.8 (ip of google's dns) source-interface GigabitEthernet0/0/1
verify-data
threshold 100
timeout 100
frequency 30
ip sla schedule 1 life forever start-time now

ip route 0.0.0.0 0.0.0.0 201.10.10.X name WAN1 track 1
ip route 0.0.0.0 0.0.0.0 101.10.10.X 20 (distance administrative) name WAN2

The exemple above will redirect traffic from wan1 to wan2 if having experience issue with google's DNS on the internet and when the wan1 has issue solved automatically will be master for internet route.

Jaderson Pessoa
*** Rate All Helpful Responses ***

l.mourikis · ‎04-13-2019

Dear Pessoa,

What you suggest is indeed a correct configuration for outgoing traffic. Thank you! However, I have resolved this issue. The big problem to me is the port forwarding. Please see my previous messages on the thread, where I describe the issue.

Regards