IP SLA with dual ISP using NAT

Tupe_kunal
Level 1

Hi All,

 

I need to configure IP SLA on a router with dual ISPs using NAT. Is the config below right?

Will this work fine? Please suggest.

ISP 1 - 113.65.12.230 (primary)   -> interface G0/2
ISP 2 - 58.51.18.50 (secondary)   -> interface G0/1

ip sla 1
 icmp-echo 4.2.2.2 source-interface GigabitEthernet0/2
 timeout 500
 threshold 2
 frequency 3
!
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15
 delay up 60
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT-List-1
!
route-map SDM_RMAP_2 permit 2
 match ip address NAT-List-1
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/2 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 113.65.12.229 track 1
ip route 0.0.0.0 0.0.0.0 58.51.18.49 10
ip route 4.2.2.2 255.255.255.255 113.65.12.229 permanent

 

 


I think there is only a small thing missing:

route-map SDM_RMAP_1 permit 1
 match ip address NAT-List-1
 match interface Gig 0/2
!
route-map SDM_RMAP_2 permit 2
 match ip address NAT-List-1
 match interface Gig 0/1
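The two details above (a probe that is actually scheduled, and NAT route-maps that match their egress interface) are easy to lose when a config is pasted around, so here is a small linter for them. This is an added example, not code from the original post or from Cisco. It runs over a condensed, constructed copy of the posted configuration; the interface-name abbreviations it normalises and the check that the probe's host route uses the same next hop as the tracked default route are my additions rather than something the thread states. The schedule line as posted reads "p sla schedule", which the linter reports because no "ip sla schedule 1" exists for track 1; the second config adds Karsten's "match interface" lines and passes.

```python
"""Lint a Cisco IOS dual-ISP NAT failover config for the mistakes this thread
turns up.  Added example; not code from the original post or from Cisco."""
import re

# Constructed input: the poster's config, condensed, keeping the two defects the
# thread surfaces: "p sla schedule" (a typo) and NAT route-maps without "match interface".
CONFIG_AS_POSTED = """\
ip sla 1
 icmp-echo 4.2.2.2 source-interface GigabitEthernet0/2
 timeout 500
p sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
route-map SDM_RMAP_1 permit 1
 match ip address NAT-List-1
route-map SDM_RMAP_2 permit 2
 match ip address NAT-List-1
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/2 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 113.65.12.229 track 1
ip route 0.0.0.0 0.0.0.0 58.51.18.49 10
ip route 4.2.2.2 255.255.255.255 113.65.12.229 permanent
"""
# Same config with the typo fixed and Karsten's "match interface" lines added.
CONFIG_FIXED = (CONFIG_AS_POSTED.replace("\np sla schedule", "\nip sla schedule")
    .replace("permit 1\n match ip address NAT-List-1\n", "permit 1\n match ip address NAT-List-1\n match interface Gig 0/2\n")
    .replace("permit 2\n match ip address NAT-List-1\n", "permit 2\n match ip address NAT-List-1\n match interface Gig 0/1\n"))

_IF_PREFIXES = {"g": "GigabitEthernet", "gi": "GigabitEthernet", "gig": "GigabitEthernet",
                "gigabitethernet": "GigabitEthernet", "fa": "FastEthernet", "lo": "Loopback"}


def norm_if(name):
    # Canonicalise IOS spellings so 'Gig 0/2', 'G0/2' and 'GigabitEthernet0/2' compare equal.
    m = re.match(r"^\s*([A-Za-z-]+)\s*([\d/.:]+)\s*$", name)
    if not m:
        return name.strip()
    return _IF_PREFIXES.get(m.group(1).lower(), m.group(1)) + m.group(2)


def parse_sections(config):
    """Split a config into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_dual_isp_nat(config):
    """Return findings; an empty list means the config passes every check."""
    slas, routemaps, tracks, host_routes = {}, {}, {}, {}
    schedules, nat_rules, defaults = set(), [], []
    for cmd, subs in parse_sections(config):
        if m := re.match(r"ip sla (\d+)$", cmd):
            slas[m.group(1)] = subs
        elif m := re.match(r"ip sla schedule (\d+)", cmd):
            schedules.add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", cmd):
            routemaps.setdefault(m.group(1), []).extend(subs)
        elif m := re.match(r"track (\d+) ip sla (\d+)", cmd):
            tracks[m.group(1)] = m.group(2)
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", cmd):
            nat_rules.append((m.group(1), norm_if(m.group(2))))
        elif m := re.match(r"ip route (\S+) 255\.255\.255\.255 (\S+)", cmd):
            host_routes[m.group(1)] = m.group(2)          # probe target -> next hop
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)", cmd):
            defaults.append((m.group(1), " track " in m.group(2)))
    findings = []
    # 1. The tracked probe must exist and be scheduled, or the track stays down
    #    and the primary default route is never installed.
    for track, sla in tracks.items():
        if sla not in slas:
            findings.append(f"track {track} references undefined ip sla {sla}")
        elif sla not in schedules:
            findings.append(f"ip sla {sla} is never scheduled, so track {track} stays down")
    # 2. The probe target needs a host route pinned to the primary next hop; otherwise
    #    the probe follows the backup default route and hides a primary outage.
    primary = next((nh for nh, tracked in defaults if tracked), None)
    for sla, subs in slas.items():
        for target in (s.split()[1] for s in subs if s.startswith("icmp-echo ")):
            if target not in host_routes:
                findings.append(f"no host route for ip sla {sla} target {target}")
            elif primary and host_routes[target] != primary:
                findings.append(f"host route for {target} does not use primary next hop {primary}")
    # 3. Each NAT rule's route-map must match its egress interface, or packets leaving
    #    the backup ISP can be translated to the primary ISP's address and get dropped.
    for rm, intf in nat_rules:
        matched = {norm_if(s[16:]) for s in routemaps.get(rm, []) if s.startswith("match interface ")}
        if intf not in matched:
            findings.append(f"route-map {rm} lacks 'match interface {intf}'")
    if primary is None or all(t for _, t in defaults):
        findings.append("need a tracked default route plus a floating backup default route")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(f"{label}: {lint_dual_isp_nat(cfg) or ['clean']}")
```

Run it directly to print the findings for both configs. The "match interface" check is the point of Karsten's reply: NAT picks the first route-map that matches the packet, so without an interface match both rules match all inside traffic and a packet leaving via the backup ISP can be translated to the primary ISP's address, which the backup ISP's anti-spoofing filters will then drop. The host-route check is why the posted config pins 4.2.2.2 to the primary next hop: if the probe could follow the floating default route, it would keep succeeding over the backup link and the track would never go down.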

Hi Karsten,

 

Thanks for your reply.

Is there anything else other than matching the interface in the route-map?

 

Best Regards,

Kunal Tupe

No, only the interface and the traffic that should be NATed.

Okay, I will make the changes and get back if I need any assistance.

 

Cheers !!!

Hello

I have tested your configuration and it works accordingly.

 

res

paul 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

The failover works fine. But once the primary link is up again, only the Internet traffic reverts to the primary; the VPN traffic does not switch over.

All the tunnels are still active with the secondary IP.

I manually have to remove the crypto map from the secondary interface, and then the tunnel comes up.

What could be the issue? I need to find a fix and get back to the customer.

 

Best regards,

Kunal Tupe

 

 

Hi Karsten,

One question: will this work smoothly when my primary link goes down?

At least for NAT and routing, it should work over both the primary and the secondary link. You also have to look at your firewalling and ACL config. And of course you should test it.

Hi Karsten,

Scenario:

I have two Internet links.

I am running an IPsec VPN tunnel over them.

I want to fail over Internet as well as VPN traffic to the secondary link when the primary link goes down.

I configured IP SLA as mentioned in the previous post.

While testing, I brought the primary link down and it successfully failed over to the secondary, i.e. both Internet and VPN traffic.

When I brought the primary link back up, only the Internet traffic diverted back via the primary, but the VPN tunnels did not come up on the primary link.

When I removed the crypto map from the secondary interface, the traffic diverted via the primary (for testing purposes).

What could be the issue?

Below is the config of the interfaces as well.

ISP 1 - 113.65.12.230 (primary)   -> interface G0/2
ISP 2 - 58.51.18.50 (secondary)   -> interface G0/1

ip sla 1
 icmp-echo 4.2.2.2 source-interface GigabitEthernet0/2
 timeout 500
 threshold 2
 frequency 3
!
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15
 delay up 60
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT-List-1
 match interface GigabitEthernet0/2
!
route-map SDM_RMAP_2 permit 2
 match ip address NAT-List-1
 match interface GigabitEthernet0/1
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/2 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 113.65.12.229 track 1
ip route 0.0.0.0 0.0.0.0 58.51.18.49 10
ip route 4.2.2.2 255.255.255.255 113.65.12.229 permanent
!

 

interface GigabitEthernet0/1
 description ** 20MB SingTel BizLink  CN# ETH00047190SNG **
 bandwidth 20480
 ip address 58.51.18.50 255.255.255.252
 ip access-group ProtectWAN_SHORT in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
 no mop enabled
 crypto map My_vpn
!
interface GigabitEthernet0/2
 description ### L3 ###
 ip address 113.65.12.230 255.255.255.252
 ip access-group ProtectWAN_SHORT in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map My_vpn

Instead of thinking about this problem, there could be a better way to achieve this.

You could configure VTIs (virtual tunnel interfaces) over both links, run a routing protocol over the tunnels, and let routing decide which tunnel is available.

the client requires it to work that way :(