Good Afternoon,
We are trying to configure our Cisco router with a backup WAN but are having issues getting the NAT configured properly to allow traffic onto the backup connection. We have confirmed that the static route is automatically removed when the primary WAN does offline, however we are unable to
ping
the gateway on the secondary WAN. Removing the NAT entry for the primary WAN instantly allows traffic to flow over the secondary WAN, so it seems the issue is most likely with the NAT configuration itself.
Below is the current configuration of the router, any assistance on getting this resolved would be greatly appriecated.
Kind Regards,
David
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname BrewerySecurity
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!
!
!
!
ip name-server 192.168.88.1 192.168.10.1 1.1.1.1
ip domain name BrewSec.local
ip dhcp excluded-address 172.16.0.0 172.16.0.99
ip dhcp excluded-address 172.16.0.201 172.16.0.255
!
ip dhcp pool BrewSec
network 172.16.0.0 255.255.255.0
default-router 172.16.0.1
dns-server 172.16.0.1
!
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-2012739551
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2012739551
revocation-check none
rsakeypair TP-self-signed-2012739551
!
!
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-2012739551
!
!
license udi pid C1111-8P sn FCZ2712R201
memory free low-watermark processor 65797
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 9 *******
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 state
!
!
interface GigabitEthernet0/0/0
ip address 192.168.88.5 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 192.168.10.5 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
ip nat inside
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip dns server
!
!
ip nat inside source route-map NAT-WAN1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT-WAN2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.88.1 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.10.1 253
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
!
ip access-list extended 197
10 permit ip any any
!
!
route-map NAT-WAN1 permit 10
match ip address 197
set interface GigabitEthernet0/0/0
!
route-map NAT-WAN2 permit 10
match ip address 197
set interface GigabitEthernet0/0/1
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end
