Thanks Peter,

                    I just draw that topolgy on PAcket Tracer to simplify the setup thats it .But i need to implement it on real world.

                     Thanks for the post.   Actually i already knew this idea for Router on the stick. But i dont have any manageble switch in lan, i have simple unmanged switch. Can u please tell me how can implement the same without manageble switch.

Regards

Pawan

Hello Pawan,

Thank you - please apologize my slightly cheeky comment about the "homework" if that was inappropriate.

Unfortunately, without a switch that supports VLANs, our options are extremely limited. Do you believe it would be impossible to obtain a switch with VLAN support? It does not need to be Cisco at all.

We could try to make a couple of tricks using secondary IP addresses on interfaces but that would mean connecting the LAN and one ISP together on your switch. I am very, very reluctant to do such a scenario as it has a number of security and possible connectivity issues.

By the way, do you obtain your public addresses from ISP by DHCP, or are they statically assigned to you?

Best regards,

Peter

Hello Peter,

                thanks for the support.  Actualy we dont have any manageble switch which support vlans.

                 Please help me to implement without.

                 Security reason is no matter for the customer. Please guide or suggest me any trick to do so.

               I have static ip address given by the ISP.

Regards

Pawan

Pawan

I strongly recommend you don't do that. As Peter has said using secondary IPs and one switch would be a very bad idea.

Believe me, when the customer has been hacked, all their data corrupted and their computers used to attack other sites for which they will be held legally responsible it will be a matter of concern to them.

It's not that we do not want to help but part of your job is to make it very clear to the customer what the implications are if you implement a certain solution.

If the customer can afford and wants 2 ISP connections then it is reasonable to assume they want some sort of redudancy. If you implement a solution without segregating the LAN from the internet you won't have redudancy for very long.

You should talk to the customer, make it clear that with the equipment you have you can only implement a very insecure setup. For the price of a switch that can do 801.q trunking it is not worth the risk.

Jon

Thanks Jon,

                        For the Suggestion.

            i have discussed what u have suggested to me with my Senior. But he is stil  forcing me to implement for a short period of time, only for 1 month. After 1 month he will buy  New ethernet card for router.

Please  help to solve my issue....

Regards

Pawan

Pawan,

Alright - but please be aware that this is a very dangerous configuration. Your senior must be informed, and must take full responsibility if anything goes wrong.

By the way, additional ports for Cisco routers are quite expensive. It would be better to buy a managed switch instead of a HWIC module for your router.

We will connect your LAN and ISP1 together into the switch and to Fa0/0 on router, the ISP2 will be on Fa0/1. The configuration should be as follows:

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip address X.X.X.X M.M.M.M secondary ! This is the IP for ISP1
 no ip redirects
 ip nat enable
interface FastEthernet 0/1
 ip address Y.Y.Y.Y M.M.M.M ! This is the IP for ISP2
 ip nat enable
access-list 100 deny 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit 192.168.1.0 0.0.0.255 any
ip nat pool ISP1 X.X.X.X X.X.X.X netmask 255.255.255.252 ! Use the public IP on Fa0/0 here twice
ip nat pool ISP2 Y.Y.Y.Y Y.Y.Y.Y netmask 255.255.255.252 ! Use the public IP on Fa0/1 here twice
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/0
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet0/1
ip nat source route-map ISP1 pool ISP1 overload
ip nat source route-map ISP2 pool ISP2 overload
ip route 0.0.0.0 0.0.0.0 ISP1_NEXT_HOP
ip route 0.0.0.0 0.0.0.0 ISP2_NEXT_HOP

As I have created this configuration in quite a hurry it may not work right out of the box - please make sure you save your original configuration and are able to revert back if this changes are not usable.

Best regards,

Peter

Hi Peter

              Thanks for the configuration.

               I tried it ,but it is not working. When i intiate a ping from Lan host(192.168.1.10) to 8.8.8.8 it shows RTO. Even there is no translations show in  "sh ip nat trans" command on Router. When i did tracert from Host

(192.168.1.10) it only goes to its gateway(192.168.1.1) rest are timeout.

Please Peter help me.I did exact config as suggested by you.

This Show Run for what i configured.

PolicyR#sh run

Building configuration...

Current configuration : 1295 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Policy

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

no ip domain lookup

!

!

!

!

interface FastEthernet0/0

ip address x.x.x.1 255.255.255.0 secondary

ip address 192.168.1.1 255.255.255.0

no ip redirects

ip nat enable

duplex auto

speed auto

!

interface FastEthernet1/0

ip address y.y.y.1 255.255.255.0

ip nat enable

duplex auto

speed auto

!

no ip http server

ip route 0.0.0.0 0.0.0.0 x.x.x.100

ip route 0.0.0.0 0.0.0.0 y.y.y.101

!

!

ip nat pool ISP1 x.x.x.1 x.x.x.2 netmask 255.255.255.252

ip nat pool ISP2 y.y.y.1 y.y.y.2 netmask 255.255.255.252

ip nat source route-map ISP1 pool ISP1 overload

ip nat source route-map ISP2 pool ISP2 overload

!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

route-map ISP2 permit 10

match ip address 100

match interface FastEthernet0/0

!

route-map ISP1 permit 10

match ip address 100

match interface FastEthernet1/0

!

!

!

control-plane

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

end

PolicyR#

Thanks

pawan

Pawan,

I have tested the configuration in my lab. The configuration is correct, however, for some reason, using the route-map that matches both the ACL and the outgoing interface does not work correctly with the CEF enabled. However, deactivating CEF is the last thing we would want to do so just for now, we have to do without the route-map.

You have a couple of errors in your configuration:

• In both NAT pools, you must use the same IP address twice. You have used two IP addresses, .1 and .2 which is not what I asked you to do. The only IP address that should be used in a NAT pool is the interface IP address that connects you to the particular ISP.
• In your route-maps, you have swapped the interfaces, i.e. Fa1/0 in route-map ISP1 and Fa0/0 in route-map ISP2. However, as we are going to ignore the route-maps for now, it does not matter.

So modify your configuration so that it looks as follows:

ip nat pool ISP1 x.x.x.1 x.x.x.1 netmask 255.255.255.252
ip nat pool ISP2 y.y.y.1 y.y.y.1 netmask 255.255.255.252
ip nat source list 100 pool ISP1 overload
ip nat source list 100 pool ISP2 overload

Remove the previous versions of these commands from your configuration and leave the other configuration in place. Also please add the no ip redirects command to your Fa1/0 interface.

I will try to find out whether it is possible to use the route-maps with CEF but I am afraid that the attempts will prove futile. You should get a VLAN-capable switch or a new interface to your router as soon as possible - and even sooner

If you want to display the translation entries you need to use the command show ip nat nvi translation

Best regards,

Peter

Dear Peter ,

                   Thank You Very Much For the Support. Your configuration worked but it cannot be able to manage multiple gateway .i.e if  ISP1 gets down it connot get sift to ISP 2. To solve this purpose i have configured SLA to manage 2 ISPs. Now everything is working fine. But i have one issue regarding 2 commands command;

1) ip nat source list 100 pool ISP1 overload

2) ip nat source list 100 pool ISP2 overload.

at a time only one command is effetive,thinfg is that  if ISP 1 goes down then i  need to configured "ip nat source list 100 pool ISP2 overload" manually.then internet works.

Please give me any solution for the same, i have mentioned the final config below.

Policy(config)#do sh run

Building configuration...

Current configuration : 1568 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Policy

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

!

!

ip cef

!

!

no ip domain lookup

ip sla monitor 1

type echo protocol ipIcmpEcho 10.10.10.1 source-interface FastEthernet0/0

timeout 1000

threshold 2

frequency 3

ip sla monitor schedule 1 life forever start-time now

!

!

!

track 1 rtr 1 reachability

!

!

interface FastEthernet0/0

description Connt ISP1

ip address x.x.x.x x.x.x.x secondary

ip address 192.168.4.1 255.255.255.0

no ip redirects

ip nat enable

duplex auto

speed auto

!

interface FastEthernet1/0

description Connt ISP2

ip address y.y.y.y y.y.y.y

no ip redirects

ip nat enable

duplex auto

speed auto

!

no ip http server

ip route 0.0.0.0 0.0.0.0 ISP1_IP track 1

ip route 0.0.0.0 0.0.0.0 ISP2_IP 10

!

!

ip nat pool ISP1 x.x.x.1 x.x.x.1 netmask 255.255.255.252

ip nat pool ISP2 y.y.y.1 y.y.y.1 netmask 255.255.255.252

ip nat source list 100 pool ISP1 overload

!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

route-map ISP2 permit 10

match ip address 100

match interface FastEthernet1/0

!

route-map ISP1 permit 10

match ip address 100

match interface FastEthernet0/0

!

!

!

control-plane

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

login

!

end

Regards

Pawan

Hi,

Can you try with the route-map config from Peter. I've tested this type of design on GNS3 with CEF enabled but with the old ip nat inside and outside commands under interface and it worked.

Regards.

Alain.

Hello Alain,

Yes, I assume that the old ip nat inside and ip nat outside would work but there is a problem with the fact that one of Pawan's interfaces needs to be both in inside and outside network at the same time. There is a kludge about PBRing the packets through a local loopback... perhaps we will have to resort to this solution as I do not see any other way to accomplish what Pawan needs to do right now (have two ip nat inside source or ip nat source commands with two different pools).

The NVI style of configuring this seemed to be a natural way to go, but sadly, there is obviously some nasty bug in CEF. Alain, by the way, can you confirm the bug's presence yourself? Use the following topology of four routers:

R1, R2, R3 - connected to a common LAN, R1=client PC, R2 = Pawan's router, R3 = ISP1

R2/R4 - connected together using another FastEthernet interface

Best regards,

Peter

Hi Peter,

Gonna lab this up and tell you what.

Regards.

Alain.

Hello Peter and cadet alain

                                    Is any other way to resolve the issue.

Regards

Pawan