Redundant ISP failover with PBR

M-Square
Level 1
Level 1

I have an issue I am hoping the community might be able to assist with. I thought posting it here would be good, as I am sure others use this type of setup and may benefit from it.

We have a Cisco 891 with dual WAN interfaces using two ISPs. The main link is the primary internet service, while the secondary is only a backup service should the main link experience an outage. The primary [FA0] is a broadband cable service and the secondary WAN interface [Gi0] is a broadband DHCP-based service in standby mode, with no active traffic other than monitoring on the backup.

The setup is working with one caveat: when I break the primary service for testing, tracking does its job, but NAT traffic will not pass, hence the network is down. The solution is to delete "ip nat inside source route-map NAT0 interface FastEthernet0 overload", and once I do, traffic starts to flow through the router again. The issue, of course, is that this is not dynamic enough, since user intervention is required. I could create an applet to handle it manually, but this does not seem like it should be the answer.

Below is a snippet of the setup;

track 200 ip sla 200
 delay down 60 up 60
!
track 300 ip sla 300
 delay down 60 up 60
!
track 400 ip sla 400
 delay down 60 up 60
!
track 500 list boolean or
 object 200
 object 300
 object 400
interface FastEthernet0    <-- Primary WAN link (a basic broadband cable service with a static IP)
 description WAN1
 ip address 1.1.1.1 255.255.255.252 [public routable]
 ip nat outside

interface GigabitEthernet8 <-- Backup/standby broadband ISP
 description WAN2
 ip address dhcp
 ip nat outside

interface Vlan1
 description LAN
 ip address 10.10.10.254 255.255.255.0
 ip nat inside

ip nat inside source route-map NAT0 interface FastEthernet0 overload    <-- Primary PAT syntax
ip nat inside source route-map NAT1 interface GigabitEthernet8 overload  <--Backup PAT syntax

ip sla 200
 icmp-echo 209.207.110.137
 threshold 1500
 timeout 1500
ip sla schedule 200 life forever start-time now
ip sla 300
 icmp-echo 8.8.8.8
 threshold 1500
 timeout 1500
ip sla schedule 300 life forever start-time now
ip sla 400
 icmp-echo 208.67.222.222
 threshold 1500
 timeout 1500
ip sla schedule 400 life forever start-time now
route-map NAT0 permit 10
 match ip address 140
 set ip next-hop 1.1.1.2  <-- ISP A gateway
!
route-map NAT1 permit 20
 match ip address 140
 set ip next-hop x.x.x.x [dhcp default gateway of ISP B]
or
 set ip next-hop dynamic dhcp
!

access-list 140 permit ip 10.10.10.0 0.0.0.255 any  <-- LAN traffic to be NATed


3 Replies

For this case you should use the match option in the route-map instead of the set ip next-hop option; if you don't, the router does NAT with the wrong interface, which is the case here. Try the following modification.

route-map NAT0 permit 10
 match ip address 140
 match interface FastEthernet0
!
route-map NAT1 permit 20
 match ip address 140
 match interface GigabitEthernet8

Regards

Hi Pedro,

Thank you for the suggestion; it seems to have done the trick!
I will be able to fully test in the next few days.

Thanks a million, appreciated.

~M

Pedro made a good suggestion, and I believe that when you fully test it, it will work. Just to be clear on the issue: the route map shown in the original post is the kind of route map that is used for PBR, which makes decisions about how to forward data packets. But what you need is not a route map for routing but a route map to control NAT. And the important thing in a route map for NAT is that it should have two match statements, one to match the interface and one to match the access list. There is no need for a set statement when the route map is to control NAT.

HTH

Rick

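For readers who want to see the whole pattern in one place, the following is an added example, not configuration from the original post or from either reply. It combines the tracking and NAT route-maps from the thread (with Pedro's match interface fix) with the pieces the original snippet does not show: the tracked default route, a higher-distance DHCP default on the backup, static host routes that pin the probe targets to ISP A, and an EEM applet that flushes translations on a track state change. The addresses are those from the post; the distance value 250, the probe frequency, the host routes, the applet and the ip dhcp client default-router distance command are all assumptions about the OP's environment, not anything the thread states.

```cisco
! Added example (not from the original post or replies). Addresses reuse the
! values in the thread; distance 250, frequency 10, the probe host routes, the
! DHCP default-router distance and the EEM applet are assumptions.
!
! --- Reachability tracking, as in the original post ---
track 200 ip sla 200
 delay down 60 up 60
track 300 ip sla 300
 delay down 60 up 60
track 400 ip sla 400
 delay down 60 up 60
track 500 list boolean or
 object 200
 object 300
 object 400
!
ip sla 200
 icmp-echo 209.207.110.137
 threshold 1500
 timeout 1500
 frequency 10
ip sla schedule 200 life forever start-time now
ip sla 300
 icmp-echo 8.8.8.8
 threshold 1500
 timeout 1500
 frequency 10
ip sla schedule 300 life forever start-time now
ip sla 400
 icmp-echo 208.67.222.222
 threshold 1500
 timeout 1500
 frequency 10
ip sla schedule 400 life forever start-time now
!
! --- Default routes (not shown in the original snippet; assumed) ---
! The primary default is withdrawn when track 500 goes down. The backup
! default is learned from DHCP on Gi8 and kept at a worse distance so it
! only wins once the tracked route is gone.
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 500
!
interface FastEthernet0
 description WAN1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet8
 description WAN2
 ip address dhcp
 ip dhcp client default-router distance 250
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
! Pin the probe targets to the ISP A gateway so the probes keep testing ISP A
! after the default route has failed over; otherwise they would follow the
! backup path and track 500 could never detect the primary coming back.
! Trade-off: these three hosts stay unreachable for LAN users while ISP A is
! down, so use probe targets that users do not depend on.
ip route 209.207.110.137 255.255.255.255 1.1.1.2
ip route 8.8.8.8 255.255.255.255 1.1.1.2
ip route 208.67.222.222 255.255.255.255 1.1.1.2
!
! --- NAT route-maps: match the egress interface, no set statement ---
! Each translation is bound to whichever outside interface the routing table
! actually chose, so failover needs no manual NAT changes.
route-map NAT0 permit 10
 match ip address 140
 match interface FastEthernet0
!
route-map NAT1 permit 20
 match ip address 140
 match interface GigabitEthernet8
!
ip nat inside source route-map NAT0 interface FastEthernet0 overload
ip nat inside source route-map NAT1 interface GigabitEthernet8 overload
!
access-list 140 permit ip 10.10.10.0 0.0.0.255 any
!
! --- Flush stale translations on failover and failback (assumed applet) ---
! Translations built on Fa0 before the outage stay in the table until they
! age out; clearing them when track 500 changes state lets existing flows
! re-translate on the newly chosen interface immediately.
event manager applet WAN-FAILOVER
 event track 500 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 500 changed state; NAT translations cleared"
```

Two things to check after applying something like this: "show ip route" should show only the tracked default while ISP A is up and only the DHCP default (distance 250) after track 500 goes down, and "show ip nat translations" should show translations sourced from the Gi8 address, not 1.1.1.1, once traffic has been cleared and re-established. Separately, both WAN interfaces are "ip nat outside" and neither the post nor the replies show any inbound filtering; whatever access-list or zone policy protects FastEthernet0 needs to be applied to GigabitEthernet8 as well, since during failover the backup link is carrying the whole LAN's traffic and is directly exposed to ISP B.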