I need to configure router failover on WAN links. I am hosting servers (web server, Citrix, app servers, etc.). I have IPs from ISPs. I am also using IP SLA for Internet failover on the router. Now I want to set up router failover. The config of both my routers is as below.
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.7
 description Voice-Vlan
 encapsulation dot1Q 7
 ip address 192.168.7.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
!
interface GigabitEthernet0/0.8
 description IT-Vlan
 encapsulation dot1Q 8
 ip address 192.168.8.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.9
 description Regency-Vlan
 encapsulation dot1Q 9
 ip address 192.168.9.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 10
 ip address 192.168.10.7 255.255.255.0
 ip helper-address 192.168.10.16
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface FastEthernet0/0/1
 ip address 50.x.x.14 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map vpn
!
interface FastEthernet0/1/0
 ip address 162.x.x.34 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload
ip nat inside source static tcp 192.168.10.53 80 50.x.x.52 80 route-map ISP1 extendable
ip nat inside source static tcp 192.168.10.53 80 162.x.x.35 80 route-map ISP2 extendable
ip route 0.0.0.0 0.0.0.0 50.x.x.13 track 10
ip route 0.0.0.0 0.0.0.0 162.x.x.62 200
!
ip access-list extended acl_internet
 deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
!
ip sla 1
 icmp-echo 50.x.x.13
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 162.x.x.62
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
!
!
!
!
route-map PBR permit 10
 match ip address acl_natisp1
 set ip next-hop verify-availability 50.x.x.13 1 track 10
!
route-map PBR permit 20
 match ip address acl_natisp2
 set ip next-hop verify-availability 162.x.x.62 2 track 20
!
route-map ISP2 permit 20
 match ip address acl_internet
 match interface FastEthernet0/1/0
!
route-map ISP1 permit 10
 match ip address acl_internet
 match interface FastEthernet0/0/1