cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3004
Views
0
Helpful
12
Replies

simultaneous dual wan access with nat

Olivier Joly
Level 1
Level 1

Hi,

I have a 1841 router with two wan access from two different ISP:

1: throught dialer with fixed ip obtained from dhcp - ATM interface

2: thought fastethernet 0/1 with fixed ip and a specific gateway - can be use for Internet traffic if dialer is down.

I can't manage to make them accessible at the same time (ping and ssh).

In a second time I would like to have a VPN client access on one wan and site to site VPN on the other, instead of having the two on one wan.

Thanks in advance for your help

The sh ip route return:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer0

62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 62.x.x.8/30 is directly connected, FastEthernet0/1

L 62.x.x.10/32 is directly connected, FastEthernet0/1

192.168.3.0/32 is subnetted, 1 subnets

S 192.168.3.1 via 0.0.0.0, Virtual-Access2

192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.10.0/24 is directly connected, FastEthernet0/0

L 192.168.10.254/32 is directly connected, FastEthernet0/0

S 192.168.11.0/24 is directly connected, Tunnel0

192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.50.0/24 is directly connected, Tunnel0

L 192.168.50.1/32 is directly connected, Tunnel0

193.x.x.0/32 is subnetted, 1 subnets

C 193.x.x.3 is directly connected, Dialer0

193.x.x.0/32 is subnetted, 1 subnets

C 193.x.x.113 is directly connected, Dialer

I think I should have two entries for s* instead of one. I didn't find a way for it.

Please find below the config:

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

aaa new-model

aaa session-id common

dot11 syslog

no ip source-route

Ip cef

multilink bundle-name authenticated

redundancy

!

!

no ip ftp passive

interface Tunnel0

ip address 192.168.50.1 255.255.255.0

tunnel source Dialer0

tunnel mode ipsec ipv4

tunnel destination x.x.x.x

tunnel path-mtu-discovery

tunnel protection ipsec profile vti

!

interface FastEthernet0/0

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 62.x.x.10 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface Virtual-Template1

ip unnumbered Dialer0

!

interface Virtual-Template2

ip unnumbered FastEthernet0/0

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname xxx

ppp chap password xxx

crypto map mymap

!

ip local pool cabinetpool 192.168.1.1 192.168.1.10

ip local pool Vpnssladsl 192.168.3.1 192.168.3.10

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source route-map routemymap interface Dialer0 overload

ip nat inside source route-map routest interface FastEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.x.x.9 10

ip route 192.168.11.0 255.255.255.0 Tunnel0

!

ip radius source-interface FastEthernet0/0

logging esm config

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny any

access-list 100 remark crypto group

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

access-list 101 remark vpn routemymap

access-list 101 remark CCP_ACL Category=18

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.1

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.2

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.3

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.4

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.5

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.6

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.7

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.8

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.9

access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.10

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 101 deny ip any any

access-list 110 remark crypto

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 111 remark vpn routest

access-list 111 remark CCP_ACL Category=18

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.1

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.2

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.3

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.4

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.5

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.6

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.7

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.8

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.9

access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.10

access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 111 permit ip 192.168.10.0 0.0.0.255 any

access-list 111 deny ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

!

!

!

route-map routemymap permit 1

match ip address 101

match interface Dialer0

!

route-map routest permit 1

match ip address 101

match interface FastEthernet0/1

line con 0

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

transport input telnet

line vty 5 8

authorization exec ciscocp_vpn_xauth_ml_1

login authentication ciscocp_vpn_xauth_ml_1

transport input ssh

Sent from Cisco Technical Support iPad App

1 Accepted Solution

Accepted Solutions

Hi Oliver

ok things getting clearer for me.

Can you tell me what version and feature set you are running ?

Here you are facing some diffculties with cisco routers.

1) Dialer Interface do not realy go down. so the route over d1 is allway there.

     Because it must know when to dial ... :-)

2) Simultan access over both can be done no problem

    You have it configured.

3) Access over the dialer and if this is not possible go over Fa0 can also be done.

    a) Track something over the dialer that triggers Policy Based  Routing

    b) Make a static route over d0 for one host as tracked object. and bind the default route to the tracker.

        Tracker will Trigger the dialer and install the default route when possible

4) Access to both WAN Addresses via SSH

    Yes it is possible, you need active default routes over both interfaces.

    This gives you two possible soulutions

     a) Policy Based Routing

         A Little Complex but can be handelt good

     b) VRF-Lite

         More complex ....

Policy Based Routing

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

PBR with Tracked Objects

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

A Relativ Complete Example:

https://supportforums.cisco.com/docs/DOC-8313

From my Point of view that should do the trick

and btw route the traffic for the other office over the next hop gateway tunnel address at the remote location.

HTH

Patrick  

View solution in original post

12 Replies 12

patrick.preuss
Level 1
Level 1

Hi

your second route is only activ when d0 is down. The 10 in the makes the route flowting static, or in other word

a higher administraiv distance.

For the other Policy Based Routing might be a solution.

HTH

Hi Patrick,

Thank you for your reply.

I tried at first without the metric 10. However the wan2 always becomes the default route instead of wan1. The show ip route gives without the metric 10:

Gateway of last resort is 62.x.x.9 to network 0.0.0.0

S* 0.0.0.0/0 via 62.x.x.9, FastEthernet0/1

is directly connected, Dialer0

62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

Furthermore, with this configuration, a traceroute use wan2, and the wan2 public ip does not respond to ping nor ssh.

I read on the Cisco website that the router should use the first ip route from the config, but not is my case.

I even tried to force the default route for wan1 with no luck (ip route 0.0.0.0 0.0.0.0 dialer 0 193.x.x.3). The sh ip route gave something like:

S* 0.0.0.0/0 via 193.x.x.3, dialer 0

via 62.193.44.9, FastEthernet0/1

But still using wan2

After your reply, I looked a bit into pbr as you suggested. I added ip metric +1 to wan1 route-map and ip metric +2 for wan2, but still no change.

I will check further for pbr.

In the meantime, do you have any more suggestions ?

Best regards,

Olivier

Sent from Cisco Technical Support iPad App

Hi Oliver

this was not what i sayed.

You should basicly have following:

1) Two route-maps

matching inside traffic

and the exit interface

2) two nats for the route-maps

this ok you have this.

then you need two default routes

ip route 0/0

ip route 0/0

No Administarive Distance or the route will not inserted.

Now everybody should have internet access.

what you see in your output is right both links are active and will be used based on load sharing rules.

Mostly per Session.

What do you mean by access at the sametime? Please provide a traceroute and or a extendet Ping (soure interface will be helpful)

Please have a look into following discussion:

https://supportforums.cisco.com/thread/2117045

Its basicly the same.

Hi oliver

one more thing

ip route 192.168.11.0 255.255.255.0 Tunnel0

!

interface Tunnel0

ip address 192.168.50.1 255.255.255.0

this makes no sence.

Plese use a gateway address or inertior routing protocol.

Patrick,

From inside the clients access to Internet but through wan2. I would like the traffic going to wan1 only, and to wan2 only if wan1 is down.

I will look forward to the link you send.

By at the same time I mean I can access to ssh from outside through public ip of wan1 and wan2. However I am not sure if it is possible to do that.

About the tunnel 0, it is a vti between two offices. I understood a vti needs it's own subnet to work and encapsulate the traffic in it. The network 192.168.11.0 is the second office subnet. Maybe I misunderstand something when I set up the tunnel. However, this tunnel was always up during the differents configurations I tested.

I will give you some data after the reading...

Thanks again,

Olivier

Sent from Cisco Technical Support iPad App

Hi Oliver

ok things getting clearer for me.

Can you tell me what version and feature set you are running ?

Here you are facing some diffculties with cisco routers.

1) Dialer Interface do not realy go down. so the route over d1 is allway there.

     Because it must know when to dial ... :-)

2) Simultan access over both can be done no problem

    You have it configured.

3) Access over the dialer and if this is not possible go over Fa0 can also be done.

    a) Track something over the dialer that triggers Policy Based  Routing

    b) Make a static route over d0 for one host as tracked object. and bind the default route to the tracker.

        Tracker will Trigger the dialer and install the default route when possible

4) Access to both WAN Addresses via SSH

    Yes it is possible, you need active default routes over both interfaces.

    This gives you two possible soulutions

     a) Policy Based Routing

         A Little Complex but can be handelt good

     b) VRF-Lite

         More complex ....

Policy Based Routing

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html

PBR with Tracked Objects

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

A Relativ Complete Example:

https://supportforums.cisco.com/docs/DOC-8313

From my Point of view that should do the trick

and btw route the traffic for the other office over the next hop gateway tunnel address at the remote location.

HTH

Patrick  

Hi Patrick,

I am running 15.1(3)T adventerprisek9-m.

After several hours of reading, and trying, now it is working !

During the process I have lost the IPSec VPN server, but the tunnel is still working.

I will post the new config during the weekend.

Thank you so much for your help, and the links.

Best regards,

Olivier

Sent from Cisco Technical Support iPad App

Hi Patrick,

To get this config I have used the links you gave and this one which is with nat:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

I struggled with the route-map "ToISP" because i read somewhere that we must use a match command for nat. This is right for the interfaces refering to wan but not for lan.

In the config below, the trackers are working properly, the traffic is going to IspADSL by default and to IspSDSL ifIspADSL is down.

However, and I don't know why the default interface just after rebooting is to dialer 0 and after a few minute is goes to theSDSL link. I also didn't manage to get the two default route. I have found this article which suggest to create a loopbackinterface with pbr, but it is a bit confusing for me (https://supportforums.cisco.com/thread/2067691
) and I don't know which ip I should use in my case. Do you have any example for it ?

For the tunnel, you suggest I should add the address in quote to the config :

ip route 192.168.11.0 255.255.255.0 Tunnel0 "192.168.50.2"

Should I do the same thing for dialer 0 with "10.X.X.13" ?

Thanks in advance,

Olivier

Here is the config without the crypto part:

aaa new-model

!

aaa session-id common

!

ip cef

ip domain name XXX

ip name-server 192.168.10.3

no ipv6 cef

!

multilink bundle-name authenticated

!

redundancy

!

track 1 ip sla 1 reachability

delay down 60 up 60

!

track 2 ip sla 2 reachability

delay down 60 up 60

!

!

interface FastEthernet0/0

description LAN Interface

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

ip policy route-map ToISP

duplex auto

speed auto

!

interface FastEthernet0/1

description To SDSL

ip address 62.X.X.10 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer0

description To ADSL

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname XXX

ppp chap password 7 XXX

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source route-map IspADSL interface Dialer0 overload

ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.X.X.9 track 2 # gateway provided by IspSDSL

!

ip sla 1

icmp-echo 193.X.X.3 # ip only reachable by IspADSL

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 62.X.X.215 # ip only reachable by IspSDSL

ip sla schedule 2 life forever start-time now

logging esm config

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny   any

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

!

route-map IspSDSL permit 1

match ip address 10

match interface FastEthernet0/1

!

route-map IspADSL permit 1

match ip address 10

match interface Dialer0

!

route-map ToISP permit 10

match ip address 100

set ip next-hop verify-availability 10.X.X.13 1 track 1 # First ip retruned by traceroute with IspADSL

!

route-map ToISP permit 20

match ip address 100

set ip next-hop verify-availability 62.X.X.215 2 track 2 # First ip returned by traceroute with IspSDSL

!

end

Hi Oliver

First of all routing for dialer points allways to the interface,

because dialer are point to point.

For interfaces not point-to-point, mostly anything else please use a address to route to (Works better:-).

We deal with two points first the routing:

yes you need matches here only the source traffic and we set only the next hop or the exit interface.

so far so good.

For you tracker please add a source to the tracker, this is to keep the packets where we need them:-)

ip sla 1

icmp-echo 193.X.X.3 source dialer 1

ip sla schedule 1 life forever start-time now

!

ip sla 2

icmp-echo 62.X.X.215 source XXXX

ip sla schedule 2 life forever start-time now

!

The delay you are experience is because the tracker is assumed to be up after a reload. then you say you track it for 60 seconds down ...

Because you are using pbr (So default routing table is only the fallback) you don't need the

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 62.X.X.9 track 2

That you don't see both default maybe cause by the trackers.

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 62.X.X.9

Should be ok ...

Please remove the interface from the second one.

Please turn "ip virtual-reassembly in" of if you don't realy need it ...

Cheers Patrick

Hi Oliver

Route-maps are a great tool not only for nat. Primary they came from the Routing Tasks, PBR, Route filtering during redistribution, BGP and so on :-)

Cheers Patrick

Hi Patrick,

I applied the changes your suggested.

I don't have anymore the default route which is changing after reboot, howerver, the SDHL (fastethernet 0/1) public IP doesn't respond to ping nor ssh.

Do you have any ideas ?

Regards,

Olivier

Olivier Joly
Level 1
Level 1

Hi Patrick,

I finally found a way to get ssh on both wan interface. Furthermore, I figured out the ToISP pbr policy wasn't working as expected, so I removed it from fastethernet0/0 and added a metric to the SDSL route.

Thanks again for the help you provided.

Here is the working config:

track 1 ip sla 1 reachability

delay down 1 up 1

!

interface FastEthernet0/0

description LAN Interface

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

description To SDSL

ip address 62.x.x.10 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dialer1

description To ADSL

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname

ppp chap password

!

ip local policy route-map IspSDSL-Redirect

ip forward-protocol nd

!

!

ip nat inside source route-map IspADSL interface Dialer1 overload

ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1

ip route 0.0.0.0 0.0.0.0 62.x.x.9 10

!

ip access-list extended SSH

permit tcp host 62.x.x.10 eq 22 any

!

ip sla 1

icmp-echo 193.x.x.3 source-interface Dialer1

threshold 60

timeout 1000

ip sla schedule 1 life forever start-time now

logging esm config

access-list 10 permit 192.168.10.0 0.0.0.255

access-list 10 deny   any

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

!

!

!

!

route-map IspSDSL permit 1

match ip address 10

match interface FastEthernet0/1

!

route-map IspADSL permit 1

match ip address 10

match interface Dialer1

!

route-map IspSDSL-Redirect permit 10

match ip address SSL SSH

match interface FastEthernet0/1

set ip next-hop 62.X.X.9

!

!

!

line con 0

line aux 0

line vty 0 4

access-class 10 in

authorization exec XauthRadius

login authentication XauthRadius

transport input telnet

line vty 5 8

authorization exec XauthRadius

login authentication XauthRadius

transport input ssh

!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: