03-26-2012 08:04 AM - edited 03-04-2019 03:48 PM
Hi,
I have a 1841 router with two WAN accesses from two different ISPs:
1: through a dialer with a fixed IP obtained from DHCP - ATM interface
2: through FastEthernet 0/1 with a fixed IP and a specific gateway - can be used for Internet traffic if the dialer is down.
I can't manage to make them accessible at the same time (ping and ssh).
As a second step I would like to have VPN client access on one WAN and site-to-site VPN on the other, instead of having the two on one WAN.
Thanks in advance for your help
The sh ip route return:
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 62.x.x.8/30 is directly connected, FastEthernet0/1
L 62.x.x.10/32 is directly connected, FastEthernet0/1
192.168.3.0/32 is subnetted, 1 subnets
S 192.168.3.1 via 0.0.0.0, Virtual-Access2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/0
L 192.168.10.254/32 is directly connected, FastEthernet0/0
S 192.168.11.0/24 is directly connected, Tunnel0
192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.50.0/24 is directly connected, Tunnel0
L 192.168.50.1/32 is directly connected, Tunnel0
193.x.x.0/32 is subnetted, 1 subnets
C 193.x.x.3 is directly connected, Dialer0
193.x.x.0/32 is subnetted, 1 subnets
C 193.x.x.113 is directly connected, Dialer
I think I should have two entries for S* instead of one. I didn't find a way to do it.
Please find below the config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
aaa new-model
aaa session-id common
dot11 syslog
no ip source-route
ip cef
multilink bundle-name authenticated
redundancy
!
!
no ip ftp passive
interface Tunnel0
ip address 192.168.50.1 255.255.255.0
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile vti
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 62.x.x.10 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Virtual-Template1
ip unnumbered Dialer0
!
interface Virtual-Template2
ip unnumbered FastEthernet0/0
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxx
crypto map mymap
!
ip local pool cabinetpool 192.168.1.1 192.168.1.10
ip local pool Vpnssladsl 192.168.3.1 192.168.3.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map routemymap interface Dialer0 overload
ip nat inside source route-map routest interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.x.x.9 10
ip route 192.168.11.0 255.255.255.0 Tunnel0
!
ip radius source-interface FastEthernet0/0
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 remark crypto group
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark vpn routemymap
access-list 101 remark CCP_ACL Category=18
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.1
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.2
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.3
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.4
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.5
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.6
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.7
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.8
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.9
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.1.10
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 110 remark crypto
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 remark vpn routest
access-list 111 remark CCP_ACL Category=18
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.1
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.2
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.3
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.4
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.5
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.6
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.7
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.8
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.9
access-list 111 deny ip 192.168.10.0 0.0.0.255 host 192.168.2.10
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map routemymap permit 1
match ip address 101
match interface Dialer0
!
route-map routest permit 1
match ip address 101
match interface FastEthernet0/1
line con 0
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
transport input telnet
line vty 5 8
authorization exec ciscocp_vpn_xauth_ml_1
login authentication ciscocp_vpn_xauth_ml_1
transport input ssh
Accepted Solutions
03-27-2012 11:33 AM
Hi Oliver
ok, things are getting clearer for me.
Can you tell me what version and feature set you are running?
Here you are facing some difficulties with Cisco routers.
1) Dialer interfaces do not really go down, so the route over d1 is always there.
Because it must know when to dial ... :-)
2) Simultaneous access over both can be done, no problem.
You have it configured.
3) Access over the dialer, and if this is not possible go over Fa0, can also be done.
a) Track something over the dialer that triggers Policy Based Routing
b) Make a static route over d0 for one host as tracked object, and bind the default route to the tracker.
The tracker will trigger the dialer and install the default route when possible.
4) Access to both WAN addresses via SSH
Yes it is possible, you need active default routes over both interfaces.
This gives you two possible solutions
a) Policy Based Routing
A little complex but can be handled well
b) VRF-Lite
More complex ....
Policy Based Routing
PBR with Tracked Objects
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html
A relatively complete example:
https://supportforums.cisco.com/docs/DOC-8313
From my point of view that should do the trick
and btw route the traffic for the other office over the next hop gateway tunnel address at the remote location.
HTH
Patrick

03-26-2012 10:17 AM
Hi
your second route is only active when d0 is down. The 10 makes the route a floating static, or in other words
one with a higher administrative distance.
For the other, Policy Based Routing might be a solution.
HTH
03-27-2012 02:57 AM
Hi Patrick,
Thank you for your reply.
I tried at first without the metric 10. However, wan2 always becomes the default route instead of wan1. The show ip route gives, without the metric 10:
Gateway of last resort is 62.x.x.9 to network 0.0.0.0
S* 0.0.0.0/0 via 62.x.x.9, FastEthernet0/1
is directly connected, Dialer0
62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
Furthermore, with this configuration, a traceroute uses wan2, and the wan2 public IP does not respond to ping or ssh.
I read on the Cisco website that the router should use the first ip route from the config, but that is not the case for me.
I even tried to force the default route for wan1 with no luck (ip route 0.0.0.0 0.0.0.0 dialer 0 193.x.x.3). The sh ip route gave something like:
S* 0.0.0.0/0 via 193.x.x.3, dialer 0
via 62.193.44.9, FastEthernet0/1
But it is still using wan2.
After your reply, I looked a bit into PBR as you suggested. I added ip metric +1 to the wan1 route-map and ip metric +2 for wan2, but still no change.
I will check further for pbr.
In the meantime, do you have any more suggestions ?
Best regards,
Olivier
03-27-2012 05:18 AM
Hi Oliver
this was not what I said.
You should basically have the following:
1) Two route-maps
matching inside traffic
and the exit interface
2) two NATs for the route-maps
this is ok, you have this.
then you need two default routes
ip route 0/0
ip route 0/0
No administrative distance or the route will not be inserted.
Now everybody should have internet access.
What you see in your output is right: both links are active and will be used based on load sharing rules.
Mostly per session.
What do you mean by access at the same time? Please provide a traceroute and/or an extended ping (source interface will be helpful).
Please have a look into the following discussion:
https://supportforums.cisco.com/thread/2117045
It's basically the same.
03-27-2012 05:24 AM
Hi oliver
one more thing
ip route 192.168.11.0 255.255.255.0 Tunnel0
!
interface Tunnel0
ip address 192.168.50.1 255.255.255.0
this makes no sense.
Please use a gateway address or an interior routing protocol.
03-27-2012 08:58 AM
Patrick,
From inside, the clients can access the Internet, but through wan2. I would like the traffic to go to wan1 only, and to wan2 only if wan1 is down.
I will look at the link you sent.
By "at the same time" I mean I can access ssh from outside through the public IP of wan1 and of wan2. However I am not sure if it is possible to do that.
About the Tunnel0, it is a VTI between two offices. I understood a VTI needs its own subnet to work and encapsulates the traffic in it. The network 192.168.11.0 is the second office subnet. Maybe I misunderstood something when I set up the tunnel. However, this tunnel was always up during the different configurations I tested.
I will give you some data after the reading...
Thanks again,
Olivier
03-29-2012 03:59 PM
Hi Patrick,
I am running 15.1(3)T adventerprisek9-m.
After several hours of reading and trying, it is now working!
During the process I have lost the IPSec VPN server, but the tunnel is still working.
I will post the new config during the weekend.
Thank you so much for your help, and the links.
Best regards,
Olivier
04-02-2012 01:44 PM
Hi Patrick,
To get this config I have used the links you gave and this one, which is with NAT:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
I struggled with the route-map "ToISP" because I read somewhere that we must use a match command for NAT. This is right for the interfaces referring to the WAN but not for the LAN.
In the config below, the trackers are working properly, the traffic is going to IspADSL by default and to IspSDSL if IspADSL is down.
However, and I don't know why, the default interface just after rebooting is dialer 0 and after a few minutes it goes to the SDSL link. I also didn't manage to get the two default routes. I have found this article which suggests creating a loopback interface with PBR, but it is a bit confusing for me (https://supportforums.cisco.com/thread/2067691) and I don't know which IP I should use in my case. Do you have any example for it?
For the tunnel, you suggest I should add the address in quotes to the config:
ip route 192.168.11.0 255.255.255.0 Tunnel0 "192.168.50.2"
Should I do the same thing for dialer 0 with "10.X.X.13"?
Thanks in advance,
Olivier
Here is the config without the crypto part:
aaa new-model
!
aaa session-id common
!
ip cef
ip domain name XXX
ip name-server 192.168.10.3
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
track 1 ip sla 1 reachability
delay down 60 up 60
!
track 2 ip sla 2 reachability
delay down 60 up 60
!
!
interface FastEthernet0/0
description LAN Interface
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map ToISP
duplex auto
speed auto
!
interface FastEthernet0/1
description To SDSL
ip address 62.X.X.10 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
description To ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname XXX
ppp chap password 7 XXX
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map IspADSL interface Dialer0 overload
ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
! gateway provided by IspSDSL
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.X.X.9 track 2
!
ip sla 1
! IP only reachable via IspADSL
icmp-echo 193.X.X.3
ip sla schedule 1 life forever start-time now
ip sla 2
! IP only reachable via IspSDSL
icmp-echo 62.X.X.215
ip sla schedule 2 life forever start-time now
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
route-map IspSDSL permit 1
match ip address 10
match interface FastEthernet0/1
!
route-map IspADSL permit 1
match ip address 10
match interface Dialer0
!
route-map ToISP permit 10
match ip address 100
! first IP returned by traceroute with IspADSL
set ip next-hop verify-availability 10.X.X.13 1 track 1
!
route-map ToISP permit 20
match ip address 100
! first IP returned by traceroute with IspSDSL
set ip next-hop verify-availability 62.X.X.215 2 track 2
!
end
04-02-2012 02:38 PM
Hi Oliver
First of all, routing for dialers always points to the interface,
because dialers are point-to-point.
For interfaces that are not point-to-point, mostly anything else, please use an address to route to (works better :-).
We deal with two points, first the routing:
yes, you need matches here only for the source traffic, and we set only the next hop or the exit interface.
so far so good.
For your tracker please add a source to the tracker, this is to keep the packets where we need them :-)
ip sla 1
icmp-echo 193.X.X.3 source-interface Dialer1
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 62.X.X.215 source-ip XXXX
ip sla schedule 2 life forever start-time now
!
The delay you are experiencing is because the tracker is assumed to be up after a reload; then you say you track it for 60 seconds down ...
Because you are using PBR (so the default routing table is only the fallback) you don't need the
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 62.X.X.9 track 2
That you don't see both defaults may be caused by the trackers.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 62.X.X.9
Should be ok ...
Please remove the interface from the second one.
Please turn "ip virtual-reassembly in" off if you don't really need it ...
Cheers Patrick
04-02-2012 02:41 PM
Hi Oliver
Route-maps are a great tool, not only for NAT. Primarily they come from the routing tasks: PBR, route filtering during redistribution, BGP and so on :-)
Cheers Patrick
04-05-2012 02:45 PM
Hi Patrick,
I applied the changes you suggested.
I no longer have the default route changing after reboot; however, the SDSL (FastEthernet 0/1) public IP doesn't respond to ping or ssh.
Do you have any ideas ?
Regards,
Olivier
05-17-2012 07:33 AM
Hi Patrick,
I finally found a way to get ssh on both WAN interfaces. Furthermore, I figured out the ToISP PBR policy wasn't working as expected, so I removed it from FastEthernet0/0 and added a metric to the SDSL route.
Thanks again for the help you provided.
Here is the working config:
track 1 ip sla 1 reachability
delay down 1 up 1
!
interface FastEthernet0/0
description LAN Interface
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description To SDSL
ip address 62.x.x.10 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
description To ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
!
ip local policy route-map IspSDSL-Redirect
ip forward-protocol nd
!
!
ip nat inside source route-map IspADSL interface Dialer1 overload
ip nat inside source route-map IspSDSL interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 62.x.x.9 10
!
ip access-list extended SSH
permit tcp host 62.x.x.10 eq 22 any
!
ip sla 1
icmp-echo 193.x.x.3 source-interface Dialer1
threshold 60
timeout 1000
ip sla schedule 1 life forever start-time now
logging esm config
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
route-map IspSDSL permit 1
match ip address 10
match interface FastEthernet0/1
!
route-map IspADSL permit 1
match ip address 10
match interface Dialer1
!
route-map IspSDSL-Redirect permit 10
match ip address SSL SSH
match interface FastEthernet0/1
set ip next-hop 62.X.X.9
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
authorization exec XauthRadius
login authentication XauthRadius
transport input telnet
line vty 5 8
authorization exec XauthRadius
login authentication XauthRadius
transport input ssh
!
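As an added illustration (not from the thread, not Cisco code), a small Python model of the two behaviours the thread settles on: how the tracked default route via Dialer1 and the AD 10 floating static interact in the RIB (Patrick's "floating static" remark and the accepted answer), and why router-generated SSH replies sourced from the SDSL address only leave via 62.x.x.9 once the ip local policy route-map IspSDSL-Redirect is in place. The addresses 62.0.0.10 and 62.0.0.9 are constructed stand-ins for the masked 62.x.x.10 and 62.x.x.9, and matching on source address alone is a simplification of the SSH access list.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    """One configured 'ip route 0.0.0.0 0.0.0.0 ...' candidate."""
    via: str                      # exit interface name or next-hop address
    ad: int = 1                   # administrative distance (static default is 1)
    track: Optional[int] = None   # tracked object (IP SLA) that must be up


@dataclass
class Router:
    candidates: List[StaticRoute] = field(default_factory=list)
    tracks: dict = field(default_factory=dict)                          # track id -> True if up
    local_policy: List[Tuple[str, str]] = field(default_factory=list)   # (source ip, next hop)

    def rib_default_routes(self) -> List[str]:
        """Default routes actually installed in the RIB: drop candidates whose
        tracked object is down, then keep only the lowest AD. Several survivors
        with equal AD are all installed and load-shared (per session)."""
        usable = [r for r in self.candidates
                  if r.track is None or self.tracks.get(r.track, False)]
        if not usable:
            return []
        best = min(r.ad for r in usable)
        return [r.via for r in usable if r.ad == best]

    def egress_for_local_packet(self, src_ip: str) -> Optional[str]:
        """Exit for a router-generated packet such as an SSH reply: the
        'ip local policy' route-map is consulted first, the RIB only afterwards."""
        for match_src, next_hop in self.local_policy:
            if src_ip == match_src:
                return next_hop
        installed = self.rib_default_routes()
        return installed[0] if installed else None


def build_router(track1_up: bool, with_local_policy: bool, sdsl_ad: int = 10) -> Router:
    """Model of the final config: tracked default via Dialer1, floating static
    (AD 10) via the SDSL gateway, optional IspSDSL-Redirect local policy.
    Addresses are constructed stand-ins for the masked 62.x.x.10 / 62.x.x.9."""
    r = Router(tracks={1: track1_up})
    r.candidates = [
        StaticRoute("Dialer1", ad=1, track=1),    # ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
        StaticRoute("62.0.0.9", ad=sdsl_ad),      # ip route 0.0.0.0 0.0.0.0 62.x.x.9 10
    ]
    if with_local_policy:
        # route-map IspSDSL-Redirect: replies sourced from the SDSL address go to 62.x.x.9
        r.local_policy = [("62.0.0.10", "62.0.0.9")]
    return r


if __name__ == "__main__":
    plain = build_router(True, False)
    print("ADSL up, no local policy:", plain.rib_default_routes(),
          "- SSH reply from SDSL IP leaves via", plain.egress_for_local_packet("62.0.0.10"))
    print("ADSL down (floating static takes over):", build_router(False, False).rib_default_routes())
    print("equal AD, no '10' on the second route:", build_router(True, False, sdsl_ad=1).rib_default_routes())
    print("with ip local policy:", build_router(True, True).egress_for_local_packet("62.0.0.10"))
```

The first case reproduces the symptom from 04-05-2012: with only the RIB consulted, a reply sourced from the SDSL address is sent out Dialer1, so the SDSL public IP never answers ping or ssh.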
