03-06-2016 12:46 PM - edited 03-05-2019 03:30 AM
Hi, I set up a WAN failover with IP SLA. This part is working, but I can't access the Internet when the Internet connection switches from WAN-1 to WAN-2.
I use a Cisco model C881G+7-A-K9, SN#FTX18428274.
The primary WAN is FE4 and the backup is the integrated 3G Dialer1.
If I want to access the Internet after the connection switches from WAN-1 to WAN-2, I need to type this command:
no ip nat inside source list 100 interface FastEthernet4 overload
If the Internet access switches back to WAN-1, I need to type these commands again to be able to access the Internet:
no ip nat inside source list 105 interface Dialer1 overload
ip nat inside source list 100 interface FastEthernet4 overload
Please see a part of my config. I have a DMVPN tunnel too and an IPsec tunnel. (See the attached file for the complete config.)
Here is a part of my configuration:
WAN-1 Interface FE4
interface FastEthernet4
 description WAN-1 Main
 ip address dhcp
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Netgear
WAN-2 Dialer-1
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string hspa-R7
 dialer persistent
 dialer-group 1
 crypto map Netgear
IP SLA
ip sla auto discovery
ip sla 1
 icmp-echo 70.80.188.1 source-interface FastEthernet4
 timeout 6000
 frequency 10
ip sla schedule 1 life forever start-time now
IP Route
ip route 0.0.0.0 0.0.0.0 70.80.188.1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 5
NAT
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source list 105 interface Dialer1 overload
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 105 deny ip 192.168.254.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.254.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 105 deny ip 192.168.254.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 105 deny ip 192.168.254.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 105 permit ip 192.168.254.0 0.0.0.255 any
Let me Know.
Thank you !
Patrick Lussier
03-07-2016 12:48 PM
You need to use route-maps. Something like this.
Delete:
no ip nat inside source list 100 interface FastEthernet4 overload
no ip nat inside source list 105 interface Dialer1 overload
no access-list 100
Add:
ip nat inside source route-map NAT-FIXED interface FastEthernet4 overload
ip nat inside source route-map NAT-CELLULAR interface Dialer1 overload
route-map NAT-FIXED permit 10
 match ip address 105
 match interface FastEthernet4
!
route-map NAT-CELLULAR permit 10
 match ip address 105
 match interface Dialer1
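As an added illustration (not part of the thread and not Cisco code), a small Python config linter that flags the pattern the question started with, two ACL-keyed `ip nat inside source list ... overload` rules whose permit clauses cover the same inside network, and stays quiet on the route-map form given in this answer. The two config samples are constructed from the posts above; the check is a heuristic over the text of the configuration, not a model of IOS NAT.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the questioner's original NAT block (two ACL-keyed overload rules).
ORIGINAL_NAT = """
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source list 105 interface Dialer1 overload
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 105 permit ip 192.168.254.0 0.0.0.255 any
"""

# Constructed sample: the route-map form from the accepted answer.
ROUTEMAP_NAT = """
ip nat inside source route-map NAT-FIXED interface FastEthernet4 overload
ip nat inside source route-map NAT-CELLULAR interface Dialer1 overload
access-list 105 permit ip 192.168.254.0 0.0.0.255 any
route-map NAT-FIXED permit 10
 match ip address 105
 match interface FastEthernet4
route-map NAT-CELLULAR permit 10
 match ip address 105
 match interface Dialer1
"""

LIST_RULE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
ACL_PERMIT = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) any$")


def audit_nat_failover(config: str) -> List[str]:
    """Warn when two ACL-keyed overload rules permit the same inside source.

    Which of those rules translates a flow does not follow the default route, so
    after a failover inside hosts stay tied to the dead WAN (the thread's symptom).
    Route-map rules with 'match interface' key on the real egress and are not flagged.
    """
    rules: Dict[str, str] = {}         # ACL number -> outside interface
    permits: Dict[str, Set[str]] = {}  # ACL number -> permitted inside sources
    for line in map(str.strip, config.splitlines()):
        if m := LIST_RULE.match(line):
            rules[m.group(1)] = m.group(2)
        elif m := ACL_PERMIT.match(line):
            permits.setdefault(m.group(1), set()).add(m.group(2))
    warnings = []
    acls = list(rules)
    for i, a in enumerate(acls):
        for b in acls[i + 1:]:
            shared = permits.get(a, set()) & permits.get(b, set())
            if shared:
                warnings.append(f"ACL {a} ({rules[a]}) and ACL {b} ({rules[b]}) both permit "
                                f"{sorted(shared)}; use route-maps with 'match interface'")
    return warnings
```

Running `audit_nat_failover` over a full `show running-config` dump works the same way, since lines that match neither pattern are ignored.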
03-08-2016 06:34 PM
Hi Philip,
I tried that, and now my laptop keeps Internet access even if I switch from the WAN-1 ISP to the WAN-2 ISP; I still have Internet access whether it comes from WAN-1 or WAN-2. But,
unfortunately, with this new setting my site-to-site VPN tunnel doesn't work, whether the active ISP is the primary WAN-1 or the backup WAN-2.
Same thing for my DMVPN (EIGRP) tunnels: they stop working.
Do I need to add more information to the route map?
Let me know.
Thank you!
03-08-2016 06:48 PM
You didn't show me that config ... so I couldn't account for it.
I don't believe the issue is related to the route maps. First you need to enable a keepalive mechanism to clear broken VPNs. This needs to be done on both ends.
crypto isakmp keepalive 30
Next, is the remote end capable of handling you coming in from a different IP address?
Next DMVPN. Do the tunnels both have the same destination, or different destinations?
03-08-2016 07:16 PM
Hi Philip,
You can see in my first post the attached cisco881g.docx; all my router config is there, I just removed some IP addresses.
1) Next, is the remote end capable of handling you coming in from a different IP address? YES
I have for the moment 4 site-to-site IPsec VPNs.
2) Next DMVPN. Do the tunnels both have the same destination, or different destinations?
In fact I have 4 DMVPN tunnels with 2 hubs, and for the moment only 2 active spokes, but in the near future I will have around 20 spokes.
The DMVPN tunnels are:
Spoke-1 (WAN-1) to Hub-1 (WAN-1) 172.20.1.0/24
Spoke-1 (WAN-1) to Hub-1 (WAN-2) 172.21.1.0/24
Spoke-1 (WAN-2) to Hub-1 (WAN-1) 172.22.1.0/24
Spoke-1 (WAN-2) to Hub-1 (WAN-2) 172.23.1.0/24
See the tunnel information below, or the complete router config attached to the first post.
interface Tunnel0
 description WAN-1-DM-1
 bandwidth 1000
 ip address 172.20.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 444
 no ip split-horizon eigrp 444
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.20.1.1 xxx.xxx.xxx.xxx (HUB-1)
 ip nhrp map multicast xxx.xxx.xxx.xxx
 ip nhrp map multicast $$$.$$$.$$.$$$ (HUB-2)
 ip nhrp map 172.20.1.2 $$$.$$$.$$.$$$
 ip nhrp network-id xxxx
 ip nhrp holdtime 60
 ip nhrp nhs 172.20.1.1
 ip nhrp nhs 172.20.1.2
 ip tcp adjust-mss 1360
 delay 100
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key xxxxxx
interface Tunnel3
 description DM-3_WAN-2
 bandwidth 500
 ip address 172.22.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 444
 no ip split-horizon eigrp 444
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast xxx.xxx.xxx.xxx
 ip nhrp map 172.22.1.1 xxx.xxx.xxx.xxx (HUB-1)
 ip nhrp map multicast $$$.$$$.$$.$$$
 ip nhrp map 172.22.1.2 $$$.$$$.$$.$$$ (HUB-2)
 ip nhrp network-id xxxx
 ip nhrp holdtime 60
 ip nhrp nhs 172.22.1.1
 ip nhrp nhs 172.22.1.2
 ip tcp adjust-mss 1360
 delay 200
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key xxxx
interface Tunnel4
 description WAN-2-DM-2
 bandwidth 500
 ip address 172.21.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 444
 no ip split-horizon eigrp 444
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast !!!.!!!.!!!.!!!
 ip nhrp map 172.21.1.1 !!!.!!!.!!!.!!! (HUB-1)
 ip nhrp map 172.21.1.2 **.*.**.*** (HUB-2)
 ip nhrp map multicast **.*.**.***
 ip nhrp network-id xxxx
 ip nhrp holdtime 60
 ip nhrp nhs 172.21.1.1
 ip nhrp nhs 172.21.1.2
 ip tcp adjust-mss 1360
 delay 250
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key xxxxxx
interface Tunnel5
 description DM-4_WAN-2
 bandwidth 1000
 ip address 172.23.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 444
 no ip split-horizon eigrp 444
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast !!!.!!!.!!!.!!!
 ip nhrp map 172.23.1.1 !!!.!!!.!!!.!!! (HUB-1)
 ip nhrp map 172.23.1.2 **.*.**.*** (HUB-2)
 ip nhrp map multicast **.*.**.***
 ip nhrp network-id xxxx
 ip nhrp holdtime 60
 ip nhrp nhs 172.23.1.1
 ip nhrp nhs 172.23.1.2
 ip tcp adjust-mss 1360
 delay 150
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key xxx
Thank You again !
Patrick
03-08-2016 07:32 PM
If the hubs have two different public IP addresses, hard-code the routes to only go via one circuit. For example:
ip route a.b.c.d 255.255.255.255 70.80.188.1 permanent
ip route e.f.g.h 255.255.255.255 Dialer1 permanent
03-08-2016 09:09 PM
Hi Philip,
I rebooted the router and retried what you sent me first, and now it's working OK.
I don't know what happened the first time I tested it. Probably I forgot to erase something.
Another quick question: how can I do port forwarding with my config?
Example: external port 1024 forwarded to IP 192.168.254.100, internal port 8080.
Will the forwarded port work on both WAN-1 and WAN-2?
Thank you again!
03-09-2016 01:59 PM
This has become a bit of a complex config!
The port forward will not work on both interfaces at a time. It will only work on the "active" interface that the default route is pointing via.
Basically you need something like:
ip nat inside source static tcp 192.168.254.100 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.254.100 8080 interface Dialer1 8080
03-14-2016 08:48 PM
Thank You for your time.