Hello,

the config I sent should work. I don't see how your branch 2 is connected, is this through an Internet connection as well ?

The two branches are not connected by internet rather MPLS service. i dont have a problem with the MPLS connection.

My problem is i can ping 4.2.2.2 from the router itself but there is no internet connection for the inside clients

Hello,

the config you posted last won't work. Try the one I suggested and let us know the results...

Yes, Your config works but in that case i only had 2 connections. but now i added another internet connection (Third Connection), but the router has 2 Layer 2 ports and 4 Layer 2 ports.

My problem is how can i connect i use the newly added layer 2 ports with the new added internet connection.

The config that you posted is a start for using a layer 2 port to have Internet access. But there are some things that are not right in it. I do see the layer 2 port assigned to vlan 2 and I do see the layer 3 interface vlan 2 has an IP address assigned and nat outside specified. But I do not see any nat statements using this interface. You would need a nat statement for it similar to what you have for the other Internet facing interfaces. Also need a route map for that nat statement. Also I do not see any routing statements using this interface so you need to add some configuration for routing out this interface.

HTH

Rick

Thanks Richard,

Can you please fix my config, i couldn`t do any better.

Many Thanks.

I have changed the config as below, what did i miss?

interface GigabitEthernet0/0/0

 description Primary

 ip address 10.134.199.108 255.255.255.248

 ip nat outside

 negotiation auto

!

interface GigabitEthernet0/0/1

 ip address 172.19.0.1 255.255.0.0

 ip nat inside

 negotiation auto

!

interface GigabitEthernet0/1/0

 switchport access vlan 2

 switchport mode access

!

interface GigabitEthernet0/1/1

!

interface GigabitEthernet0/1/2

!

interface GigabitEthernet0/1/3

!

interface Cellular0/2/0

 description Backup

 ip address negotiated

 ip nat outside

 dialer in-band

 dialer idle-timeout 0

 dialer-group 1

 ipv6 address autoconfig

 pulse-time 1

!

interface Cellular0/2/1

 no ip address

!

interface Vlan1

 no ip address

!

interface Vlan2

 ip address 10.134.49.251 255.255.240.0

 ip nat outside

!

ip nat inside source route-map BACKUP interface Cellular0/2/0 overload

ip nat inside source route-map Internet interface Vlan2 overload

ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload

ip forward-protocol nd

no ip http server

ip http secure-server

ip route 172.20.0.0 255.255.0.0 10.134.199.106 track 1

ip route 0.0.0.0 0.0.0.0 10.134.48.1

ip route 172.20.0.0 255.255.0.0 Cellular0/2/0

!

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr

ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

!

ip sla 1

 icmp-echo 172.20.0.27 source-interface GigabitEthernet0/0/0

 threshold 1000

 timeout 1000

 frequency 5

ip sla schedule 1 life forever start-time now

access-list 1 permit 0.0.0.0

access-list 2 permit 172.19.0.0 0.0.255.255

access-list 2 permit 172.20.0.0 0.0.255.255

access-list 10 permit 172.19.0.0 0.0.255.255

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipv6 permit

!

!

route-map BACKUP permit 10

 match ip address 1 10

 match interface Cellular0/2/0

!

route-map Internet permit 10

 match ip address 1

 match interface Vlan2

!

route-map PRIMARY permit 10

 match ip address 10

 match interface GigabitEthernet0/0/0

!

The issue might be with the ACL that you are using for nat which does permit 0.0.0.0

I would suggest that you use ACL 10

route-map Internet permit 10

 match ip address 10

I also note that this posted config has only a single configured default route, which does use the new Internet connection. Was that done to enable testing? One of the things that you do need to work out is the logic of which interface to use when going outside since you now have 3 choices, primary, cellular, and this new vlan interface.

HTH

Rick