08-08-2013 04:53 AM - edited 03-07-2019 02:49 PM
Hi. We are 2 IT students trying to configure a router for our school. Our router is an 1841 with a switch module.
It is a learning experience for us, where we have to make do with whatever equipment we have.
Thanks for your time!
We are having some problems; first and most important, users can't access the internet.
Users can ping the router's interfaces, both on the inside and outside, but cannot communicate with either the firewall or the other way out to the internet.
The idea is: we want to make a failover line going from the router to the ISP. It should only be used if the firewall crashes (due to old hardware).
Most important is the line through the firewall to the ISP.
VLAN on a switch module from the router to the user switch (the router only has two normal interfaces): 192.168.0.1 255.255.255.0
eth0/0 192.168.1.2 255.255.255.252 is the interface to the firewall.
eth0/1 is used as failover to the ISP directly.
The firewall is also our DHCP server at the moment.
Building configuration...
Current configuration : 1841 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.123-14.t5.bin
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name ****
ip ssh version 2
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
username ***** password 0 *****
archive
 log config
  hidekeys
!
!
no crypto isakmp ccm
!
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address ******
 ip access-group indin in
 ip access-group udout out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 switchport access vlan 192
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
 no ip address
!
interface Vlan192
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 192.168.1.1
 ip nat inside
 ip virtual-reassembly
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 2
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 3
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Vlan192 overload
!
ip access-list extended indin
 evaluate iptraffic
ip access-list extended udout
 permit ip any any reflect iptraffic
!
access-list 1 permit any
no cdp run
!
!
control-plane
!
!
line con 0
 password ******
 logging synchronous
 login
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
08-12-2013 07:50 AM
Dear Henrik,
Thank you for reaching Small Business Support Community.
The Cisco1841 router is not a Small Business device, it is considered an enterprise device and therefore you should inquire about it on the proper forum;
https://supportforums.cisco.com/community/netpro/network-infrastructure/switching
You can also move this post from the "Actions" top right panel. Thank you for your time.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found.
09-25-2025 09:37 PM
good
09-27-2025 04:02 AM
Does the firewall have a route for the internal networks pointing to the router? That could be missing.
For the failover, you could use a tracker to track the reachability of Google via the Firewall:
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 1 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 5
09-27-2025 04:49 AM
Hi there,
Nice work experimenting with the 1841 — that’s the best way to learn! From your config I noticed a few things that may be blocking Internet access.
1. NAT (Translation)
You’re currently using this:
ip nat inside source list 1 interface Vlan192 overload
That should actually point to the outside interface (facing ISP/firewall). For example:
ip nat inside source list 1 interface FastEthernet0/0 overload
Make sure:
2. Routing
Current routes in config:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 2
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 3
Better to use next‑hop IPs:
ip route 0.0.0.0 0.0.0.0 192.168.1.1 2
ip route 0.0.0.0 0.0.0.0 <ISP-Gateway-IP> 3
That way the router knows exactly where to send traffic (instead of ARP flooding out).
3. Failover
The static routes above give you:
Exactly what you want!
4. DHCP Relay
You’ve set:
ip helper-address 192.168.1.1
That’s correct if your firewall gives DHCP. Just confirm ACL/firewall allows DHCP.
5. ACLs
Your ACLs with “reflect iptraffic” look a bit experimental. I’d recommend disabling them temporarily until NAT + routing are confirmed to work, then re‑applying them.
Once fixed, users should get out to Internet via the firewall → ISP, and fallback to ISP direct if firewall fails.
Keep going — you’re definitely on the right track
Md. Irshad Ansari
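Added example (not part of any post in this thread, and not Cisco tooling): a small Python check that runs the three points raised in the replies against a config: the NAT overload interface must be an `ip nat outside` interface, default routes should name a next-hop IP, and a failover pair should have a tracked route. It assumes sub-commands are indented by one space as in real `show running-config` output; `parse_interfaces`, `audit` and the excerpt in `SAMPLE` are constructed for illustration.

```python
import re

# Constructed excerpt of the router config posted at the top of the thread
# (only the lines the checks below need).
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
interface FastEthernet0/1
 ip nat outside
interface Vlan192
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 2
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 3
ip nat inside source list 1 interface Vlan192 overload
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global config level
    return interfaces

def audit(config):
    """Return a list of findings for the NAT, routing and failover points."""
    findings = []
    ifaces = parse_interfaces(config)
    for m in re.finditer(r"^ip nat inside source list \S+ interface (\S+) overload", config, re.M):
        name = m.group(1)
        if "ip nat outside" not in ifaces.get(name, []):
            findings.append(f"nat-overload: {name} is not an 'ip nat outside' interface")
    defaults = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)$", config, re.M)
    for target, rest in defaults:
        if not re.match(r"\d+\.\d+\.\d+\.\d+$", target):
            findings.append(f"default-route: {target} is an interface, not a next-hop IP")
    if len(defaults) > 1 and not any(" track " in rest + " " for _, rest in defaults):
        findings.append("failover: no default route is tied to a track object")
    return findings
```

On the posted config the NAT check still fires after changing only the `ip nat inside source` line to FastEthernet0/0, because that interface carries no `ip nat outside` in the post.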