NAT, dual WAN, and IP SLA...

rudepeople
Level 1

I'm slowly getting this together, but I keep tripping.

I have an ISR4331 at our main office. There are two WAN connections (ISP1 and ISP2). ISP1 has 6 IP addresses, while ISP2 has only the one. In-house, I have a pretty large array of networked equipment, but the big pools are these: VPN, IP phones, servers, and everything else.

Right off, I needed to get the dual WANs configured in such a way that, should ISP1 fail, all traffic routes over to ISP2. For this I used IP SLA as described here. It works, but it won't fail back in the event ISP1 returns to normal (I have to shut the port linking ISP2, then it comes back online).

 

That brings me to problem #2: there are two services that need to fail over to ISP2 and continue functioning, a site-to-site VPN server and a VoIP server. Both operate on a range of ports, and those ports MUST forward correctly regardless of the external IP. Presently everything I care about is operating on a craptastic non-Cisco router with a single IP. There is no port overlap, so I know this is possible... but I can't see how to do it on the Cisco.

 

On a single WAN, I can do this:

ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500
ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500
ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190
ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195
ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001
ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060
ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060
ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061
ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090
ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090
ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000
ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001
ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002
...repeat above...
ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999

And it works fine... however, if ISP1 fails, I have to hop into PuTTY and copy/paste all that to swap those ports over to Gi0/0/1 and bring VoIP/VPN back up! Of course, that brings me to the THIRD problem... as you see at the end, UDP ports 9000-10999 ALL have to be forwarded, and that makes for a pretty large config file.

 

So, how do I set up NAT in as few lines as possible (preferably in a route-map of some sort), how do I set it to follow the active internet port, and how do I get it to fail back correctly?

 

Also, please bear in mind I will have a series of other servers in the network using NAT. They will be configured first, knowing they will fall offline, and remain offline entirely, in the event of a WAN failover. I'd LIKE to set it up so they still have basic internet connectivity in an outage, but I'm not too terribly worried about it.

 

My current running config (distinguishing info has been removed):

Building configuration...


Current configuration : 7414 bytes
!
! Last configuration change at 23:42:03 UTC Sat Jan 18 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname admin-isr
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.09.04.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 [removed]
enable password [removed]
!
no aaa new-model
!
ip name-server 208.67.222.222 208.67.220.220 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
ipv6 unicast-routing
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1403732793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1403732793
 revocation-check none
 rsakeypair TP-self-signed-1403732793
!
!
crypto pki certificate chain TP-self-signed-1403732793
 certificate self-signed 01
  [removed]
        quit
!
license udi pid ISR4331/K9 sn FDO22442L4L
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
username [removed] privilege 15 password 0 [removed]
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
track 8 ip sla 1 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description ISP1
 ip address 100.100.100.27 255.255.255.248 secondary
 ip address 100.100.100.28 255.255.255.248 secondary
 ip address 100.100.100.29 255.255.255.248 secondary
 ip address 100.100.100.30 255.255.255.248 secondary
 ip address 100.100.100.26 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description ISP2
 ip address 200.200.200.70 255.255.255.252
 ip nat outside
 negotiation auto
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/2
 description LanLink
 no ip address
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/2.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.22
 encapsulation dot1Q 22
 ip address 192.168.22.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.23
 encapsulation dot1Q 23
 ip address 192.168.23.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.24
 encapsulation dot1Q 24
 ip address 192.168.24.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.25
 encapsulation dot1Q 25
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.26
 encapsulation dot1Q 26
 ip address 192.168.26.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1/0
 switchport access vlan 21
!
interface GigabitEthernet0/1/1
 switchport access vlan 21
!
interface GigabitEthernet0/1/2
 switchport access vlan 22
!
interface GigabitEthernet0/1/3
 switchport access vlan 22
!
interface GigabitEthernet0/1/4
 switchport access vlan 23
!
interface GigabitEthernet0/1/5
 switchport access vlan 23
!
interface GigabitEthernet0/1/6
 switchport access vlan 24
!
interface GigabitEthernet0/1/7
 switchport access vlan 24
!
interface GigabitEthernet0/2/0
 switchport access vlan 24
!
interface GigabitEthernet0/2/1
 switchport access vlan 24
!
interface GigabitEthernet0/2/2
 switchport access vlan 24
!
interface GigabitEthernet0/2/3
 switchport access vlan 24
!
interface GigabitEthernet0/2/4
 switchport access vlan 25
!
interface GigabitEthernet0/2/5
 switchport access vlan 25
!
interface GigabitEthernet0/2/6
 switchport access vlan 25
!
interface GigabitEthernet0/2/7
 switchport access vlan 25
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
!
interface Vlan21
 description network
 no ip address
!
interface Vlan22
 description voice
 no ip address
!
interface Vlan23
 description security
 no ip address
!
interface Vlan24
 description server
 no ip address
!
interface Vlan25
 description workstation
 no ip address
!
interface Vlan26
 description IoT
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static 192.168.24.22 100.100.100.28 extendable
ip nat inside source static 192.168.24.21 100.100.100.27 extendable
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10
!
!
ip sla 1
 icmp-echo 100.100.100.25 source-ip 100.100.100.26
ip sla schedule 1 life forever start-time now
ip access-list extended 101
 permit ip 192.168.21.0 0.0.0.255 any
 permit ip 192.168.22.0 0.0.0.255 any
 permit ip 192.168.23.0 0.0.0.255 any
 permit ip 192.168.24.0 0.0.0.255 any
 permit ip 192.168.25.0 0.0.0.255 any
!
!
route-map NAT_ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
!
route-map NAT_ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password [removed]
 login
!
!
!
!
!
!
end
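Editor's note: the fragment below is an added reference design for the three questions in the post (follow the active WAN, fail back cleanly, avoid re-pasting forwards). It is not part of rudepeople's config or of any reply. It reuses the addresses from the posted config and makes these assumptions: 208.67.222.222 (already a name server in the config) is acceptable as the probe target even though it becomes unreachable through ISP2 while pinned to ISP1; 192.168.21.0/24 is the management network; IKE/NAT-T for the VPN host are UDP 500/4500 (the post lists them as tcp); and the IOS XE 16.9 image accepts the `route-map` option on port-level `ip nat inside source static` entries, which should be confirmed with `?` before pasting.

```cisco
! ===== 1. Reachability probe: test a host BEYOND ISP1's gateway, sourced from the ISP1 interface =====
! Probing the directly connected gateway (100.100.100.25) only tells you the link is up, not
! that ISP1 can carry traffic. 208.67.222.222 is assumed here; any stable host past ISP1 works.
ip sla 1
 icmp-echo 208.67.222.222 source-interface GigabitEthernet0/0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! Pin the probe to ISP1 so its verdict reflects ISP1 only. Without the /32 the probe can leave
! via ISP2 once the default route has moved and report "reachable". The floating Null0 route
! blackholes the probe while Gi0/0/0 is down instead of leaking it out the backup link.
ip route 208.67.222.222 255.255.255.255 GigabitEthernet0/0/0 100.100.100.25
ip route 208.67.222.222 255.255.255.255 Null0 10
!
! Dampen flaps: fail over after 15 s of loss, fail back only after 60 s of sustained success.
track 8 ip sla 1 reachability
 delay down 15 up 60
!
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10
!
! ===== 2. Outbound PAT: one rule per ISP, selected by the egress interface =====
ip access-list extended NAT_INSIDE
 permit ip 192.168.21.0 0.0.0.255 any
 permit ip 192.168.22.0 0.0.0.255 any
 permit ip 192.168.23.0 0.0.0.255 any
 permit ip 192.168.24.0 0.0.0.255 any
 permit ip 192.168.25.0 0.0.0.255 any
!
route-map NAT_ISP1 permit 10
 match ip address NAT_INSIDE
 match interface GigabitEthernet0/0/0
!
route-map NAT_ISP2 permit 10
 match ip address NAT_INSIDE
 match interface GigabitEthernet0/0/1
!
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
!
! ===== 3. Inbound forwards: TWO statics per port, each bound to its ISP's route-map =====
! "match interface" ties each translation to the WAN link the flow is routed over, so whichever
! default route is active decides which translation is live. Nothing is swapped at failover.
! Shown: IKE/NAT-T (UDP 500/4500) for the VPN host and SIP (TCP/UDP 5060) for the PBX;
! repeat the pair for every remaining port.
ip nat inside source static udp 192.168.24.5 500 100.100.100.26 500 route-map NAT_ISP1 extendable
ip nat inside source static udp 192.168.24.5 500 200.200.200.70 500 route-map NAT_ISP2 extendable
ip nat inside source static udp 192.168.24.5 4500 100.100.100.26 4500 route-map NAT_ISP1 extendable
ip nat inside source static udp 192.168.24.5 4500 200.200.200.70 4500 route-map NAT_ISP2 extendable
ip nat inside source static tcp 192.168.22.10 5060 100.100.100.26 5060 route-map NAT_ISP1 extendable
ip nat inside source static tcp 192.168.22.10 5060 200.200.200.70 5060 route-map NAT_ISP2 extendable
ip nat inside source static udp 192.168.22.10 5060 100.100.100.26 5060 route-map NAT_ISP1 extendable
ip nat inside source static udp 192.168.22.10 5060 200.200.200.70 5060 route-map NAT_ISP2 extendable
!
! ===== 4. Both WAN addresses now answer for forwarded ports; keep the router's own management =====
!         services off the Internet (the posted config has HTTP enabled and VTYs without an ACL).
access-list 10 remark management stations (assumed: VLAN 21)
access-list 10 permit 192.168.21.0 0.0.0.255
no ip http server
ip http access-class 10
! "transport input ssh" requires RSA keys first: crypto key generate rsa modulus 2048
line vty 0 4
 access-class 10 in
 transport input ssh
```

Two caveats on part 3. First, this is an active/standby design: while ISP1 holds the default route, a connection arriving on 200.200.200.70 gets its reply routed out ISP1 with ISP2's address as source, which upstream filtering will usually drop; serving both addresses at the same time needs policy routing on the reply path, which this example does not attempt. Second, I know of no port-range form of `ip nat inside source static`, so UDP 9000-10999 still means one line per port per ISP (generate the list offline rather than typing it). On ISP1 alone a single one-to-one static to a spare address (for example `ip nat inside source static 192.168.22.10 100.100.100.29 route-map NAT_ISP1 extendable`) exposes every port of the PBX in one line, which is why an inbound ACL on Gi0/0/0 permitting only the SIP and media ports belongs with it; ISP2's single address offers no such shortcut.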

 

6 Replies

Hello

Does your tracking initiate by any chance?

Try adding the following so that the monitored IP address is reachable via ISP2:

ip route 100.100.100.255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.255.255.255.255 null 0 10



Kind Regards
Paul


@paul driver wrote:

Hello

Does your tracking initiate by any chance?

Try adding the following so that monitored ip address is reachable via ISP 2

ip route 100.100.100.255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.255.255.255.255 null 0 10


Couple questions... was that a typo? Did you mean:

ip route 100.100.100.25 255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.25 255.255.255.255 null 0 10

Also, I assume you mean return from fail... right? Because tracking to fail works fine with this:

ip sla 1
    icmp-echo 100.100.100.25 source-ip 100.100.100.26
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10

And the guide indicated fail-back would work because icmp-echo would resume and cause traffic to default back to track 8.

Hello

I see a typo in my post, OP; it was meant to say:

Try adding the following so that the monitored IP address ISN'T reachable via ISP2:

ip route 100.100.100.25 255.255.255.255 gig0/0/0 100.100.100.x
ip route 100.100.100.25 255.255.255.255 null 0 10

 

So with the above command it would negate reachability towards 100.100.100.25 via ISP2. However, I notice now that the monitored IP is directly connected, which really isn't an applicable way to monitor with IP SLA; in this topology it should be an external address residing off ISP1, not a local IP address of the router.



Kind Regards
Paul

Hello, 

 

You could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:

 

event manager applet TRACK_8_DOWN
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "no shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"

action 9.0 cli command "end"

 

event manager applet TRACK_8_UP
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "no ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "no shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"

action 9.0 cli command "end"
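Editor's note: the applet pair below is an added example, not part of Georg Pauwen's reply. It assumes the inbound forwards already exist twice, once per ISP and bound to each ISP's route-map, so nothing has to be removed and re-added when track 8 changes state; all the applets then need to do is flush the stale translations from the failed link and log what happened. It deliberately does not shut either WAN interface: with the probe sourced from Gi0/0/0, shutting that interface on a down event means the probe can never succeed again and the up applet would never fire on its own. The addresses are the ones from the posted config; `$_cli_result` is the EEM built-in variable holding the output of the preceding `cli command`.

```cisco
! Fires once when ISP1's probe is lost and the floating default via ISP2 takes over.
event manager applet WAN_FAILOVER
 event track 8 state down
 action 1.0 syslog priority warnings msg "track 8 DOWN: ISP1 probe lost, default route now via ISP2 (200.200.200.69)"
 action 2.0 cli command "enable"
 ! Drop every translation that was built for ISP1's address; new flows rebuild via ISP2.
 action 3.0 cli command "clear ip nat translation *"
 ! Record which default route is actually installed after the switch.
 action 4.0 cli command "show ip route static | include 0.0.0.0/0"
 action 5.0 syslog priority informational msg "$_cli_result"
!
! Fires once when the probe has been good for the track's "delay up" period.
event manager applet WAN_FAILBACK
 event track 8 state up
 action 1.0 syslog priority notifications msg "track 8 UP: ISP1 probe restored, default route back via ISP1 (100.100.100.25)"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 cli command "show ip route static | include 0.0.0.0/0"
 action 5.0 syslog priority informational msg "$_cli_result"
```

Keeping the applets this small avoids the long `conf t` sessions of the swap approach, and the two syslog lines give you an audit trail of every transition (and of which gateway the router actually settled on), which is worth having when an ISP starts flapping at 3 a.m.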


@Georg Pauwen wrote:

Hello,

you could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:

[quoted EEM applets TRACK_8_DOWN and TRACK_8_UP, identical to the reply above]

I smell what you're cooking there... I'm still hoping for a more elegant solution for the port range. You only listed 9000, 9001, 9002, and 10999... in reality it's the entire range of ports 9000-10999, so that's gonna be a pretty large script for my liking, but hey! If it works, use it!

I have to wait till Saturday to attempt implementation again, but I'll give this a shot.


@Georg Pauwen wrote:

Hello, 

 

you could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:


Negative. The EEM script KINDA worked...

I set it up small at first, changing over just the primary ports for the PBX, VPN, and interface overload, and up front it worked like a champ! It took about 2 minutes and IP SLA flopped over, triggering EEM, and the ports moved from Gi0/0/0 to Gi0/0/1. But then I added the media ports for the PBX... that's when it fell on its face.

The EEM seems to be only able to handle a hundred or so lines of commands before it stops. I'm not sure what's stopping it because the logs aren't exactly clear. So this SEEMS to be the way to go for the most part, but that port range HAS to move over to the backup WAN in an outage, and the PBX software DEMANDS that range or it won't even try to connect to the SIP provider.

Is there seriously no way to specify and NAT a range of ports at once? That's a pretty dang common feature in just about every router I've seen, yet Cisco (the oldest name in the business) can't do it? I can't imagine that's the case, especially considering this is a pretty common configuration these days.
