01-18-2020 04:43 PM
I'm slowly getting this together, but I keep tripping.
I have an ISR4331 at our main office. There are two WAN connections (ISP1 and ISP2). ISP1 has 6 IP addresses, while ISP2 has only the one. In-house, I have a pretty large array of networked equipment, but the big pools are these: VPN, IP phones, servers, and everything else.
Right off, I needed to get the dual WANs configured in such a way that, should ISP1 fail, all traffic routes over to ISP2. For this I used IP SLA as described here. It works, but it won't fail back in the event ISP1 returns to normal (I have to shut the port linking ISP2, then it comes back online).
That brings me to problem #2: there are two services that need to fail over to ISP2 and continue functioning, a site-to-site VPN server and a VoIP server. Both operate on a range of ports, and those ports MUST forward correctly regardless of the external IP. Presently everything I care about is operating on a craptastic non-Cisco router with a single IP. There is no port overlap, so I know this is possible... but I can't see how to do it on the Cisco.
On a single WAN, I can do this:
ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500
ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500
ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190
ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195
ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001
ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060
ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060
ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061
ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090
ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090
ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000
ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001
ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002
...repeat above...
ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999
And it works fine... however, if ISP1 fails, I have to hop into PuTTY and copy/paste all that to swap those ports over to Gi 0/0/1 and bring VoIP/VPN back up! Of course that brings me to the THIRD problem... as you see at the end, UDP ports 9000-10999 ALL have to be forwarded, and that makes for a pretty large config file.
So, how do I set up NAT in as few lines as possible (preferably in a route-map of some sort), how do I set it to follow the active internet port, and how do I get it to fail back correctly?
Also please bear in mind I will also have a series of other servers in the network using NAT. They will be configured first, knowing they will fall offline, and remain offline entirely, in the event of a WAN failover. I'd LIKE to set it up so they still have basic internet connectivity in an outage, but I'm not too terribly worried about it.
My current running config (distinguishing info has been removed):
Building configuration...

Current configuration : 7414 bytes
!
! Last configuration change at 23:42:03 UTC Sat Jan 18 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname admin-isr
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.09.04.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 [removed]
enable password [removed]
!
no aaa new-model
!
ip name-server 208.67.222.222 208.67.220.220 8.8.8.8
!
login on-success log
!
subscriber templating
ipv6 unicast-routing
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1403732793
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1403732793
 revocation-check none
 rsakeypair TP-self-signed-1403732793
!
crypto pki certificate chain TP-self-signed-1403732793
 certificate self-signed 01
  [removed]
  quit
!
license udi pid ISR4331/K9 sn FDO22442L4L
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username [removed] privilege 15 password 0 [removed]
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
track 8 ip sla 1 reachability
!
interface GigabitEthernet0/0/0
 description ISP1
 ip address 100.100.100.27 255.255.255.248 secondary
 ip address 100.100.100.28 255.255.255.248 secondary
 ip address 100.100.100.29 255.255.255.248 secondary
 ip address 100.100.100.30 255.255.255.248 secondary
 ip address 100.100.100.26 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description ISP2
 ip address 200.200.200.70 255.255.255.252
 ip nat outside
 negotiation auto
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/2
 description LanLink
 no ip address
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/2.21
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.22
 encapsulation dot1Q 22
 ip address 192.168.22.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.23
 encapsulation dot1Q 23
 ip address 192.168.23.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.24
 encapsulation dot1Q 24
 ip address 192.168.24.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.25
 encapsulation dot1Q 25
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/2.26
 encapsulation dot1Q 26
 ip address 192.168.26.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1/0
 switchport access vlan 21
!
interface GigabitEthernet0/1/1
 switchport access vlan 21
!
interface GigabitEthernet0/1/2
 switchport access vlan 22
!
interface GigabitEthernet0/1/3
 switchport access vlan 22
!
interface GigabitEthernet0/1/4
 switchport access vlan 23
!
interface GigabitEthernet0/1/5
 switchport access vlan 23
!
interface GigabitEthernet0/1/6
 switchport access vlan 24
!
interface GigabitEthernet0/1/7
 switchport access vlan 24
!
interface GigabitEthernet0/2/0
 switchport access vlan 24
!
interface GigabitEthernet0/2/1
 switchport access vlan 24
!
interface GigabitEthernet0/2/2
 switchport access vlan 24
!
interface GigabitEthernet0/2/3
 switchport access vlan 24
!
interface GigabitEthernet0/2/4
 switchport access vlan 25
!
interface GigabitEthernet0/2/5
 switchport access vlan 25
!
interface GigabitEthernet0/2/6
 switchport access vlan 25
!
interface GigabitEthernet0/2/7
 switchport access vlan 25
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
!
interface Vlan21
 description network
 no ip address
!
interface Vlan22
 description voice
 no ip address
!
interface Vlan23
 description security
 no ip address
!
interface Vlan24
 description server
 no ip address
!
interface Vlan25
 description workstation
 no ip address
!
interface Vlan26
 description IoT
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static 192.168.24.22 100.100.100.28 extendable
ip nat inside source static 192.168.24.21 100.100.100.27 extendable
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10
!
ip sla 1
 icmp-echo 100.100.100.25 source-ip 100.100.100.26
ip sla schedule 1 life forever start-time now
ip access-list extended 101
 permit ip 192.168.21.0 0.0.0.255 any
 permit ip 192.168.22.0 0.0.0.255 any
 permit ip 192.168.23.0 0.0.0.255 any
 permit ip 192.168.24.0 0.0.0.255 any
 permit ip 192.168.25.0 0.0.0.255 any
!
route-map NAT_ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
!
route-map NAT_ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password [removed]
 login
!
end
01-19-2020 07:58 AM - edited 01-20-2020 09:44 AM
Hello
Does your tracking initiate by any chance?
Try adding the following so that monitored ip address is reachable via ISP 2
ip route 100.100.100.255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.255.255.255.255 null 0 10
01-20-2020 08:31 AM
@paul driver wrote:
Hello
Does your tracking initiate by any chance?
Try adding the following so that monitored ip address is reachable via ISP 2
ip route 100.100.100.255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.255.255.255.255 null 0 10
Couple questions... was that a typo? Did you mean:
ip route 100.100.100.25 255.255.255.255 gig0/0/0 100.100.100.25
ip route 100.100.100.25 255.255.255.255 null 0 10
Also, I assume you mean return from fail... right? Because tracking to fail works fine with this:
ip sla 1
 icmp-echo 100.100.100.25 source-ip 100.100.100.26
ip sla schedule 1 life forever start-time now
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10
And the guide indicated fail-back would work because icmp-echo would resume and cause traffic to default back to track 8.
01-20-2020 09:45 AM - edited 01-20-2020 09:54 AM
Hello
I see a typo in my post, OP; it was meant to say:
Try adding the following so that the monitored ip address ISN'T reachable via ISP 2
ip route 100.100.100.25 255.255.255.255 gig0/0/0 100.100.100.x
ip route 100.100.100.25 255.255.255.255 null 0 10
So with the above commands it would negate reachability towards 100.100.100.25 via ISP2. However, I notice now that the monitored IP is directly connected, which really isn't an applicable way to monitor with IP SLA; in this topology it should be an external address residing off ISP 1, not a local IP address of the router.
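An added example (not from Paul's post or the OP's running config) of the probe layout Paul is describing: the SLA target is an external address instead of the directly connected ISP1 gateway, a host route pins the probe to ISP1, and a floating Null0 route keeps it from being answered over ISP2, so the track can go down and come back up on its own. 208.67.222.222 is one of the name servers already in the OP's config, chosen here as the probe target; the frequency and delay timers are assumptions.

```cisco
! Added example, not from the thread. Probe an external address
! (208.67.222.222, already a name server in the OP's config) rather
! than the directly connected ISP1 gateway 100.100.100.25, so an
! upstream ISP1 outage with the link still up is also detected.
ip sla 1
 icmp-echo 208.67.222.222 source-ip 100.100.100.26
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Dampen flaps: down after 15 s of lost probes, up after 30 s of
! answers (timer values are an assumption, tune to the link).
track 8 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe to ISP1 so it is only ever answered over that path ...
ip route 208.67.222.222 255.255.255.255 GigabitEthernet0/0/0 100.100.100.25
! ... and discard it while Gi0/0/0 is down rather than letting it
! follow the floating default via ISP2 and mask the ISP1 outage.
ip route 208.67.222.222 255.255.255.255 Null0 10
!
! Default routes as in the OP's config: primary follows the track,
! backup is a floating static with administrative distance 10.
ip route 0.0.0.0 0.0.0.0 100.100.100.25 track 8
ip route 0.0.0.0 0.0.0.0 200.200.200.69 10
```

A single external target means an outage at that target alone also flips the router to ISP2; tracking a second target and combining both in a boolean track list is the usual guard against that.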
01-20-2020 01:19 PM
Hello,
you could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:
event manager applet TRACK_8_DOWN
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "no shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"
action 9.0 cli command "end"
event manager applet TRACK_8_UP
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "no ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "no shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"
action 9.0 cli command "end"
01-21-2020 08:44 AM
@Georg Pauwen wrote:
Hello,
you could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:
event manager applet TRACK_8_DOWN
event track 8 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "no shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"
action 9.0 cli command "end"
event manager applet TRACK_8_UP
event track 8 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload"
action 3.1 cli command "no ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload"
action 4.0 cli command "interface GigabitEthernet0/0/0"
action 5.0 cli command "no shut"
action 5.1 cli command "exit"
action 5.2 cli command "interface GigabitEthernet0/0/1"
action 5.3 cli command "shut"
action 5.4 cli command "do clear ip nat translation *"
action 5.5 cli command "exit"
action 6.0 cli command "no ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/1 500"
action 6.1 cli command "no ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/1 4500"
action 6.2 cli command "no ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/1 1190"
action 6.3 cli command "no ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/1 1194"
action 6.4 cli command "no ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/1 1195"
action 6.5 cli command "no ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/1 5001"
action 6.6 cli command "no ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.7 cli command "no ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/1 5060"
action 6.8 cli command "no ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/1 5061"
action 6.9 cli command "no ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.0 cli command "no ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/1 5090"
action 7.1 cli command "no ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/1 9000"
action 7.2 cli command "no ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/1 9001"
action 7.3 cli command "no ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/1 9002"
action 7.4 cli command "no ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/1 10999"
action 7.5 cli command "ip nat inside source static tcp 192.168.24.5 500 interface GigabitEthernet0/0/0 500"
action 7.6 cli command "ip nat inside source static tcp 192.168.24.5 4500 interface GigabitEthernet0/0/0 4500"
action 7.7 cli command "ip nat inside source static tcp 192.168.24.6 1190 interface GigabitEthernet0/0/0 1190"
action 7.8 cli command "ip nat inside source static tcp 192.168.24.6 1194 interface GigabitEthernet0/0/0 1194"
action 7.9 cli command "ip nat inside source static tcp 192.168.24.6 1195 interface GigabitEthernet0/0/0 1195"
action 8.0 cli command "ip nat inside source static tcp 192.168.22.10 5001 interface GigabitEthernet0/0/0 5001"
action 8.1 cli command "ip nat inside source static tcp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.2 cli command "ip nat inside source static udp 192.168.22.10 5060 interface GigabitEthernet0/0/0 5060"
action 8.3 cli command "ip nat inside source static tcp 192.168.22.10 5061 interface GigabitEthernet0/0/0 5061"
action 8.4 cli command "ip nat inside source static tcp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.5 cli command "ip nat inside source static udp 192.168.22.10 5090 interface GigabitEthernet0/0/0 5090"
action 8.6 cli command "ip nat inside source static udp 192.168.22.10 9000 interface GigabitEthernet0/0/0 9000"
action 8.7 cli command "ip nat inside source static udp 192.168.22.10 9001 interface GigabitEthernet0/0/0 9001"
action 8.8 cli command "ip nat inside source static udp 192.168.22.10 9002 interface GigabitEthernet0/0/0 9002"
action 8.9 cli command "ip nat inside source static udp 192.168.22.10 10999 interface GigabitEthernet0/0/0 10999"
action 9.0 cli command "end"
I smell what you're cooking there... I'm still hoping for a more elegant solution for the port range. You only listed 9000, 9001, 9002, and 10999... in reality it's the entire range of ports 9000-10999, so that's gonna be a pretty large script for my liking, but hey! If it works, use it!
I have to wait till Saturday to attempt implementation again, but I'll give this a shot.
01-25-2020 03:00 PM - edited 01-25-2020 03:01 PM
@Georg Pauwen wrote:
Hello,
you could also automate whatever you are doing manually by configuring the two EEM scripts below. One would run when the SLA is down, the other one when it is up:
Negative. The EEM script KINDA worked...
I set it up small at first, changing over just the primary ports for the PBX, VPN, and interface overload, and up front it worked like a champ! It took about 2 minutes and IP SLA flopped over, triggering EEM, and the ports moved from Gi0/0/0 to Gi0/0/1. But then I added the media ports for the PBX... that's when it fell on its face.
The EEM seems to be only able to handle a hundred or so lines of commands before it stops. I'm not sure what's stopping it because the logs aren't exactly clear. So this SEEMS to be the way to go for the most part, but that port range HAS to move over to the backup WAN in an outage, and the PBX software DEMANDS that range or it won't even try to connect to the SIP provider.
Is there seriously no way to specify and NAT a range of ports at once? That's a pretty dang common feature in just about every router I've seen, yet Cisco (the oldest name in the business) can't do it? I can't imagine that's the case, especially considering this is a pretty common configuration these days.