06-07-2013 01:40 AM - edited 03-07-2019 01:46 PM
Dear All,
Please go easy on me as I am a total newbie to IOS config and have had to do some serious learning this week.
Basically I have a simple LAN of 30 users and 2 servers that sit on a private address range (192.168.1.1 - 254). I have a Cisco 1921 router with 2 Gigabit Ethernet interfaces and have installed a 2-port Ethernet module to expand the interfaces.
I have two Internet providers that each provide me an optical connection to a converter and then a CAT 5 cable. On both of these connections I have public IP addresses assigned.
I have an email server and a web server on the LAN (192.168.1.2 and 192.168.1.3) and wish to port forward various ports to these servers: 25, 80, 443, 3389 and 2222.
In my external DNS I have two MX records for the mail server (mail.globalhomegroup.com) that point to 2 A records - one record for the publicly assigned IP address of one ISP and another IP address for the other ISP. Ideally what I would like is for mail to be delivered to the first ISP IP address - the one with the lower MX weighting - and then, if that line goes down, through the IP address of the second MX record - the backup ISP we are using.
So I guess I am port forwarding to the internal server IP addresses via one of the two external interfaces.
At the same time I need to allow internal users to access HTTP, HTTPS etc.
So I have managed somehow to configure the external interfaces of the router to connect to the ISPs and have managed to assign IP info to the internal LAN interface. I can telnet to the router from the Internet via Dialer0 or Dialer1. Other than that I am totally stuck - I have tried to configure and debug NAT etc. but can't see the wood for the trees now. Basically the port forwarding is not working and I am not sure if the config I have done is in any way correct. Could I please ask someone with experience to cast their eyes over the config and see where I have gone wrong, as I am ripping my hair out now. Thank you
06-07-2013 02:40 AM
Hi,
If you have 2 external paths over which you NAT, then for inside-to-outside access you must do this:
! 'match interface' is what selects the translation by egress interface;
! NAT route-maps ignore 'set' clauses, so 'set interface' has no effect here.
route-map WAN1 permit 10
 match ip address 1
 match interface Dialer0
!
route-map WAN2 permit 10
 match ip address 1
 match interface Dialer1
!
! 'overload' (PAT) is needed so many inside hosts can share one public address.
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
Now for outside to inside access you should do this:
no ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443
no ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25
no ip nat inside source static tcp 192.168.1.3 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443 extendable
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25 extendable
ip nat inside source static tcp 192.168.1.3 80 interface Dialer0 80 extendable
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443 extendable
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25 extendable
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80 extendable
Now for failover:
with dialer 0 being primary and dialer1 being backup:
no track 1
no track 2
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
no ip route 0.0.0.0 0.0.0.0 dialer1 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 dialer0
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer0
! the schedule is a separate command; 'ip sla 1 life forever start now' is not valid syntax
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
Regards
Alain
Don't forget to rate helpful posts.
06-07-2013 08:07 AM
Hi there, many thanks for your massively helpful suggestions. Unfortunately I hit a snag and am not sure how to correct.
Basically I was connected to the router over the Internet via telnet, and after I added the line 'no track 1' the terminal session froze, and now I cannot get onto the router, which sits in Vietnam some distance from me. I don't have a modem or anything attached to the router.
I do know that when this happened earlier in the week, when I was in the office, all I had to do was reboot the router - I assume because I had not saved the running config to the startup config? This means I can get someone in the office to reboot, which is fine, but I lose all the lines I added - is there a way to add your code without breaking the connection?
Many thanks again for your help
06-07-2013 12:44 PM
Check which IP you're using to get to the router (the command 'who' may do it).
Then add a route to yourself through Dialer0 before removing track 1.
Use the command:
ip route X.X.X.X 255.255.255.255 Dialer0
X.X.X.X = your IP.
You should rate both posts if it works.
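The lockout described above (removing a track object withdraws the tracked default route, and with it the path back to the admin) is avoidable with a short routine. The session below is an added example, not part of the thread; 203.0.113.10 (an RFC 5737 documentation address) stands in for the address that 'show users' / 'who' reveals, and the vty and SSH lines assume nothing about how management access is currently set up beyond the Telnet access the question mentions.

```cisco
! Added example (not from the thread): changing routing/NAT on a router that is
! only reachable over the WAN, without locking yourself out.
!
! 1. Find the address you are connected from (shown in the Location column).
show users
!
! 2. Safety net: schedule a reload before touching anything. If the session is
!    lost, the unsaved running config is discarded at reload and the last saved
!    config comes back. Answer 'no' to the save prompt; cancel it when done.
reload in 10
!
! 3. Pin a host route for your own address to the primary WAN so that removing
!    or re-creating the tracked default route cannot drop the session you are
!    working over.
configure terminal
ip route 203.0.113.10 255.255.255.255 Dialer0
!
! 4. Now make the risky change (here: replacing the track object).
no track 1
track 1 interface Dialer0 ip routing
 delay down 1 up 2
!
! 5. Management access (assumed addition): the thread uses Telnet from the
!    Internet. A vty ACL limited to the admin address plus SSH keeps the same
!    reachability while removing cleartext logins and anonymous login attempts.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip access-list standard MGMT
 permit host 203.0.113.10
line vty 0 4
 access-class MGMT in
 transport input ssh
end
!
! 6. Verify the default route is back and which track state it depends on.
show ip route 0.0.0.0
show track 1
!
! 7. Only once everything checks out, commit and cancel the pending reload.
write memory
reload cancel
```

The host route to the admin address stays in the config afterwards; it is harmless while Dialer0 is up, but note that if Dialer0 is down the admin must connect via the Dialer1 address instead, since the pinned route will not follow the failover.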
06-10-2013 01:58 AM
Hi there - OK, your suggestion to add the route worked perfectly, so many thanks for taking the time to help me. Appreciated.
06-10-2013 02:21 AM
Hi Alain,
OK, all your code worked until I hit the line 'ip sla 1' - when I entered this in config t mode I got an error - I have attached a PNG of the error message. I did some reading about using SLA to monitor things using the router - very interesting - I saw in some examples people entering 'ip sla monitor (NUMBER)' - I tried this but to no avail.
I take it I am setting up a constant ping to the Google DNS server here - any idea why the code is not being accepted?
Many thanks for your great help so far. Saved me hours and clumps of hair.
One more interesting thing I just noticed is that the addition of the IP NAT for Dialer0 was not applied to the running config - I assume because the overload statement swaps the whole NAT to the Dialer0? Anyway, to test this router I need Dialer0 to be active, failing over to Dialer1 - from the IOS code below it looks like Dialer1 is the main live WAN link and then Dialer0 is active if Dialer1 fails - how do I swap that around?
!
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 118.173.250.55 255.255.255.255 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255
06-10-2013 02:56 AM
Hi there - yeah, after a bit of research I found the doc on the Cisco site about SLA and read about 'monitor', so I tried it - the strange thing is that it did not take it - see below:
% Invalid input detected at '^' marker.
GH-Router-001(config)#
GH-Router-001(config)#
GH-Router-001(config)#ip sla monitor 1
^
% Invalid input detected at '^' marker.
GH-Router-001(config)#
Any further thoughts? I must be missing something.
Thanks for the help - James
06-10-2013 05:20 AM
Hi,
The syntax in 15.x code is 'ip sla' and not 'ip sla monitor', but if it is not accepted then it is surely because you haven't got the licence with the SLA feature, in which case stick with the initial track command (with 'ip routing') you had, and for the rest you can use the commands I posted.
Regards
Alain
Don't forget to rate helpful posts.
06-10-2013 05:25 AM
Hi,
As the track command references an IP SLA but that command is not available, there is no default route using Dialer0, and this is why your NAT statement for Dialer0 is not working.
The default route via Dialer1 has an AD of 2, so if the route via Dialer0 gets reinstalled in the routing table it will delete the second one, which has a higher AD (it will be the secondary).
Regards
Alain
Don't forget to rate helpful posts.
06-10-2013 06:04 AM
Hi Alain,
So I understand all your info about the SLA functionality - shame that's a different licence!
So I have to use the track again - does this mean I need to reinsert
track 1 interface Dialer0 ip routing
delay down 1 up 2
!
track 2 interface Dialer1 ip routing
delay down 1 up 2
into my new existing code from you, which is below? Do I need to make any other changes to the code below if I insert the track code above, Alain? Thanks so much for your help - wish I could buy you a virtual beer!
!
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 118.173.250.55 255.255.255.255 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map WAN1 permit 10
match ip address 1
set interface Dialer0
!
route-map WAN2 permit 10
match ip address 1
set interface Dialer1
!
control-plane
06-10-2013 06:30 AM
Hi,
just use this one:
track 1 interface Dialer0 ip routing
delay down 1 up 2
Then you can use the rest of the code, but you can get rid of the static route to 8.8.8.8 because it was only used for the SLA:
no ip route 8.8.8.8 255.255.255.255 Dialer0
Regards
Alain
Don't forget to rate helpful posts.
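The thread converges on a working configuration in pieces spread over several replies. The block below is an added example (not a configuration posted by any participant) that pulls Alain's inside-to-outside NAT, the extendable static translations and the tracked default routes into one place for the topology in the question, with the interface-tracking variant the thread ended with and the IP SLA variant kept as commented-out lines for images that accept 'ip sla'. The LAN interface name (GigabitEthernet0/0), the dialer descriptions, the 'frequency' and 'delay' values and the decision to leave 3389 and 2222 off the Internet-facing forwards are assumptions.

```cisco
! Added example (not from the thread): consolidated dual-WAN NAT and failover.
!
! Inside-to-outside: one ACL, two route-maps. 'match interface' selects the
! translation by egress interface; NAT route-maps ignore 'set' clauses.
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map WAN1 permit 10
 match ip address 1
 match interface Dialer0
!
route-map WAN2 permit 10
 match ip address 1
 match interface Dialer1
!
! 'overload' (PAT) is required: without it each public address carries only
! one inside host at a time.
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
!
! Outside-to-inside: the same inside socket published on both dialers.
! 'extendable' is what allows one inside address:port to appear in more than
! one static translation. RDP (3389) and 2222 from the question are left off
! the Internet-facing set on purpose (assumption: reach them over a VPN).
ip nat inside source static tcp 192.168.1.2 25  interface Dialer0 25  extendable
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443 extendable
ip nat inside source static tcp 192.168.1.3 80  interface Dialer0 80  extendable
ip nat inside source static tcp 192.168.1.2 25  interface Dialer1 25  extendable
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443 extendable
ip nat inside source static tcp 192.168.1.3 80  interface Dialer1 80  extendable
!
! Failover: primary default via Dialer0 conditioned on track 1; floating
! static via Dialer1 with AD 2 that is only installed while the primary is gone.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
!
! Track variant used at the end of the thread. It follows the dialer's own
! routing state, so it cannot detect an upstream failure while PPPoE stays up.
track 1 interface Dialer0 ip routing
 delay down 1 up 2
!
! IP SLA variant (use instead of the interface track where 'ip sla' is
! accepted). The host route pins the probe to Dialer0 so it fails when that
! path is dead instead of silently succeeding via Dialer1. It also pins user
! traffic to 8.8.8.8 on Dialer0, so choose a target your users do not depend
! on (the ISP's own next hop is a common choice).
! ip sla 1
!  icmp-echo 8.8.8.8 source-interface Dialer0
!  frequency 10
! ip sla schedule 1 life forever start-time now
! track 1 ip sla 1 reachability
!  delay down 10 up 20
! ip route 8.8.8.8 255.255.255.255 Dialer0
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description ISP1 (primary)
 ip address negotiated
 ip nat outside
!
interface Dialer1
 description ISP2 (backup)
 ip address negotiated
 ip nat outside
```

Two checks are worth running after applying this: 'show ip route 0.0.0.0' should list the Dialer0 route while track 1 is up and the Dialer1 route only after 'show track 1' reports it down; and 'show ip nat translations' should show entries created on Dialer0 for outbound LAN traffic in the normal state, which is the symptom that was missing in the thread while the tracked default route was absent.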