Problems configuring NAT on 1920 router with Dual WAN (ADSL)

james
Level 1

Dear All,

Please go easy on me as I am a total newbie to IOS config and have had to do some serious learning this week.

Basically I have a simple LAN of 30 users and 2 servers that sit on a private address range (192.168.1.1 - 254). I have a Cisco 1921 router with 2 Gigabit Ethernet interfaces and have installed a 2 port Ethernet module to expand interfaces.

I have two Internet providers that provide me an optic connection to a converter and then a CAT 5 cable. Both of these connections have private public assigned IP addresses.

I have an email server and webserver on the LAN (192.168.2 and 192.168.1.3) and wish to port forward various ports to these servers - 25, 80, 443, 3389, and 2222.

In my external DNS I have two MX records for the mail server (mail.globalhomegroup.com) that point to 2 A records - one record for the publicly assigned IP address of one ISP and another IP address for the other ISP. Ideally what I would like is for mail to be delivered to the first ISP IP address - the one with the lower MX weighting - and then if that line goes down, through the IP address of the second MX record - the backup ISP we are using.

So I guess I am port forwarding to the internal server IP addresses via one of the two external interfaces.

At the same time I need to allow internal users to access HTTP, HTTPS etc.

So I have managed somehow to configure the external interfaces of the router to connect to the ISPs and have managed to assign IP info to the internal LAN interface. I can telnet to the router from the Internet via Dialer0 or Dialer1. Other than that I am totally stuck - I have tried to configure and debug NAT etc but can't see the wood for the trees now. Basically the port forwarding is not working and I am not sure if the config I have done is in any way correct. Could I please ask someone with experience to cast their eyes over the config and see where I have gone wrong as I am ripping my hair out now. Thank you.


10 Replies

cadet alain
VIP Alumni

Hi,

If you have 2 external paths over which you NAT, then for inside to outside access you must do this:

route-map WAN1
 match ip address 1
 set interface Dialer0
route-map WAN2
 match ip address 1
 set interface Dialer1
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map WAN1 interface Dialer0
ip nat inside source route-map WAN2 interface Dialer1

Now for outside to inside access you should do this:

no ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443
no ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25
no ip nat inside source static tcp 192.168.1.3 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443 extendable
ip nat inside source static tcp 192.168.1.2 25 interface Dialer0 25 extendable
ip nat inside source static tcp 192.168.1.3 80 interface Dialer0 80 extendable
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443 extendable
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25 extendable
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80 extendable

Now for failover:

with Dialer0 being primary and Dialer1 being backup:

no track 1
no track 2
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
no ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer0
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

Regards

Alain

Don't forget to rate helpful posts.

Hi there, many thanks for your massively helpful suggestions. Unfortunately I hit a snag and am not sure how to correct.

Basically I was connected to the router over the Internet via telnet and after I added the line no track 1 the terminal session froze and now I cannot get onto the router, which sits in Vietnam some distance from me. I don't have a modem or anything attached to the router.

I do know that when this happened earlier in the week when I was in the office all I had to do was reboot the router - I assume because I had not saved the running config to the startup config? This means I can get someone in the office to reboot, which is fine, but I lose all the lines I added - is there a way to add your code without breaking the connection?

Many thanks again for your help

Check what IP you're using to get to the router (the command who may do it).

Then add a route to yourself through Dialer0 before removing the track 1.

Use the command:

ip route X.X.X.X 255.255.255.255 Dialer0

X.X.X.X = your IP.

You should rate both posts if it works.

Hi there - ok your suggestion to add the route worked perfectly so many thanks for taking the time to help me. Appreciated.

Hi Alain,

Ok all your code worked until I hit the line ip sla 1 - when I entered this in config t mode, I got an error - I have attached a png of the error message. I did some reading about using SLA to monitor things using the router - very interesting - I saw in some examples people entering ip sla monitor (NUMBER) - I tried this but to no avail.

I take it I am setting up a constant ping to the Google DNS server here - any idea why the code is not being accepted?

Many thanks for your great help so far. Saved me hours and clumps of hair.

One more interesting thing I just noticed is that the addition of the ip nat for Dialer0 was not applied to the running config - I assume because the overload statement swaps the whole NAT to the Dialer0? Anyway, to test this router I need the Dialer0 to be active, failing over to Dialer1 - from the IOS code below it looks like Dialer1 is the main live WAN link and then Dialer0 active if Dialer1 fails - how do I swap that around?

!
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 118.173.250.55 255.255.255.255 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255

Hi there - yeah - after a bit of research I found the doc on the Cisco site about SLA and read about monitor so tried it - strange thing is that it did not take it - see below

% Invalid input detected at '^' marker.

GH-Router-001(config)#
GH-Router-001(config)#
GH-Router-001(config)#ip sla monitor 1
                             ^
% Invalid input detected at '^' marker.

GH-Router-001(config)#

Any further thoughts - must be missing something

Thx for help - James

Hi,

The syntax in 15.x code is ip sla and not ip sla monitor, but if it is not accepted then it is surely because you haven't got the licence with the SLA feature, in which case stick with your initial track command (with ip routing) you had, and for the rest you can use the commands I posted.

Regards

Alain

Don't forget to rate helpful posts.

Hi,

As the track command is referencing an ip sla but that command is not available, there is no default route using Dialer0, and this is why your NAT statement for Dialer0 is not working.

The default route via Dialer1 has an AD of 2, so if the route via Dialer0 gets reinstalled in the routing table it will delete the second one, which has a higher AD (it will be the secondary).

Regards

Alain

Don't forget to rate helpful posts.

Hi Alain,

So I understand all your info about the SLA functionality - shame that's a different license!

So I have to use the track again - does this mean I need to reinsert

track 1 interface Dialer0 ip routing
 delay down 1 up 2
!
track 2 interface Dialer1 ip routing
 delay down 1 up 2

into my new existing code from you, which is below? Do I need to make any other changes to the code below if I insert the track code above, Alain? Thx so much for your help - wish I could buy you a virtual beer!

!
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.3 80 interface Dialer1 80
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 118.173.250.55 255.255.255.255 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
route-map WAN1 permit 10
match ip address 1
set interface Dialer0
!
route-map WAN2 permit 10
match ip address 1
set interface Dialer1
!
control-plane

Hi,

Just use this one:

track 1 interface Dialer0 ip routing
 delay down 1 up 2

Then you can use the rest of the code, but you can get rid of the static route to 8.8.8.8 because it was only used for the SLA:

no ip route 8.8.8.8 255.255.255.255 Dialer0

Regards

Alain

Don't forget to rate helpful posts.
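The rules Alain spelled out across this thread (port forwards present on both dialers and marked extendable, per-WAN route-map NAT, a tracked primary default route with a floating backup at a worse AD, a track object that points at something the router can actually run, and no leftover 8.8.8.8 host route once the SLA probe is gone) are easy to get half-applied, as James found. The script below is an added config audit, not code from the thread or from Cisco; the sample config is constructed to resemble James' posted one, and the check names and wording are my own.

```python
import re
# Constructed sample shaped like James' config: the track watches an ip sla the router cannot
# run, the Dialer0 statics are incomplete, and the 8.8.8.8 host route lingers from the probe.
SAMPLE = """
track 1 ip sla 1 reachability
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.2 443 interface Dialer0 443 extendable
ip nat inside source route-map WAN1 interface Dialer0 overload
ip nat inside source route-map WAN2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip route 8.8.8.8 255.255.255.255 Dialer0
"""
STATIC = re.compile(r"ip nat inside source static (\w+) (\S+) (\d+) interface (\S+) (\d+)( extendable)?$")
DEFAULT = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$")
HOST = re.compile(r"ip route (\S+) 255\.255\.255\.255 (\S+)$")

def audit(config, primary="Dialer0", backup="Dialer1"):
    """Return a list of findings; an empty list means the config follows the thread's rules."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    out = []
    # 1. each port forward must exist on both WANs and be 'extendable' once it is on more than one
    statics = {}
    for m in filter(None, map(STATIC.match, lines)):
        proto, ip, iport, iface, oport, ext = m.groups()
        statics.setdefault((proto, ip, iport, oport), {})[iface] = bool(ext)
    for (proto, ip, iport, oport), seen in sorted(statics.items()):
        for iface in (primary, backup):
            if iface not in seen:
                out.append(f"static {proto} {ip}:{iport}->{oport} missing on {iface}")
            elif len(seen) > 1 and not seen[iface]:
                out.append(f"static {proto} {ip}:{iport}->{oport} on {iface} lacks 'extendable'")
    # 2. primary default route is tracked; backup default route floats with a worse AD
    routes = {m[1]: (int(m[2] or 1), m[3]) for m in filter(None, map(DEFAULT.match, lines))}
    p_ad, track = routes.get(primary, (1, None))
    if track is None:
        out.append(f"default route via {primary} is not tracked")
    if backup not in routes or routes[backup][0] <= p_ad:
        out.append(f"default route via {backup} missing or its AD is not higher than {p_ad}")
    # 3. a track bound to an unconfigured ip sla stays down, so the primary default never installs
    tdef = next((l for l in lines if track and l.startswith(f"track {track} ")), "")
    sla = re.search(r"ip sla (\d+)", tdef)
    if sla and f"ip sla {sla[1]}" not in lines:
        out.append(f"track {track} watches ip sla {sla[1]}, which is not configured (licence?)")
    # 4. a /32 route via the primary that no icmp-echo probe uses is a leftover worth removing
    probed = set(re.findall(r"icmp-echo (\S+)", config))
    for dst, iface in (m.groups() for m in filter(None, map(HOST.match, lines))):
        if iface == primary and dst not in probed:
            out.append(f"leftover host route: no ip route {dst} 255.255.255.255 {iface}")
    return out
```

Run it against the output of show running-config after each change; four findings come back for the sample, and an empty list once the Dialer0 statics, the interface-based track and the removed 8.8.8.8 route from Alain's last reply are applied.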