CISCO 1811 Dual WAN Switching Help Required


Thanks for reading,

We have just purchased a CISCO 1811 router and are having no luck in configuring it. I started by using SDM to configure the router but quickly moved to telnet when SDM would not allow me to configure everything required.

Right, enough with the background, here is my issue: I have a Satellite service running on FE0 and an ADSL service running on FE1. The FE0 is set with a static IP address and the FE1 is PPPOE to a simple modem with no firewall or NAT. So FE1 is currently just being the Dialer0 to use PPPOE pass-through.

What I am looking to do is have the Site-Site connection going over the Satellite service while pushing all the HTTP/HTTPS traffic through FE1. As most of you are aware, Sat services carry high latency, so I want users' browsing experiences to be quick, while I am not so bothered about the Site-Site traffic, which will be company based.

I have managed to configure the FE0 & FE1 so that both are up and online. FE0 has no issues and currently everything is working over the Sat service. I need to find some way of telling the CISCO to route web traffic over the ADSL. I am not bothered with load balancing at present so there is no need to failover. However, if any of you are able to provide a solution with failover then all the better.

Ok last but not least this is my running config from the box; I have *** some entries but if you require them please e-mail me direct. You will find the config attached to this post.

Hope I have given enough info above. Any questions, please post back or e-mail me direct. If any of you CISCO experts out there read this, I am sure this is a walk in the park for you! Thanks in advance!

James Coyne Sun, 10/05/2008 - 08:28

Match the traffic:

class-map match-any ASDL.TRAFFIC
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol secure-ftp
 match protocol secure-imap

Set the precedence for use in policy based routing:

policy-map ASDL.TRAFFIC
 class ASDL.TRAFFIC
  set ip precedence 1

Create the route-map for policy based routing, set the next-hop to that of the ADSL:

route-map ASDL.TRAFFIC permit 10
 match ip address ASDL.TRAFFIC
 set ip next-hop x.x.x.x

Apply both of these to the incoming interface:

interface vlan1
 ip address x.x.x.x y.y.y.y
 ip policy route-map ASDL.TRAFFIC
 service-policy input ASDL.TRAFFIC

James Coyne Sun, 10/05/2008 - 08:32

Forgot to include the ACL to match on precedence:

ip access-list extended ASDL.TRAFFIC
 permit ip any any precedence priority

That's great, thanks for your help! Just one question: do I need to do anything with the NAT? When I was trying to get something like this to work last time, the NAT seemed to cause an issue... I was under the impression I have to put in an 'ip route', like this:

ip route 85.***.***.1**

Also, the ADSL line has a Dynamic IP. Does that affect what you have provided me?

Sorry to be a pain! As you can tell, new to CISCO. Used to working with Draytek and I can hear you sigh now. Ha ha.

James Coyne Sun, 10/05/2008 - 10:08

Ok, I took a closer look at your config. Why not change the ip nat statement to point to the ADSL?

From this:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

To this:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload

Change your routes from this:

ip route 85.***.***.1**


ip route fa0/1

! Direct traffic out the ADSL

ip route 8*.7*.***.1 85.***.***.1**

! Add a specific route for the crypto tunnel via the SAT

Traffic by default is directed out the ADSL, NAT overload is enabled. A more specific route points the tunnel traffic out of the SAT link. The only thing you would need to add is a route for site to site traffic over the tunnel.

Thanks for your reply! Yes I can see that would be the best way of doing it.

Not sure if you looked in the config at this, but SDM_RMAP_1 is assigned to the VPN tunnel. Think SDM created this when I set up the Site-Site link through it.

I think I will remove all ACL rules to start with till the connections are stable, as I don't want to lock myself out.

If I edit the config file to your recommendation, would you kindly mind checking it over and making sure I have got things right?

Thanks again. I consulted a company here in the UK and they said this would have to be a CISCO engineer project of thousands. I didn't see why it was so hard to do. Maybe they were trying to over complicate things.

