Need simple solution

Apr 7th, 2009

I have one 2800 series router which is connected to ISP providers. I don't have any FW inside my network.

Here are my requirements

user-- Router-- ISP1


ISP1 Public pool is

ISP2 Public POOL is

Internal private pool is

1) ISP2 should be backup to primary.

2) I hope defaults can be configured like this

ip route isp1

ip route isp2 100

How will the NATing be configured to use primary (ISP1) and secondary as a backup (ISP2)?

3) Do we need to implement the policy map?


sateesh kumar.k

lamav Tue, 04/07/2009 - 12:09


Yes, you can use a route map. In fact, you use two of them.

What you do is bind the NAT functions to the respective output interfaces. The output interface the router selects will depend on the availability of the route out that interface. That, in turn, will tell the router which NAT statement is applicable.

Please look at this link. I think you will find it very helpful.



sateeshk10 Tue, 04/07/2009 - 12:24


Thanks for your prompt response.

If any request comes from it will match both the route-maps. When a packet is leaving outside the network, how does the packet know that it should go to ISP1? I hope it should be based on the default route only, right?

But with the below-mentioned default routes it's not working.

ip route ISP1

ip route ISP2 5

Secondary ISP should always be as backup.



lamav Tue, 04/07/2009 - 12:58


"if any request comes from it will match both the route-maps."

No, it won't because you are using TWO criteria to match with:

1.) The source network address

2.) The output interface

The output interface is determined by the routing process on your router. In your case, it's the static routes.

"When packet leaving the outside the network how the packet know that it should go to ISP1?"

You are going to have two default routes available. If you want a primary/failover set up, then you will make the ISP2 default route a floating static so that it will only be placed in the routing table in the event that the link to ISP1 fails.

[EDIT] It may help for you to understand the order of operations for NAT interfaces.

When a packet enters a router through the NAT "inside" interface, it will first be routed and then NAT'ed. [EDIT]



sateeshk10 Tue, 04/07/2009 - 13:17


it will first be routed and then NAT'ed..

This cleared all my doubts. But please find the below final config

ip nat inside source route-map ISP-A interface Serial2/1 overload
ip nat inside source route-map ISP-B interface Serial2/0 overload

ip access-list extended LAN-NATTED-OUT
 permit ip any

route-map ISP-B permit 10
 match ip address LAN-NATTED-OUT
 match interface Serial2/0

route-map ISP-A permit 10
 match ip address LAN-NATTED-OUT
 match interface Serial2/1

ip route ISPA
ip route ISPB 50

I hope with the above config it should work, right? But it's not working; what could be the issue...

With the same config somebody tested live, but it's not working.



lamav Tue, 04/07/2009 - 13:23


Can you post the device's entire configuration?

Can you also post the route table?

Can you lastly post a "sh ip int brief"?


sateeshk10 Tue, 04/07/2009 - 14:01


This is not yet implemented; who implemented the same with the same config, it's not working.

I am sorry to say that I can't provide the required info.

Will this scenario work with the config which I have provided to you?



lamav Tue, 04/07/2009 - 14:08

From what I see, yes, the configuration looks good.

Are you sure you have configured the NAT "inside" and "outside" statements under the appropriate interfaces?
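
The route-then-NAT order discussed in this thread, as an added example that is not part of any post: a simplified Python model of which NAT statement applies to a packet that arrived on a NAT "inside" interface. Interface and route-map names follow the posted config; the LAN prefix is constructed because the thread's addresses are not shown, and the model assumes a static default route is withdrawn when its interface goes down.

```python
# Simplified model of IOS "route first, then NAT" for inside-to-outside traffic.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")  # constructed; the thread's real pool is not shown

# Two default routes as in the thread: primary (AD 1) and floating static (AD 50).
STATIC_DEFAULTS = [("Serial2/1", 1), ("Serial2/0", 50)]

# NAT statements in configuration order: (route-map, match interface, overload interface).
NAT_RULES = [("ISP-A", "Serial2/1", "Serial2/1"), ("ISP-B", "Serial2/0", "Serial2/0")]


def egress_interface(up):
    """Routing step: lowest administrative distance among routes whose interface is up."""
    usable = [(ad, ifc) for ifc, ad in STATIC_DEFAULTS if ifc in up]
    return min(usable)[1] if usable else None


def nat_decision(src, up, nat_outside, rules=NAT_RULES):
    """Return (egress, route-map, overload interface), or None if there is no route.

    A rule whose match interface is None models a NAT statement without a
    'match interface' clause, so only the source address is checked.
    """
    egress = egress_interface(up)
    if egress is None:
        return None  # no default route installed
    if egress not in nat_outside or ip_address(src) not in LAN:
        return (egress, None, None)  # forwarded without translation
    for name, match_ifc, overload_ifc in rules:
        if match_ifc in (None, egress):
            return (egress, name, overload_ifc)
    return (egress, None, None)


if __name__ == "__main__":
    both = {"Serial2/1", "Serial2/0"}
    print(nat_decision("192.168.10.5", both, both))           # primary path
    print(nat_decision("192.168.10.5", {"Serial2/0"}, both))  # failover path
```

Passing rules with the match interface set to None shows why both criteria matter: after failover the first statement still matches, and the packet leaves Serial2/0 translated to the Serial2/1 address.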


lamav Tue, 04/07/2009 - 16:37

Edison, do you see a reason right off the bat why his configuration would not work?



lamav Wed, 04/08/2009 - 04:31



Edison Ortiz Wed, 04/08/2009 - 05:50



show ip nat trans

show ip nat stat

show ip route

Will certainly help...

lamav Wed, 04/08/2009 - 06:59

Wow! What a NON-answer. :-)

If I had some equipment in front of me I would "troubleshoot." But since you recommended a thread after the OP said my set up didn't work, I thought perhaps you had a definite clue as to what was wrong.

Thanks anyway

sateeshk10 Wed, 04/08/2009 - 08:38


This much of a big thread for the same.

If I follow the same, will this work?



Edison Ortiz Wed, 04/08/2009 - 10:17


It is a big thread but it is a very useful thread on how to accomplish your task. Mohammed and I spent quite a bit of time in a lab coming up with 2 different solutions that worked. You can also see the steps we did for troubleshooting which can also be useful when something doesn't work.

As an Engineer, I recommend that when something doesn't work, you engage in some kind of troubleshooting.

You will find that examples posted here and/or CCO will have something missing in the config but if you are good with troubleshooting, you can find out the problem rather quickly and learn at the same time. It will definitely make you a better engineer.

Now, with that said, can you post the output from typing:

show ip nat translation

show ip nat sta

show ip route

To determine what's not working?



lamav Wed, 04/08/2009 - 10:33


I agree with Edison. Configuration commands may look good on paper, but sometimes they don't work, and when they don't the best way to figure out what's wrong is to "lab it up," as they say. Replicate the topology and configurations in a non-production lab environment and analyze what is happening. Troubleshoot.

You said your friend created the set up I recommended, but you have not seen his set up. You are not involved in its creation or troubleshooting, and you can't vouch for the soundness of its implementation, so it's going to be hard to help you - or for you to help yourself, for that matter.

I asked Edison if he saw anything wrong because, from his post and the thread he recommended, which he was thoroughly involved in, I thought he had seen something wrong with the config I suggested that was glaringly obvious. Apparently not.

Besides posting the output of those commands, you may want to post the configuration that your friend completed, to make sure it is set up according to the recommendation, and then we can move on from there.



