c871 ISP change without outage

Unanswered Question
Nov 27th, 2009

hello guys,

I'm not sure about cisco871 and its FastEthernet4 interface.


I have a connection to ISP1; fa4 is used as the outside interface. The LAN is connected using fa0 (trunk for 3 networks inside the LAN, VLAN routing on the c871). This design is clear and working without problems.


interface FastEthernet4
description uplink to ISP1
ip address ISP1 netmask
ip access-group Internet in
ip mtu 1300
ip nat outside
ip inspect MyInspect out
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
crypto map IPSec
end


Now I have connected ISP2 (in near future this will replace ISP1). ISP2 is connected to fa3:


interface FastEthernet3
  description new uplink to ISP2
  switchport access vlan 50
end


interface Vlan50
  ip address ISP2 netmask
  ip access-group Internet-sanet in
  ip nat outside
  ip nat enable
  ip virtual-reassembly
end


Connectivity to both providers is OK. The default GW is to ISP1. When I set a static route for some dst through ISP2, connectivity from this dst to the router is successful. OK, it looks like all is working. I tried to change the default GW to ISP2.


Connectivity to/from the router is OK. The problem is NAT for clients in the LAN. After the default GW change, LAN clients are always translated to the ISP1 outside address.


ip nat inside source list nat-isp1 interface FastEthernet4 overload
ip nat inside source list nat-isp2 interface Vlan50 overload


ACLs nat-isp1 and nat-isp2 are the same:

    10 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
    20 deny ip 192.168.2.0 0.0.0.255 192.168.254.0 0.0.0.255
    30 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
    40 permit ip 192.168.1.0 0.0.0.255 any
    50 permit ip 192.168.2.0 0.0.0.255 any
    60 permit ip 192.168.10.0 0.0.0.255 any


#sh ip int brie
FastEthernet4         ISP1            YES manual up                    up
Vlan1                 192.168.1.1     YES NVRAM  up                    up
NVI0                  ISP1            YES unset  up                    up
Vlan2                 192.168.2.1     YES NVRAM  up                    up
Vlan10                192.168.10.1    YES NVRAM  up                    up
Vlan50                ISP2            YES NVRAM  up                    up


The NVI0 interface is using the address of fa4.


My questions are:

1. Is it possible to change the NVI0 address to an IP other than the IP of the fa4 interface?

2. Is it possible to change NAT for connectivity through ISP2 (fa3) to another public address? I'm not sure, because fa0-3 are switched ports and it's not possible to change fa3 to L3 only (no switchport).


router is cisco 871, c870-advipservicesk9-mz.124-15.T7.bin.


thanks for any help.

--

martin

Phillip Remaker Tue, 12/01/2009 - 06:40

OK, let me take a stab here.  Disclaimer: I have not used NVI, or the 871 series but have worked with classic NAT.


Seems like you are mixing NAT NVI config with classic NAT config.


Since you have specified the interfaces as "outside" I presume that they will be classic NAT, not NVI. Why use NVI here?


You are correct that the 4 interfaces cannot act independently as L3 entities on an 871.


NAT Order of Operation may be insightful:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


What is the crypto-map doing?

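An added example, not part of the thread or anyone's posted code: a small Python check for the mix of classic NAT and NVI that the reply points out, run over a constructed excerpt of the posted configuration. The function names and the sample's indentation (as "show running-config" prints it) are assumptions of this example.

```python
import re
# Constructed sample: NAT-related lines from the two uplinks posted above.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip nat outside
!
interface Vlan50
 ip nat outside
 ip nat enable
!
ip nat inside source list nat-isp1 interface FastEthernet4 overload
ip nat inside source list nat-isp2 interface Vlan50 overload
"""

CLASSIC_IF = re.compile(r"ip nat (inside|outside)$")      # classic interface marker
NVI_IF = re.compile(r"ip nat enable$")                    # NVI interface marker
CLASSIC_RULE = re.compile(r"ip nat (inside|outside) source\b")
NVI_RULE = re.compile(r"ip nat source\b")

def nat_styles(config):
    """Return ({interface: styles}, styles used by global translation rules)."""
    per_if, rules, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current:          # interface sub-command
            if CLASSIC_IF.match(line):
                per_if[current].add("classic")
            elif NVI_IF.match(line):
                per_if[current].add("nvi")
            continue
        m = re.match(r"interface\s+(\S+)", line)  # any other line is top-level
        current = m.group(1) if m else None
        if current:
            per_if.setdefault(current, set())
        elif CLASSIC_RULE.match(line):
            rules.add("classic")
        elif NVI_RULE.match(line):
            rules.add("nvi")
    return per_if, rules

def findings(config):
    # Flag interfaces that mix both styles, or use a style no global rule uses.
    per_if, rules = nat_styles(config)
    out = [f"{n}: mixes classic and NVI NAT" for n, s in per_if.items() if len(s) == 2]
    out += [f"{n}: {min(s)} NAT but no {min(s)} rule" for n, s in per_if.items()
            if len(s) == 1 and rules and not s & rules]
    return out
if __name__ == "__main__": print(findings(SAMPLE_CONFIG))
```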