Community Member

Hi Experts

Please, is it possible to configure 2 default routes in a router?

16 REPLIES
Hall of Fame Super Blue

Re: Hi Experts

Habib

Yes it is perfectly possible to have 2 default routes on a router. The router will load-balance across the 2 routes (providing it does not find a more specific route in the routing table).

Jon

Community Member

Re: Hi Experts

Thank you Jon for your answer,

in the attached file, you have the architecture of my network:

-R1 connects the other branches to the HQ via MPLS and those branches go to the internet through R1 (in R1 I have 2 dialer interfaces: dialer0 for internet access and dialer1 for MPLS)

-R2 connects the HQ to the internet

But now I want all my internet traffic to pass through the ASA, and for that I want to shut down dialer0 in R1 and configure in it a second default route towards the ASA.

Please, I want to know if this would work.

Thank you

Hall of Fame Super Blue

Re: Hi Experts

Habib

Unfortunately can't read visio files, can you post as a .jpg/.png

Jon

Community Member

Re: Hi Experts

The attached document is in .gif format; I hope that you can open it.

Thank you

Hall of Fame Super Blue

Re: Hi Experts

So what does the first default-route on R1 point to ?

Jon

Community Member

Re: Hi Experts

Hi Mr Jon,

The first default route on R1 points to dialer0.

Now I have two ISPs: the first one is connected through R1 and the second one through R2. I want to cancel the contract with the first one (the internet provider contract, but maintain the MPLS contract because I am using its infrastructure for MPLS) and maintain the second ISP for internet access.

Thank you, and I will be pleased to hear from you.

Regards

Hall of Fame Super Blue

Re: Hi Experts

Habib

Okay 2 default-routes won't work because the router will not know whether to send the packet via MPLS or to the internet.

So

1) the default-route must be used for Internet traffic because the destination address could be anything -

ip route 0.0.0.0 0.0.0.0

2) You will need more specific routes for your branch networks that are reachable via MPLS. So on R1 you would need to add routes for all branch networks eg.

ip route 192.168.5.0 255.255.255.0

etc...

If you have summarised your network hopefully there won't be too many entries.

Jon
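The route selection described in the reply above, as an added example that is not part of the original post: a longest-prefix-match lookup showing that two default routes tie for every destination, while a specific branch route plus one default separates MPLS from internet traffic. The next hop `ASA_IP` and the destination `203.0.113.9` are constructed placeholders, not values from the thread.

```python
import ipaddress

def parse_routes(config):
    """Parse 'ip route <prefix> <mask> <next-hop>' lines into (network, next_hop)."""
    routes = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "route"]:
            # Convert the dotted netmask to a prefix length by counting its 1 bits.
            plen = bin(int(ipaddress.IPv4Address(parts[3]))).count("1")
            routes.append((ipaddress.ip_network(f"{parts[2]}/{plen}"), parts[4]))
    return routes

def lookup(routes, dst):
    """Return the next hops of the longest matching prefix (all of them if tied)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return sorted(nh for net, nh in matches if net.prefixlen == best)

# Constructed configs; ASA_IP is a placeholder next hop.
TWO_DEFAULTS = """
ip route 0.0.0.0 0.0.0.0 dialer1
ip route 0.0.0.0 0.0.0.0 ASA_IP
"""
SPECIFIC_PLUS_DEFAULT = """
ip route 192.168.5.0 255.255.255.0 dialer1
ip route 0.0.0.0 0.0.0.0 ASA_IP
"""

if __name__ == "__main__":
    for name, cfg in (("two defaults", TWO_DEFAULTS),
                      ("specific + default", SPECIFIC_PLUS_DEFAULT)):
        routes = parse_routes(cfg)
        # One branch destination and one constructed internet destination.
        for dst in ("192.168.5.10", "203.0.113.9"):
            print(f"{name:20} {dst:14} -> {lookup(routes, dst)}")
```
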

Community Member

Re: Hi Experts

Thank you very much for your answer

In R1 I have already added routes to all my branch networks and those routes are like this:

ip route 172.16.2.0 255.255.255.0 dialer1

ip route 172.16.3.0 255.255.255.0 dialer1

etc...

In R1, I will disable the existing default route which is:

ip route 0.0.0.0 0.0.0.0 dialer0

and replace it by

ip route 0.0.0.0 0.0.0.0

I will let you know.

Regards

Hall of Fame Super Blue

Re: Hi Experts

Habib

No problem, let me know how you get on.

Jon

Community Member

Re: Hi Experts

hi M. Jon

I changed the default route in R1, and from R1 I reach the DNS of the second ISP through R2, but when I log in to the router of one of my branches I don't reach that DNS; consequently the computers behind this router don't get access to the internet. Please help me to solve this problem.

In the ASA, I have built these dynamic NATs:

nat (inside) 1 network_address_branch_1

nat (inside) 1 network_address_branch_2

etc...

global (outside) 1 x.x.x.y - x.x.x.z

regards

Community Member

Re: Hi Experts

hi habib,

Are x.x.x.y-x.x.x.z your public IPs? Where are you translating for internet access? How many public IP addresses do you have for the internet?

In the above configuration, if you are specifying public IPs in global (outside), only z-y inside hosts will be able to access the internet.

So, could you please clarify where you are translating for internet access: in router R2 or on the ASA outside interface?

Community Member

Re: Hi Experts

hi roshan

I have one public address for internet and the translation for internet is made on R2.

Regards

Community Member

Re: Hi Experts

Hi Habib,

I have pasted a sample configuration that resembles your network.

! The following are the assumptions with IP addresses
! Router R2 [fa0/0] internet address=192.168.10.2 and gateway address=192.168.10.1
! Branch Networks: Branch_A=172.22.10.0/24, Branch_B=172.22.15.0/24
! R2 inside address: 172.16.10.1
! ASA outside address: 172.16.10.2, inside address: 172.16.20.1
! Router R1 inside address 172.16.20.2
!
!=================================================================
! R2 configuration
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip route 172.22.0.0 255.255.0.0 172.16.10.2
ip route 172.16.20.0 255.255.255.0 172.16.10.2
!
ip access-list extended internet_access
 permit ip 172.22.10.0 0.0.0.255 any
 permit ip 172.22.15.0 0.0.0.255 any
!
ip nat inside source list internet_access interface fastethernet 0/0 overload
ip nat inside source static 172.16.15.20 192.168.10.20
!
!=================================================================
!
! ASA configuration : assuming nat-control is enabled
!
no nat-control
!
route outside 0.0.0.0 0.0.0.0 172.16.10.1
route inside 172.22.0.0 255.255.0.0 172.16.20.2
!
!=================================================================
!
! R1 configuration
!
ip route 172.22.0.0 255.255.0.0 dialer1
ip route 0.0.0.0 0.0.0.0 172.16.20.1
!
!=================================================================

Community Member

Re: Hi Experts

Thank you M. Roshan, thank you for your answer. I will try to apply your sample configuration and let you know; but I also want to control internet access on my ASA (not all computers have access to the internet). Between R2 and the ASA I have this network, 172.16.254.0/24, which can permit me to do static NAT on the ASA for computers which have access to the internet. Does this configuration work?

Community Member

Re: Hi Experts

Hi Habib,

You can control internet access in many ways. If you have static IP addresses for internet access, then I would suggest adding an ACL on the inside of router R2.

In the example below, the ACL internet_users will control internet access.

!
ip access-list extended internet_users
 permit ip host 172.22.10.1 any
 permit ip 172.22.15.16 0.0.0.7 any
!
interface fastethernet 0/1
 description <<<<< Inside Network >>>>>
 ip access-group internet_users in
!

If you are using dynamic IP address assignment and if you have Cisco Secure ACS, then use proxy authentication on Internet Router R2.
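A way to review which sources the internet_users ACL in the post above actually admits before applying it, as an added example that is not part of the original post: a small evaluator for the source part of extended ACL entries with wildcard masks, first-match semantics and the implicit deny at the end. The function names are hypothetical; the ACL lines are copied from the post.

```python
import ipaddress

# ACL lines as posted above (source match only; the destination is "any").
INTERNET_USERS = """
permit ip host 172.22.10.1 any
permit ip 172.22.15.16 0.0.0.7 any
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Return a list of (action, base, wildcard) source-match entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[0], tok[2:]      # tok[1] is the protocol ("ip")
        if rest[0] == "host":               # host A  ==  A 0.0.0.0
            base, wild = _to_int(rest[1]), 0
        elif rest[0] == "any":              # any     ==  0.0.0.0 255.255.255.255
            base, wild = 0, 0xFFFFFFFF
        else:
            base, wild = _to_int(rest[0]), _to_int(rest[1])
        entries.append((action, base, wild))
    return entries

def evaluate(entries, src):
    """First match wins; no match falls through to the implicit deny."""
    addr = _to_int(src)
    for action, base, wild in entries:
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        if (addr | wild) == (base | wild):
            return action
    return "deny"

def permitted_hosts(entries, network):
    """List the hosts of a network that the ACL permits."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if evaluate(entries, str(h)) == "permit"]

if __name__ == "__main__":
    acl = parse_acl(INTERNET_USERS)
    print(permitted_hosts(acl, "172.22.10.0/24"))
    print(permitted_hosts(acl, "172.22.15.0/24"))
```

Because the ACL ends in an implicit deny, every source not listed is dropped inbound on that interface, so any other traffic that must cross it needs its own permit entry.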

Community Member

Re: Hi Experts

Hi Roshan and Jon

I did approximately what you asked me to do and it works; now all my branches go to the internet through R2. Thank you very much for your help.

regards
