You'll have to excuse me, for I'm quite new at this. Our company just purchased an 1811 integrated services router that has two wan ports. I would like to configure the router to support one local LAN subnet with NAT and failover on the two WAN ports. We have SDSL and a T1 for failover. How difficult would this be and where can I look to find out how to configure it? Is it even possible to do via SDM or must it be done via command line?
I think you can use SNAT (Stateful Failover of Network Address Translation) for this case; check out the following link for more information:
I assume you are going to use a single router to do this, with your LAN and both your primary and backup Internet connections all attached to this router.
If you are going to use 2 routers this gets even more complex, and even on a single router this is a little confusing for people new to Cisco.
This link has an example that is close to what you will need.
Your basic problem is that you cannot tell when these interfaces go down in most cases. This is done at large locations with a routing protocol like BGP. In smaller locations Cisco has this new feature I linked above. This allows you, in effect, to ping something out each connection to determine if it's active. It then uses policy routing to select a path based on the results of the ping.
This is precisely what I'm trying to achieve. What complicates it further for us is that we're also trying to use NAT with publicly accessible servers behind the NAT. I would have to allow port forwarding. Now I believe there's a way to allow for port forwarding, until I mention that one of the services is a PPTP VPN. I don't believe GRE pass-through will work behind a NAT with this particular configuration.
Yes Brett, please do post it if it's not too much trouble. Any assistance you can offer would be great. We need to get this router into place on our network and it can't be done until I can get the config correct.
Yes, it gets confusing with NAT involved. Here is a config that will work. You need to adjust your SLA monitor timeout and thresholds to suit your environment. In my case the user had satellite on FE0 and cell on FE1, therefore my SLA timeout and thresholds had to be adjusted to 2500 each due to the high ping times across the satellite link. For T1 and DSL the 1000 in the config should work fine. Keep in mind that the 184.108.40.206 is the far-end address to tell the Cisco that FE0 is up or down.
A couple of things to help troubleshooting are:
show ip route track-table
show ip route
show ip sla statistics
Remember, the basic concept is that the primary route to 220.127.116.11 is a "floating" route based on whether or not the SLA monitor gets ICMP echoes back from 18.104.22.168 via the FE0 interface within the allowed time frames. If not, then it drops the route and the lower-priority route of 192.168.2.1 (254) becomes the gateway of last resort. Once the SLA monitor gets packets back from 22.214.171.124 and meets the allowed time frames, it switches back to 126.96.36.199 as gateway of last resort. By NATing on the route maps and not the interfaces, it controls which interface to send traffic out.
Hope this helps and be sure to rate, also post back and let me know how it goes for you!
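The mechanism described in the post above (IP SLA probe, tracked floating default routes, NAT keyed on route-maps rather than interfaces), written out as an added example. This is not the poster's attached config and not from the thread; all addresses, interface roles and ACL/route-map names are assumptions: FE0 toward the primary ISP with next hop 203.0.113.1, FE1 toward the backup ISP with next hop 198.51.100.1, and the LAN on Vlan1 as 192.168.1.0/24 (RFC 5737 and RFC 1918 ranges).

```cisco
! --- Interfaces (all addresses are assumed for this example) ---
interface FastEthernet0
 description Primary WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 description Backup WAN
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description Inside LAN (1811 switch ports)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- Probe the primary ISP's next hop out FE0 every 10 seconds.
! timeout/threshold are milliseconds; raise them on high-latency links.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 timeout 1000
 threshold 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 goes down when the probe stops getting replies.
track 1 ip sla 1 reachability
!
! Primary default route is only installed while track 1 is up;
! the AD 254 route "floats" in when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- NAT selected by route-map (egress interface), not by interface ---
ip access-list extended LAN-TO-INTERNET
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-FE0 permit 10
 match ip address LAN-TO-INTERNET
 match interface FastEthernet0
!
route-map NAT-FE1 permit 10
 match ip address LAN-TO-INTERNET
 match interface FastEthernet1
!
ip nat inside source route-map NAT-FE0 interface FastEthernet0 overload
ip nat inside source route-map NAT-FE1 interface FastEthernet1 overload
!
! --- Flush existing translations whenever the track changes state,
! so sessions built on the old path are not stuck with a stale entry.
event manager applet NAT-FLUSH
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Two checks a practitioner will want. First, the probe target: here it is the directly connected next hop, so the probe still leaves FE0 even after the default route is withdrawn. If you probe a far-end address instead, add a host route for that target via the FE0 next hop (`ip route <target> 255.255.255.255 203.0.113.1`); otherwise, once the default route floats to FE1, the probe follows it, succeeds over the backup, and the primary route is never restored. Second, the NAT table: translations created while FE0 was active stay bound to the FE0 address until they age out, which is why the applet clears them on a state change (or run `clear ip nat translation *` by hand). Older 12.4 images use the earlier syntax `ip sla monitor 1` / `type echo protocol ipIcmpEcho 203.0.113.1 source-interface FastEthernet0` / `ip sla monitor schedule 1 life forever start-time now` and `track 1 rtr 1 reachability`; the behaviour is the same. `show track 1`, `show ip sla statistics` and `show ip route` show which route is currently installed.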
Should I have the 12.4+ Enterprise Base IOS feature set to use your screen, or will it work without the feature set too?
Hi, I just read this conversation and this is the exact problem I am having.
The problem is that I can't see your sample config because it already expired.
Could you please re-post it? I have been losing sleep because of this setup.
I will greatly appreciate it.
I believe the relevant portion of the config is contained in the attached txt. If there is anything missing, I hope someone will correct it. This was taken from our working 1811 with failover.
In our case, this is set up to check FE0 and fail over to FE1 in the event that icmp-echo fails over FE0. Once icmp-echo on FE0 is successful, it fails back.
I already have this set up, and I am not using a single object; I am using multiple objects which are being tracked by ICMP using the interface facing my ISP1. I am using Boolean OR to get this done.
What I am really looking for is something exactly the same as Steve Goldman is facing.
I have a network which has 4 internal servers on the inside with static 1-to-10 NAT translations.
In the event that my ISP1 fails, and my tracking process determines that those 2 objects that I am tracking using the interface facing ISP1 are not reachable, the router routes all the traffic to ISP2, using my interface fas3 which faces this ISP2.
The problem is that GRE does not work when ISP1 goes down.
Also, my internal servers don't work either.
So I am trying to get a solution for this, but even after talking to a few Cisco engineers (TAC), they didn't even know the answers... I have the case unresolved with them.
any help on this will be greatly appreciated
This IS Steve Goldman. The same that made the previous posts.
I am using 1-to-1 NAT translations as well, which uses a setup with two separate access lists, one for FE1 and one for FE0. Both contain the entry:
access-list ### permit gre any any
We then use a simple DNS entry that resolves to both IP addresses. Clients automatically connect to the available line.
What do you mean when you say "also, my internal servers don't work either"?
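The per-ISP 1-to-1 NAT described in the post above (two access lists, each permitting GRE, one route-map per WAN interface), as an added example that is not the poster's config and not from the thread. Addresses and names are assumptions: an inside server 192.168.1.10 published as 203.0.113.10 via FE0 (primary ISP) and as 198.51.100.10 via FE1 (backup ISP), with each ISP routing its public block to the router.

```cisco
! One ACL per WAN side; both permit GRE so the PPTP tunnel
! protocol is translated alongside the server's TCP/UDP traffic.
ip access-list extended SERVER-FE0
 permit gre any any
 permit ip host 192.168.1.10 any
!
ip access-list extended SERVER-FE1
 permit gre any any
 permit ip host 192.168.1.10 any
!
! The route-map binds each static entry to its egress interface.
route-map STATIC-FE0 permit 10
 match ip address SERVER-FE0
 match interface FastEthernet0
!
route-map STATIC-FE1 permit 10
 match ip address SERVER-FE1
 match interface FastEthernet1
!
! "extendable" lets the same inside host hold two static entries,
! one public address per ISP.
ip nat inside source static 192.168.1.10 203.0.113.10 route-map STATIC-FE0 extendable
ip nat inside source static 192.168.1.10 198.51.100.10 route-map STATIC-FE1 extendable
```

The caveat to verify before relying on this: the router answers by its routing table, so while the primary default route is installed, a connection that arrives on FE1 for 198.51.100.10 is replied to out FE0 and translated by the FE0 entry, and the remote peer sees the wrong source address. That is why the approach in the post (a DNS name resolving to both public addresses) only works cleanly when one ISP is actually down; for both addresses to be usable at once you would need policy routing that returns FE1-originated sessions via FE1. Test each address from outside with `debug ip nat` and `show ip nat translations` on the router and confirm the reply leaves on the interface it arrived on.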
With ISP1, my internal servers have their own public IP address (1-to-10 static NAT) so they can be accessed from the Internet.
When ISP1 fails, my router re-routes the traffic properly, but my internal servers don't get their IP addresses. This beats the hell out of me.
I can provide you with my current config if you want. I really need to get this going.
I am using a route-map except on the GRE line, because it does not work when used with a route-map. But it only works with ISP1; it does not fail over to ISP2. I worked with 2 TAC guys and they had no clue.
Don't think it will help, but here is my config on an 1811W. I have also set this up on an ASA 5510 using the same method, but have found that I had to add static routes for the VPN tunnels' endpoint LAN subnets, pointing them to the IP of my primary ISP interface, or they would not fail over. That might give you a clue as to your problem.