Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
679
Views
0
Helpful
4
Replies

Backing up an ISP's ADSL connection with another ISP's ISDN connection

computer_dept
Level 1
Level 1

‎01-05-2007 11:19 AM

Greetings to all

I am trying to use DDR to backup an ADSL line with an ISDN using the backup interface method.

When the primary connection goes down (I pull out the cable), the backup interface is brought up but I cannot route interesting traffic to make it dial.

With my limited knowledge the only time I made interface BRI0 to successfully dial (and it works ok) is when I manually changed "ip nat inside source list 102 interface Dialer1 overload" to "ip nat inside source list 102 interface Dialer2 overload" and shutdown dialer1. Note that both ISPs assign dynamic IPs.

My configuration file follows; any suggestions and help would be much appreciated.

Thank you.

!

version 12.2

no service pad

!

hostname router

!

username xxx password 7 xxxx

ip subnet-zero

no ip source-route

ip telnet hidden addresses

ip name-server xxxx.xxxx.xxxx.xxxx

ip name-server xxxx.xxxx.xxxx.xxxx

!

no ip bootp server

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip urlfilter alert

ip audit notify log

ip audit po max-events 100

password encryption aes

isdn switch-type basic-net3

!

!

!

!

!

!

interface Ethernet0

ip address 192.168.0.8 255.255.255.0

ip access-group 111 out

ip nat inside

no ip mroute-cache

no cdp enable

!

interface BRI0

no ip address

encapsulation ppp

dialer pool-member 2

isdn switch-type basic-net3

!

interface ATM0

no ip address

backup interface BRI0

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode annexb-ur2

!

interface Dialer1

ip address negotiated

ip access-group 112 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname xxxxxxxxxxxxxxxxx

ppp chap password 7 xxxxxxxxxxxx

ppp pap sent-username xxxxxxxxxx password 7 xxxxxxxxxxxx

hold-queue 224 in

!

interface Dialer2

ip address negotiated

ip access-group 112 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 2

dialer string 8962545555

dialer hold-queue 10

dialer load-threshold 10 either

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname xxxx

ppp chap password 7 xxxxxxxxxxx

ppp pap sent-username xxxxxxx password 7 xxxxxxxxxx

ppp multilink

!

ip nat inside source list 102 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 0.0.0.0 0.0.0.0 Dialer2 2

no ip http server

no ip http secure-server

!

!

access-list 23 remark controls vty access

access-list 23 deny any

access-list 102 remark controls inside packet access to interface Dialer1 for NAT

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 deny ip any any

access-list 111 remark controls inside packet access to leave interface Ethernet0

access-list 111 permit ip any 192.168.0.0 0.0.0.255

access-list 111 deny ip any any

access-list 112 remark controls outside packet access to enter interface Dialer1

access-list 112 permit icmp any any echo-reply

access-list 112 permit icmp any any time-exceeded

access-list 112 permit icmp any any packet-too-big

access-list 112 permit icmp any any traceroute

access-list 112 permit icmp any any unreachable

access-list 112 deny udp any any range 33400 34400

access-list 112 deny ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

line con 0

exec-timeout 120 0

login local

stopbits 1

line vty 0 4

access-class 23 in

exec-timeout 120 0

login local

no exec

length 0

transport input none

!

scheduler max-task-time 5000

no rcapi server

!

end

Labels:
0 Helpful
4 Replies 4

kamal-learn
Level 4
Level 4

‎01-06-2007 06:35 AM

hi

to make your configuration working first u have to add

ip nat inside source list 102 interface Dialer2 overload in your global config

and under atm interface use :

backup interface dialer 2 (and no bri since bri have no config i mean ip address...)

also to enable ppp multilink also you need to add ppp multilink under the bri interface also specify the chap authentication under bri

using ppp authentication chap.

HTH

please do rate the post if it does help

0 Helpful

computer_dept
Level 1
Level 1
In response to kamal-learn

‎01-08-2007 02:46 AM

Thank you for your answer.

When I add

ip nat inside source list 102 interface Dialer2 overload

I get the following message;

"Dynamic mapping in use, cannot change"

The thing is I must be able to use inside nat translation from one Dialer when the other is brought down.

Regards.

0 Helpful

kamal-learn
Level 4
Level 4
In response to computer_dept

‎01-08-2007 09:28 AM

hi

the problem here is that your router is already has done some translations so the nat translation table is not empty there is some translation , first you have to success in adding that statement in the config and test it after by just shuting down the dialer 1 interface.

so try to clear all the nat table by

clear ip nat transalation * , but it can give a result as it cannot since the time between clearing it and trying to add your new statement it may do another translation !!!

so an easy way is to remove temporarily the nat outside from dialer 1 interface this will prohibit any new translation from occuring, do a clear ip nat tran.. and add your statement . after that go back to dialr 1 and add the ip nat outside, that you ve removed.

test the solution by bringing down the dialer 1.

and let s us know the result

HTH

0 Helpful

computer_dept
Level 1
Level 1
In response to kamal-learn

‎01-09-2007 07:05 AM

Following your suggestions I was able to change from

ip nat inside source list 102 interface Dialer1 overload to

ip nat inside source list 102 interface Dialer2 overload.

With the following updated config it works even when dialer1 is up.

The problem is that I can't have both dialer interaces with the same access list to do inside NAT.

When I tried the 2 access list aproach (102 & 103), interesting traffic gets stuck in the preceding one :(

Any ideas?

Thank you for your help.

hostname router

!

no logging buffered

!

username * password *

ip subnet-zero

no ip source-route

ip name-server *

!

no ip bootp server

ip inspect name myfw

ip urlfilter alert

isdn switch-type basic-net3

!

interface Ethernet0

ip address 192.168.0.8 255.255.255.0

ip access-group 111 out

ip nat inside

no ip mroute-cache

no cdp enable

!

interface BRI0

no ip address

encapsulation ppp

no ip mroute-cache

dialer pool-member 2

isdn switch-type basic-net3

ppp multilink

!

interface ATM0

no ip address

backup interface BRI0

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode annexb-ur2

!

interface Dialer1

ip address negotiated

ip access-group 112 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname *

ppp chap password *

ppp pap sent-username * password *

hold-queue 224 in

!

interface Dialer2

ip address negotiated

ip access-group 112 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 2

dialer string *

dialer hold-queue 10

dialer load-threshold 10 either

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname *

ppp chap password *

ppp pap sent-username * password *

ppp multilink

!

ip nat inside source list 102 interface Dialer1 overload

ip nat inside source list 103 interface Dialer2 overload

ip classless

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0 Dialer2 150

no ip http server

no ip http secure-server

!

access-list 102 remark controls inside packet access to interface Dialer1 for NAT

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 deny ip any any

access-list 103 remark controls inside packet access to interface Dialer2 for NAT

access-list 103 permit ip 192.168.0.0 0.0.0.255 any

access-list 103 deny ip any any

access-list 111 remark controls inside packet access to leave interface Ethernet0

access-list 111 permit icmp any any

access-list 111 deny icmp any any

access-list 111 permit ip any 192.168.0.0 0.0.0.255

access-list 111 deny ip any any

access-list 112 remark controls outside packet access to enter interface Dialer(s)

access-list 112 deny tcp any any

access-list 112 deny udp any any

access-list 112 permit icmp any any

access-list 112 deny ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

0 Helpful
Customers Also Viewed These Support Documents