
891-K9 dual wan configuration

The basic setup... Newly installed redundant ISP, thus setting up the 891 with dual WAN, using PfR to load balance between the two. Did initial config through CCP (not express), but I am familiar with the basics of IOS CLI (not used to the new zone based firewall yet, managed our old Pix for too long, but that is a different subject!)

 

The issue - I cannot seem to get anything but Gi0 to be accepted as a WAN interface. I go through the entire setup in CCP, test each connection, etc, and it all looks good until I exit out of CCP and go back in. At that point, I get squat out of Fa8. CCP won't let me test the connection, won't let me edit the connection, won't let me delete the connection. The wizard for a new WAN connection becomes available again (Wanting to set up a "second" WAN on Fa7...)

 

Looking at the config (pasted below) I don't see any reason why it shouldn't be working... So I turn here, hoping someone else can see my silly mistake somewhere!

 

Again, I have verified connections to each ISP line independently, either one works just fine on Gi0, neither ever works on Fa8. This is my first real foray into PfR, so any help would be appreciated!

 

 

 

 

Building configuration...

 

 

Current configuration : 21486 bytes

!

! Last configuration change at 18:59:43 UTC Mon Mar 26 2012 by admin

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname KFDA-rtr

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 warnings

enable secret 5 xxscrubbedxx

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authorization exec local_author local

!

!

!

!

!

aaa session-id common

!

!

!

!

crypto pki trustpoint TP-self-signed-118056709

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-118056709

revocation-check none

rsakeypair TP-self-signed-118056709

!

!

crypto pki certificate chain TP-self-signed-118056709

certificate self-signed 01

  xxscrubbedxx

            quit

no ip source-route

!

!

!

!

ip cef

no ip bootp server

ip domain name newschannel10.local

ip name-server 69.6.190.11

ip name-server 208.180.42.100

ip name-server 8.8.4.4

ip name-server 69.6.190.10

ip name-server 66.76.175.100

ip port-map user-protocol--2 port tcp 5900

ip port-map user-protocol--1 port tcp 20

no ipv6 cef

!

!

multilink bundle-name authenticated

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

 

 

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

 

 

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

 

 

!

key chain PfR_DM

key 1

  key-string 7 097C483B26213A

oer master

policy-rules PfR_DM_MAP

!

border 10.255.1.1 key-chain PfR_DM

  interface GigabitEthernet0 external

  interface FastEthernet8 external

  interface Vlan1 internal

!

learn

  throughput

  periodic-interval 1

  monitor-period 1

!

oer border

local Loopback100

master 10.255.1.1 key-chain PfR_DM

license udi pid CISCO891-K9 sn FTX154683MX

!

!

username admin privilege 15 secret 5 xxscrubbedxx

!

!

ip tcp synwait-time 10

no ip ftp passive

!

class-map type inspect match-all sdm-nat-user-protocol--2-4

xx-scrubbed firewall classes, etc....

!

!

!

!

!

!

!

interface Loopback100

ip address 10.255.1.1 255.255.255.255

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

description AMAtechTel$ETH-WAN$$FW_OUTSIDE$

ip address 69.6.179.14 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

!

interface GigabitEthernet0

description SuddenLink$ETH-WAN$$FW_OUTSIDE$

ip address 173.219.132.66 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

ip address 10.0.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface GigabitEthernet0 overload

ip nat inside source list 2 interface FastEthernet8 overload

ip nat inside source static tcp 10.0.0.240 20 69.6.179.11 20 extendable

ip nat inside source static tcp 10.0.0.240 21 69.6.179.11 21 extendable

!

xx-scrubbed NAT rules-xx

!

ip route 0.0.0.0 0.0.0.0 173.219.132.65

ip route 0.0.0.0 0.0.0.0 69.6.179.1 2

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 2 remark CCP_ACL Category=2

access-list 2 permit 10.0.0.0 0.0.0.255

access-list 23 permit 10.0.0.0 0.0.0.255

!

xx-scrubbed-ACLs-xx

!

no cdp run

 

 

!

!

!

!

!

!

oer-map PfR_DM_MAP 200

match oer learn throughput

set delay relative 30

set mode route control

set mode monitor both

set resolve range priority 1

set resolve delay priority 2 variance 20

!

control-plane

!

!

!

line con 0

login authentication local_authen

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

login authentication local_authen

transport output telnet

line vty 0 4

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

line vty 5 15

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

4 REPLIES
Hall of Fame Super Silver

891-K9 dual wan configuration

Joel

I am not so familiar with the 891. But it looks to me like fa8 is a switch port. I wonder if it would work better if you assigned it to a VLAN other than the default and put the IP addressing on a VLAN interface?

HTH

Rick

New Member

891-K9 dual wan configuration

Fa8 is dual purpose. It can be assigned to either switch or WAN roles... But I hadn't thought of assigning it to another VLAN. I might give it a shot... Any idea how NAT and PfR would work through that VLAN? ... I might find out later!

Hall of Fame Super Silver

891-K9 dual wan configuration

Joel

In doing a quick look for information about the 891k9 I did see one reference to fa8 as WAN, but no detail about how to do it. And I saw several references to the built in switch with 8 ports. Which led to my suggestion about treating it as a switch port. Creating a separate VLAN is how we usually do it with switch ports.

I would think that there needs to be some command to tell fa8 to act as WAN rather than as normal switch port. Perhaps if you go into configuration mode on fa8 and use the ? for help it would show the available commands, and perhaps one relates to function as WAN?

I would think that NAT would be fine on the VLAN. I am not expert in PfR but would think that it would work ok on any valid interface, including VLANs. Perhaps someone with more experience with PfR can jump in here?

HTH

Rick

New Member

891-K9 dual wan configuration

Did you get this to work by setting up another vlan interface and assigning interface FastEthernet8 to that vlan?
