New Member

Cisco871. 2 WAN with NAT overload (2 different ISP) 1 LAN.

Hello.

I have a Cisco 871 running c870-advipservicesk9-mz.124-4.T4.bin

I have 2 different ISP, for example

ip1 = 10.31.0.156/22 default gateway 10.31.0.1

ip2 = 10.31.24.79/22 default gateway 10.31.24.3

and LAN 10.10.10.1 255.255.255.248

I have no dynamic routing protocol between me and the ISPs.

ISP1 is main ISP, and ISP2 is back-up.

I am trying to configure the router so that while ISP1 is reachable, all traffic goes to the internet through that ISP. If ISP2 is down, the router must switch to the back-up ISP2.

Is it possible?

I read this document: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

but there's no NAT in the example, and I need it on both ISPs' interfaces.

3 REPLIES
New Member

Re: Cisco871. 2 WAN with NAT overload (2 different ISP) 1 LAN.

I have absolutely the same question: two ISPs, reliable static routing (with tracking), but how to configure NAT?

I have the following:

ip nat inside source route-map nat-backup interface FastEthernet0/1 overload
ip nat inside source route-map nat-main interface FastEthernet0/0 overload
route-map nat-backup permit 10
 match ip next-hop 22
route-map nat-main permit 10
 match ip next-hop 20

But it works only if I manually clear the IP NAT translation table.

Is there any other solution?

New Member

Re: Cisco871. 2 WAN with NAT overload (2 different ISP) 1 LAN.

How do ACLs 20 and 22 look?

New Member

Re: Cisco871. 2 WAN with NAT overload (2 different ISP) 1 LAN.

I prepared a config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 domain-name transmark.ru
 dns-server 10.31.0.50 10.31.0.59
 lease 8
!
!
ip sla 1
 icmp-echo 10.31.0.1 source-ip 10.31.0.154
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.31.24.3 source-ip 10.31.26.79
ip sla schedule 2 life forever start-time now
!
!
!
!
!
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ISP1
 ip address 10.31.0.154 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map all-out
!
interface Vlan2
 description ISP2
 ip address 10.31.26.79 255.255.252.0
 ip nat outside
 ip virtual-reassembly
!
ip classless
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map isp1 interface FastEthernet4 overload
ip nat inside source route-map isp2 interface Vlan2 overload
!
access-list 101 permit ip any any
access-list 102 deny ip any 10.31.0.0 0.0.255.255
access-list 102 permit ip any any
!
route-map all-out permit 10
 match ip address 101
 set ip next-hop verify-availability 10.31.0.1 20 track 123
 set ip next-hop verify-availability 10.31.24.3 30 track 124
!
route-map isp2 permit 10
 match interface Vlan2
!
route-map isp1 permit 10
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

But I need to configure an IPsec tunnel with the central office. In that case, the traffic for IPsec must be "cut" from NAT.

I can't configure that task. Help please.
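
The NAT exemption asked about in the last post, as an added example that is not part of the thread or of any poster's configuration. It assumes the central-office LAN is 192.168.100.0/24 (a constructed placeholder) and uses ACL 110 (a hypothetical number not present in the posted config); the route-map and interface names are the ones from the config above.

```cisco
! Added example. Assumptions: 192.168.100.0/24 is a constructed placeholder
! for the central-office LAN; ACL 110 is a hypothetical, unused ACL number.
!
! NAT ACL: the deny line keeps LAN-to-central-office traffic untranslated,
! the permit line lets everything else from the LAN be translated.
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
! Before (as posted in the thread): only the egress interface is matched,
! so packets bound for the tunnel are translated like any other traffic.
!   route-map isp1 permit 10
!    match interface FastEthernet4
!
! After: match clauses of different types in one route-map entry are ANDed,
! so a packet is translated only if ACL 110 permits it AND it leaves
! through the named interface.
route-map isp1 permit 10
 match ip address 110
 match interface FastEthernet4
!
route-map isp2 permit 10
 match ip address 110
 match interface Vlan2
!
! NAT statements unchanged from the posted config, repeated for context.
ip nat inside source route-map isp1 interface FastEthernet4 overload
ip nat inside source route-map isp2 interface Vlan2 overload
```

Translations created before the change stay in the table until they age out or are removed with `clear ip nat translation *`, so `show ip nat translations` is the place to confirm that central-office traffic no longer gets an entry.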
