New Member

Config help plse - dual WAN on 1811.

Hi, I have a 1811 router with one connection to the internet. This connection is going to be turned off for a while, so I would like to set up another interface as a fall back for when it does.

The second WAN connection will be DHCP connected via ethernet.

I have to configure this remotely prior to changeover, and I am paranoid about locking myself out of the router if I make a wrong turn.

I would like to ask if anyone can help me so that the primary WAN (the one in there now) is always used, and when it goes down, the secondary one will route traffic to the internet.

I am sure it's a simple config to add a second WAN port, all help gratefully received.

NM

Here is current config, some identifying details have been masked.

router.1811#show run
Building configuration...

Current configuration : 5505 bytes
!
! Last configuration change at 09:18:51 UTC Fri Aug 27 2010 by xxxxx
! NVRAM config last updated at 12:29:28 UTC Fri Oct 30 2009 by xxxxx
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router.1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 216.7.159.195
ip name-server 216.7.159.133
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2663121659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663121659
revocation-check none
rsakeypair TP-self-signed-2663121659
!
!
crypto pki certificate chain TP-self-signed-2663121659
certificate self-signed 01
  quit
username xxxx privilege 15 secret 5 xxxx
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.7.xxx.xx 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.2
ip route 192.168.7.0 255.255.255.0 192.168.8.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.2 5045 interface FastEthernet0 5045
ip nat inside source static tcp 192.168.8.2 4125 interface FastEthernet0 4125
ip nat inside source static tcp 192.168.8.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.8.2 3085 interface FastEthernet0 3085
ip nat inside source static tcp 192.168.8.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.8.11 57 interface FastEthernet0 57
ip nat inside source static tcp 192.168.8.11 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.8.11 3660 interface FastEthernet0 3660
ip nat inside source static tcp 192.168.8.11 3663 interface FastEthernet0 3663
ip nat inside source static tcp 192.168.8.11 4665 interface FastEthernet0 4665
ip nat inside source static tcp 192.168.8.11 3000 interface FastEthernet0 3000
ip nat inside source static tcp 192.168.8.11 4000 interface FastEthernet0 4000
!
access-list 1 permit any
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp clock-period 17180445
ntp server 192.168.8.2 key 0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

router.1811#

31 REPLIES
Hall of Fame Super Silver

Re: Config help plse - dual WAN on 1811.

Hello Neil,

you need a floating default static route using second wan like

ip route 0.0.0.0 0.0.0.0 wan2 201

and you need a NAT configuration that uses route-maps to check what is the current exit interface of traffic in order to perform a correct NAT translation

see

https://supportforums.cisco.com/thread/2039029?tstart=0

Hope to help

Giuseppe

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

The response by Giuseppe is a good start and correctly addresses the need for a floating static route and the need to perform address translation  on the second/backup interface. I have a couple of things to add to his suggestions.

- it should be pretty obvious that you need to configure the second Fastethernet to use DHCP to obtain its IP address.

- the syntax that Giuseppe suggests for the floating static route works fine if you know the next hop address (the provider device that you are connecting to). With DHCP sometimes you do know that address and sometimes you do not. If you do not know the next hop address then there is an optional parameter on the static route that I have seen used that uses information from DHCP to construct the static default route.

- the floating static route works well if the primary route is removed from the routing table. We do not know anything about your primary connection on Fastethernet0 and do not know exactly what you mean about it will be turned off. So it is hard to know whether the primary static default route will be removed from the routing table. If Fastethernet0 goes to protocol down state then the static default route should be removed from the routing table. But if turning off is just stopping the provider from responding to you then it might leave the interface in the protocol up state. And in that case the original static default route would still be in the routing table and the backup floating static route would not work. In this case you may need to configure IP SLA to track the primary provider connection and to remove the primary static default route when the primary provider is not accessible.

Also if you are worried that you might lock yourself out while making the config changes I would suggest that you schedule a reload before you start your changes. That means that if you do lock yourself out that the router will reboot, come back without your changes and allow you access again. The process might look something like this:

! first make sure that the current config is saved

copy running startup

! then schedule a reload to occur in 45 minutes (or however long you think it might take)

reload in 45

! respond to the prompt to confirm the reload

! then begin your config changes

config t

end

! if things are working then you need to cancel the reload

reload cancel

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Thanks for the help.

I haven't had time to look into this so I am going to go for an easy way out, and that's to set WAN1 to DHCP and swap cables.

However, I am stuck with this default route:

ip route 0.0.0.0 0.0.0.0 216.7.149.33

So this will clearly change.

Please would you tell me how to make this dynamic (floating ?)

Many thanks,

NM

New Member

Re: Config help plse - dual WAN on 1811.

I am sorry to bump this thread up again !

I am still looking for any advice or help that will allow me to fall over from fa0 to fa1 automatically.

Fa1 is going to pick up dhcp and then I will cut the device on fa0, the aim is to have the internet flowing then via fa1.

The problems I have are the default route, ip route 0.0.0.0 0.0.0.0 216.7.149.33, I can't work out how to make this a floating default route that works.

I have been playing with the config, but can't get anything to work.

I would like to ask if anyone would give me the steps needed to achieve this, on the face of it it looks like it should be easy.

Many thanks in advance for any help.

NM

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

I believe that the feature that will help you is sometimes called Reliable Static Routing Using Object Tracking. I believe that this link has helpful information that should help to get you started

http://www.cisco.com/en/US/partner/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Hi NM,

Let me give you my two cents....

Do the following steps and check after every step:

1. Check whether the secondary link is working as expected

Plug in your secondary provider in Fa1 and under the interface give the command 'ip address dhcp'

Run 'show ip interface brief'

Check whether now fa1 has any ip address associated to it.

If you can see an ip address on the interface. See if you can ping this address from the outside.

Note down this ip address.

2. If step 1 succeeds continue to 2..

Let us create now a static route that is less preferable than say the one through Fa0. This is called a floating static route.

You can do this using

ip route 0.0.0.0 0.0.0.0 interface fa1 100

The above command would create a static route through the secondary ISP and  make it come into play only if the path through fa0 is down.

3. Before you do this make sure you do what one of the earlier answers quoted...

under config mode - run timed reload command , just in case something gets messed up.

          reload in 20

Now, go ahead and shut down the interface fa0.  Check whether you can now reach the router using the ip address on fa1 which you now know because you had noted it down earlier.

If you can telnet to the router using the ip address of fa1... then our failover was successful!

Let's do steps 1,2 &3 and check how it goes...

Once you have the three working.... do a no shut on interface fa0 to revert things back to the way it was.

Please let me know once you have achieved the above and then we can start working on NAT.

Cheers,

Manas

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

I like most of the suggestions from Manas and how he presents them (and I certainly agree that going through things step by step is good). But I disagree with his suggestion of how to configure the floating static default route. His suggestion was:

ip route 0.0.0.0 0.0.0.0 interface fa1 100

I would advocate that you not point the static default route at interface FastEthernet1. If you do this then part of the result is that the router must ARP for every destination to which it forwards a packet. There are a number of implications of doing this:

- this depends on whether the ISP router has enabled proxy arp. If proxy arp is enabled then your floating static default route will work. But if proxy arp is not enabled then your floating static route will not be able to forward any packets.

- the ARP table will grow large and consume more memory.

- the router will consume more CPU cycles in maintaining the large ARP table and in searching the ARP table.

- since IOS refreshes entries in the ARP table every 4 hours the resources required to put an address in the ARP table is not a one time thing but will be done over and over every 4 hours - for every entry in the ARP table.

- it will increase the amount of traffic on the link to the ISP since every 4 hours the router will send an ARP request and will receive an ARP response and do this for every entry in the ARP table.

I have 2 suggestions about how to configure the floating static default route.

- if you know the address of the ISP router then put that address into the floating static default route

ip route 0.0.0.0 0.0.0.0  A.B.C.D 100

- if you do not know the address of the ISP router then configure the floating static default route like this

ip route 0.0.0.0 0.0.0.0 dhcp 100

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Thanks to you both for this really excellent help and advice.

I will be going to the site on Friday for a couple of hours to try to get this implemented.

I will let you know how it goes.

Of course, if you have any more thoughts between now and then please keep them coming.

Many thanks again,

NM

New Member

Re: Config help plse - dual WAN on 1811.

I completely agree with Richard on that note about implication of simply using the interface... my bad there...

Neil... what you can do to avoid it and in the process get the best of both worlds is to use the following....

ip route 0.0.0.0 0.0.0.0 fa1 dhcp 100

What the above will do is it will create the default route out fastethernet 1 but get the next hop using DHCP.

I have tried the above on an enterprise services image running 12.4(24)T1.

I hope this helps...

We'll wait for your update when you can try this out.

Cheers,

New Member

Re: Config help plse - dual WAN on 1811.

OK, this is starting to look really promising now !

Just to clarify, this entry for default route, it's an additional entry ?

So I would have:

ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 0.0.0.0 0.0.0.0 fa1 dhcp 100

Is that right ?

NM

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

Yes the floating static default route is a second statement.

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Hi ,

I think with this config the failover won't work. We need to add track for the primary link default route.

Sumit

New Member

Re: Config help plse - dual WAN on 1811.

Yep that's bang on target...

So you'll be on site later during the weekend looking at this issue?

Let me know how this goes...

Cheers,

Manas

New Member

Re: Config help plse - dual WAN on 1811.

Hi ,

I think only floating static route will not help for failover. We need to add track with the  primary default route.

Sumit

New Member

Re: Config help plse - dual WAN on 1811.

Static route failover works as long as the link you are failing for is the one directly connected to the router.

Router (interface e) -------Link-------(interface f)Provider

If the above is the setup and interface e is on our router and interface f is on the provider router...

Then static route failover would work as long as it is the link between e and f that goes down.

For some setups that is all we need. 

If you want to track failover more than that particular link... (for example multiple hops down the path) you'll need to use IP SLA and configure tracking say using ICMP echo.

Hope this helps.

New Member

Re: Config help plse - dual WAN on 1811.

Hi Manas ,

You are absolutely right but the only problem is this link is terminated on a fastethernet port. Fastethernet is normally physically connected to a modem located at site so the physical link normally doesn't go down even if the actual link is down.

Hope this helps.

Sumit

New Member

Re: Config help plse - dual WAN on 1811.

That's an interesting thought...good catch...  but yes if the interface is connected to a modem then only if the link between router and modem goes down the failover will happen.

Now even if it is a cable modem, shutting down the fast ethernet port will make it failover.

But no... fast ethernet interfaces do not need to be always connected to a modem. We can get a direct link from the provider that plugs into an RJ45 jack on the router. But yeah generally these setups will generally give you a static ip address from the provider.

In this case since it is over DHCP - it's more probable it's a cable modem.

I'm not sure what it is in this case though...

Cheers,

Manas
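The failure mode discussed in the posts above (FastEthernet0 stays up/up behind a modem while the provider is unreachable), as an added example that is not part of any post in this thread. It is a simplified Python model of how a static default route wins or loses; the `/24` on FastEthernet1 and treating the `dhcp` next hop as an exit-interface route are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    name: str
    next_hop: Optional[str] = None   # next-hop IP address, if configured
    interface: Optional[str] = None  # exit interface, if configured
    distance: int = 1                # IOS default distance for a static route
    track: Optional[int] = None      # tracked object number, if any


def usable(route, connected, tracks):
    """A static route is installable only if its track object (if any) is up
    and its next hop or exit interface resolves through an up/up interface."""
    if route.track is not None and not tracks.get(route.track, False):
        return False
    if route.interface is not None:
        return route.interface in connected
    hop = ipaddress.ip_address(route.next_hop)
    return any(hop in ipaddress.ip_network(net) for net in connected.values())


def active_default(routes, connected, tracks=None):
    """Return the name of the default route that wins, or None."""
    candidates = [r for r in routes if usable(r, connected, tracks or {})]
    best = min(candidates, key=lambda r: r.distance, default=None)
    return best.name if best else None


# Addresses from the posted config; the /24 on FastEthernet1 is an assumption.
FA0 = {"FastEthernet0": "216.7.149.32/30"}
FA1 = {"FastEthernet1": "192.168.1.0/24"}
BACKUP = StaticRoute("backup", interface="FastEthernet1", distance=100)
PLAIN = [StaticRoute("primary", next_hop="216.7.149.33"), BACKUP]
TRACKED = [StaticRoute("primary", next_hop="216.7.149.33", track=1), BACKUP]


def scenarios():
    both_up = {**FA0, **FA1}
    return {
        "both links healthy": active_default(PLAIN, both_up),
        "Fa0 shut down": active_default(PLAIN, FA1),
        # Modem keeps Fa0 up/up while the provider is unreachable.
        "provider dead, no tracking": active_default(PLAIN, both_up),
        "provider dead, track 1 down": active_default(TRACKED, both_up, {1: False}),
        "track 1 up again": active_default(TRACKED, both_up, {1: True}),
    }


if __name__ == "__main__":
    for label, winner in scenarios().items():
        print(f"{label:30} -> {winner}")
```

The third scenario is the black hole: the primary route stays installed because nothing tells the router the path beyond the modem has failed.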

New Member

Re: Config help plse - dual WAN on 1811.

OK, followed the instructions and it's not working :>(

fa0 is a broadband connection, when it goes down the next hop will still be up so I plan to disable it by shutting fa0, thereby hoping that fa1 will then take over.

I changed the config to that shown below. I also added the ip nat outside command to fa1.

I can ping external addresses from the router. If I ping externally from a client on the network, I get request timed out or destination host unreachable.

So, did I miss something ?

Thanks again guys, it's such a small thing yet it seems so difficult to get right. I value your assistance.

NM

router#show run
Building configuration...

Current configuration : 5592 bytes
!
! Last configuration change at 12:29:34 UTC Fri Sep 24 2010 by admin
! NVRAM config last updated at 12:27:03 UTC Fri Sep 24 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 216.7.159.195
ip name-server 216.7.159.133
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2663121659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663121659
revocation-check none
rsakeypair TP-self-signed-2663121659
!
!
crypto pki certificate chain TP-self-signed-2663121659
certificate self-signed 01
  xxxxx
  quit
username xxxxx
!
!
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.7.149.34 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.2
ip route 192.168.7.0 255.255.255.0 192.168.8.1
ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp 100
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.11 4000 interface FastEthernet0 4000
ip nat inside source static tcp 192.168.8.11 3000 interface FastEthernet0 3000
ip nat inside source static tcp 192.168.8.11 4665 interface FastEthernet0 4665
ip nat inside source static tcp 192.168.8.11 3663 interface FastEthernet0 3663
ip nat inside source static tcp 192.168.8.11 3660 interface FastEthernet0 3660
ip nat inside source static tcp 192.168.8.11 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.8.11 57 interface FastEthernet0 57
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.8.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.8.2 3085 interface FastEthernet0 3085
ip nat inside source static tcp 192.168.8.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.8.2 4125 interface FastEthernet0 4125
ip nat inside source static tcp 192.168.8.2 5045 interface FastEthernet0 5045
!
access-list 1 permit any
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp clock-period 17180462
ntp server 192.168.8.2 key 0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

router#

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

If your plan for failover is that you will manually shut down FastEth0 when there are problems then failover should work and you will not need to use IP SLA as we have been suggesting. But that means that your failover requires manual intervention (you must recognize that there is a problem, then you must access the router, and you must make a config change). But what will be the situation when the problem occurs on the day that you are on vacation, or happens when you are busy in an important meeting, etc?

The problem in the config that you have posted is that there are no address translations configured for when traffic is going out FastEth1. All the translations use the address of FastEth0, and if it is shut down then the translations will not work. You need to configure translations that use the address of FastEth1 when traffic is going out that interface.

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Rick, would you mind telling me how to do that ?

NM

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

Your explanation of the environment verifies that you do not need to configure IP SLA. We did not realize that you were not looking for a dynamic failover. If the failover is planned and will be accomplished by shutting down the first FastEthernet then the original static default route will certainly be removed from the routing table and the floating static default route should be used.

Doing address translation when the translation needs to change depending on which interface is being used is a bit more complex than translation using only a single outbound interface. It is usually accomplished by using a route map which can match on both the source address (as is done in your current configuration) but can also match on the outbound interface.

Here is an example of PAT (interface overload) which I modified a bit. It is a fairly close fit to your environment and I think should give you what you need to do on your router.

!
interface Vlan1
description inside private LAN interface
ip address 192.168.8.10 255.255.255.0
ip nat inside
!--This connects to the private LAN, designated as the NAT inside interface. 
interface FastEthernet0
description first outbound link
ip address 192.168.1.2 255.255.255.252
ip nat outside
!---This connects to the outside and is designated as the NAT outside interface. 
!
interface FastEthernet1
description second outbound link
ip address 192.168.2.2 255.255.255.252
ip nat outside
!---This connects to the outside and is designated as the NAT outside interface. 
!
ip nat inside source route-map link-1 interface FastEthernet0 overload
!---The above line will translate for traffic matched by the route-map link-1. 
!
ip nat inside source route-map link-2 interface FastEthernet1 overload
!---The above line will translate for traffic matched by the route-map link-2. 
!
access-list 1 permit 192.168.8.0 0.0.0.255
!---This ACL permits traffic from all hosts in the private LAN. 
!
route-map link-2 permit 10
match ip address 1
match interface FastEthernet1
!---This route-map matches all traffic matched by ACL 1 and going out of interface FastEthernet1. In other words, all traffic from the private LAN through link-2 is matched. 
!
route-map link-1 permit 10
match ip address 1
match interface FastEthernet0
!---This route-map matches all traffic matched by ACL 1 and going out of interface FastEthernet0. In other words, all traffic from the private LAN through link-1 is matched. 
!

This takes care of the dynamic translations. If you need the same kind of port translations that are in your posted config I guess that you could also use the route map approach to translate them.

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Hi, Rick.

Unfortunately I only had an hour on site between flights, it's a shame I didn't have enough time or information to configure the router correctly. I am back to working remotely again.

OK, I am going to follow your instructions, however I have to say that it does seem to be excessively complex, and not at all intuitive.

Surely there is an easier way to have two possible WAN connections, whichever one is up gets the traffic... well, I would have hoped there was an easier way....

I'll feed back once I have tested.

NM

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

My suggestions for config changes may be complex but that is because doing translation one way if going out one interface and doing translation differently if going out the other interface is complex. I am not aware of any config that is more simple that would make the appropriate translations.

HTH

Rick

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

I agree with Sumit that  while we do not know the details of the connection to the second provider on FastEthernet and so can not know for sure whether the link will fail if they lose connectivity to the provider, that it is likely to be a problem and that IP SLA would be a prudent thing to include in the config. I raised exactly this issue in my first post in this thread on August 27.

HTH

Rick

New Member

Re: Config help plse - dual WAN on 1811.

Hopefully I can clear up.

Fa0 is an expensive service that can be turned off for periods of up to one to three months, in order to reduce costs.

While it is off, we can connect a lan to Fa1, it's not an ISP as such, but piggy backing off someone else's network.

I am remote to the site, so I would like to be able to remote in and issue the shut/ no shut command on fa0 as a means of switching over.

The idea here is to take away the need for anyone on site to get involved in the changeover.

NM

New Member

Re: Config help plse - dual WAN on 1811.

Latest Show run...

Not sure if it works yet, I have to wait for the reload...

NM

New Member

Re: Config help plse - dual WAN on 1811.

OK, this current configuration does not work.

If I disable Fa0 then the network does not get access to the internet. It's difficult to give you more info as I am remote, so not sure what connectivity if any is there once I drop fa0.

I really need a solution here as fa0 is going to be disconnected this week and we need fa1 to be routing traffic. I am running out of time :>(

Have I missed a step ?

Anyone ?

Hall of Fame Super Gold

Re: Config help plse - dual WAN on 1811.

NM

The biggest problem that I see in the most recent config is that while you have added the translate statements that use route maps you have left the original translate statement in place which will translate everything to the address of FastEthernet0. Try removing this statement from the config and let us know what happens

ip nat inside source list 1 interface FastEthernet0 overload

I would also note that access list 1 is a bit different from what I suggested that it be

access-list 1 permit any
access-list 1 permit 192.168.8.0 0.0.0.255

I am not sure that it is a big deal but I would suggest that you change the access list to remove the permit any.

HTH

Rick
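A pre-change audit for the NAT problems found in this thread, as an added example that is not part of any post: it flags a WAN port with no overload rule, the leftover list-based rule, `permit any` in the NAT ACL, and port forwards bound to one WAN port only. The last check goes beyond the thread and compares the `ip verify unicast reverse-path` and `ip inspect` lines the posted config applies to FastEthernet0 against FastEthernet1; the sample config, function names and finding codes are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the configs posted in this thread
# (indentation restored, addresses taken from the posts).
SAMPLE = """\
interface FastEthernet0
 ip address 216.7.149.34 255.255.255.252
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
!
interface FastEthernet1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source route-map link-1 interface FastEthernet0 overload
ip nat inside source route-map link-2 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
!
access-list 1 permit any
access-list 1 permit 192.168.8.0 0.0.0.255
!
route-map link-2 permit 10
 match ip address 1
 match interface FastEthernet1
!
route-map link-1 permit 10
 match ip address 1
 match interface FastEthernet0
"""

DYNAMIC = re.compile(r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload$")
STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
# Per-interface controls that should match on every WAN-facing port.
CONTROLS = ("ip verify unicast reverse-path", "ip inspect ")


def parse_interfaces(lines):
    """Map interface name -> its sub-commands (works with or without indentation)."""
    interfaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or current is None:
            current = None
        else:
            current.append(line)
    return interfaces


def audit(config):
    """Return a sorted list of (code, detail) findings for a dual-WAN NAT setup."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    interfaces = parse_interfaces(lines)
    outside = [n for n, cmds in interfaces.items() if "ip nat outside" in cmds]
    dynamic = [m.groups() for m in map(DYNAMIC.match, lines) if m]
    static = [m.groups() for m in map(STATIC.match, lines) if m]
    findings = []

    # 1. Every exit interface needs its own overload rule (first failed attempt).
    for name in outside:
        if not any(ifname == name for _, _, ifname in dynamic):
            findings.append(("NAT_MISSING", name))

    # 2. A list-based rule is not conditioned on the exit interface (accepted answer).
    if len(outside) > 1:
        for kind, ref, ifname in dynamic:
            if kind == "list":
                findings.append(("NAT_UNCONDITIONAL", f"list {ref} -> {ifname}"))

    # 3. ACLs that select traffic for NAT should name the inside subnet only.
    acl_ids = {ref for kind, ref, _ in dynamic if kind == "list"}
    acl_ids |= {l.split()[-1] for l in lines if l.startswith("match ip address ")}
    for acl in sorted(acl_ids):
        if f"access-list {acl} permit any" in lines:
            findings.append(("ACL_PERMIT_ANY", f"access-list {acl}"))

    # 4. Port forwards bound to one WAN address disappear after failover.
    for name in outside:
        have = {(proto, ip, port) for proto, ip, port, ifname, _ in static if ifname == name}
        missing = {(p, ip, port) for p, ip, port, _, _ in static} - have
        if missing:
            findings.append(("FORWARD_MISSING", f"{name}: {len(missing)}"))

    # 5. Anti-spoofing and inspection present on one WAN port but not the other.
    for control in CONTROLS:
        has = [n for n in outside if any(c.startswith(control) for c in interfaces[n])]
        for name in outside:
            if has and name not in has:
                findings.append(("CONTROL_MISSING", f"{name}: {control.strip()}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```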

New Member

Re: Config help plse - dual WAN on 1811.

Beautiful....

Rick, thank you so much, I just grabbed this from a remote connection via the second WAN port.

You are an absolute champ for giving up your time to guide me through this.

Brilliant !!

NM


router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              216.7.xxx.xxx.xxx    YES NVRAM  administratively down down  
FastEthernet1              192.168.1.41    YES DHCP   up                    up    
FastEthernet2              unassigned      YES unset  up                    down  
FastEthernet3              unassigned      YES unset  up                    down  
FastEthernet4              unassigned      YES unset  up                    down  
FastEthernet5              unassigned      YES unset  up                    down  
FastEthernet6              unassigned      YES unset  up                    down  
FastEthernet7              unassigned      YES unset  up                    down  
FastEthernet8              unassigned      YES unset  up                    up    
FastEthernet9              unassigned      YES unset  up                    down  
Vlan1                      192.168.8.10    YES NVRAM  up                    up    
Async1                     unassigned      YES NVRAM  down                  down  
NVI0                       unassigned      NO  unset  up                    up    
router#
