I've got an 1841 with two separate Internet connections via separate ISPs, one using fe0/1 and the other using ser0/0/0. fe0/1 currently provides all Internet, including two L2L VPNs and all general Internet via NAT overload using the fe0/1 IP. With the second Internet T1 on ser0/0/0 I want to accomplish two things: dedicate all traffic from all inside hosts destined to a specific public IP out this line, and provide failover for this traffic back to the Internet on fe0/1 if this line drops. I'm not looking to provide two-way failover from either line back to the other, only one way from ser0/0/0 back to fe0/1.

Right now I've got separate public IPs on each interface with NAT overload ACLs on each. I've got fe0/1 set as the gateway of last resort, and static routes built to route traffic destined for the two specific public hosts over to ser0/0/0. Based on my limited testing so far, it looks like I also have to mirror permit/deny on the two NAT overload ACLs for each interface:
! fe0/1 overload: translate everything from the inside subnet except traffic
! to the dedicated public host
ip nat inside source list 105 interface FastEthernet0/1 overload
! ser0/0/0 overload: translate only traffic to the dedicated public host
ip nat inside source list 106 interface Serial0/0/0 overload
access-list 105 deny ip 172.20.11.0 0.0.0.255 host <static host public IP>
access-list 105 permit ip 172.20.11.0 0.0.0.255 any
access-list 106 permit ip 172.20.11.0 0.0.0.255 host <static host public IP>
access-list 106 deny ip 172.20.11.0 0.0.0.255 any
If that's the case then the failover won't work. What am I missing?
It will most likely be easier to use route-maps on your NAT overload statements to do the selection. You can match the interface rather than IPs. This allows you to control the NAT selection via routing rather than IP addresses.
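Here is an added worked configuration for the route-map approach described in the answer above; it is not from the original post or the reply, and it illustrates the setup in the question as well. The reason the mirrored ACLs break failover is that once the serial line drops, traffic to the dedicated host is routed out fe0/1 by the default route, but ACL 105 explicitly denies it, so it leaves fe0/1 untranslated with a private source address. With `match interface` in a route map, whichever outside interface the routing table chooses is also the one whose NAT statement applies. Assumptions not in the original post: the inside LAN is on FastEthernet0/0, the dedicated public host is 203.0.113.10, the Serial0/0/0 ISP next hop is 198.51.100.1, the fe0/1 next hop is 192.0.2.1 (all placeholder addresses), and the IOS on the 1841 supports the `ip sla` / `track` syntax shown.

```cisco
! Added example (not the original poster's config): route-map based NAT
! overload for two ISPs with one-way failover from Serial0/0/0 to Fa0/1.
! Placeholder values (assumptions): 203.0.113.10 = dedicated public host,
! 198.51.100.1 = serial ISP next hop, 192.0.2.1 = fe0/1 next hop.

interface FastEthernet0/0
 description Inside LAN 172.20.11.0/24 (assumed inside interface)
 ip nat inside
interface FastEthernet0/1
 ip nat outside
interface Serial0/0/0
 ip nat outside

! One ACL selects the inside hosts to translate. The L2L VPN exemptions the
! post does not show would go here as deny entries ahead of the permit.
access-list 110 permit ip 172.20.11.0 0.0.0.255 any

! Each route map matches the same inside hosts plus the egress interface the
! routing lookup selected, so NAT follows routing rather than a second copy
! of the destination-based decision.
route-map NAT-FE01 permit 10
 match ip address 110
 match interface FastEthernet0/1
route-map NAT-SER000 permit 10
 match ip address 110
 match interface Serial0/0/0

ip nat inside source route-map NAT-FE01 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-SER000 interface Serial0/0/0 overload

! Probe the serial ISP next hop so the host route is withdrawn when the T1
! upstream stops answering, not only when the interface itself goes down.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Default via fe0/1 (gateway of last resort); the tracked host route pulls
! traffic for the dedicated host over the T1 while it is healthy. When the
! track goes down the host route disappears, the default route wins, and the
! NAT-FE01 route map translates the same traffic on fe0/1.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 192.0.2.1
ip route 203.0.113.10 255.255.255.255 Serial0/0/0 198.51.100.1 track 1
```

Two checks worth doing after applying this: `show ip nat translations` to confirm the dedicated host's sessions carry the Serial0/0/0 address while the T1 is up and the fe0/1 address after a failover, and `show track 1` to confirm the probe state. Translations built over the serial link stay in the NAT table until they age out, so inside hosts with an existing session to the dedicated host may keep failing until that entry expires or you run `clear ip nat translation *`. Because the route map no longer denies traffic on the "wrong" interface, a host route that is misconfigured or withdrawn simply gets translated on fe0/1, which is the intended failover behaviour here, but it also means nothing in NAT will stop the dedicated-host traffic from using fe0/1 if that is not wanted.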