Cisco Support Community

Dual ISP (Failover) NAT Configuration - HELP!

I have the following situation:

2 ISPs: 1 with a fixed IP (200.1.1.1, fake), 1 ADSL (backup ISP) with a dynamic IP.

CISCO 1811, 12.4

1 ISA Server 2004 on the inside working as a proxy. The only internal IP address (10.10.10.2).

Servers published on the ISA IP.

I made it work fine for outgoing traffic but need help on incoming traffic (only working with the static IP) and with L2TP/IPsec passthrough to the ISA server. I could not make the NAT (i.e. ip nat inside source static tcp 10.10.10.2 25 interface FastEthernet0 25) work with route-maps as stated in some documents, nor with extendable.

I could have a 1-to-1 map of 10.10.10.2 with the two external interfaces but could not configure it (overload gets in automatically).

Relevant config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
hostname border01
!
boot-start-marker
boot-end-marker
no ip source-route
ip cef
multilink bundle-name authenticated
!
ip tcp synwait-time 10
!
track 100 ip sla 1 reachability
 delay down 10 up 20
!
!****Fixed IP WAN
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 200.1.1.1 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
!****ADSL Interface
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname k35035@adsl51
 ppp chap password 7 060F1B321D1C5E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.1.1.2 track 100
ip route 0.0.0.0 0.0.0.0 Dialer0 100
ip route 200.2.2.2 255.255.255.255 200.1.1.2
!
ip nat inside source static tcp 10.10.10.2 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.2 110 interface FastEthernet0 110
ip nat inside source static tcp 10.10.10.2 80 interface FastEthernet0 80
ip nat inside source static tcp 10.10.10.2 25 interface FastEthernet0 25
ip nat inside source route-map fixed-nat interface FastEthernet0 overload
ip nat inside source route-map ppoe-nat interface Dialer0 overload
!
ip access-list extended Entrante
 remark CCP_ACL Category=128
 permit ip any host 10.10.10.2
!
ip sla 1
 icmp-echo 200.58.128.57 source-interface FastEthernet0
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 200.1.1.0 0.0.0.8 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map fixed-nat permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map ppoe-nat permit 10
 match ip address 1
 match interface Dialer0
!

ANY HELP is greatly appreciated... I've spent too much time on this.
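Two things worth checking in a dual-ISP config like the one above, as an added audit script that is not from the post or from Cisco: which `ip nat outside` interfaces actually carry inbound static translations, and whether each IP SLA probe target has a /32 route pinned toward the tracked next hop (without one, the probe follows the default route onto the backup link after failover and the track can flap). The config excerpt below is constructed from the post's own placeholder addresses; the script reads an IOS-style config and reports findings, it does not change anything.

```python
import re

# Constructed excerpt of the posted border01 config (the post's own placeholder addresses).
CONFIG = """\
interface FastEthernet0
 ip nat outside
interface Dialer0
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 200.1.1.2 track 100
ip route 0.0.0.0 0.0.0.0 Dialer0 100
ip route 200.2.2.2 255.255.255.255 200.1.1.2
ip nat inside source static tcp 10.10.10.2 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.2 25 interface FastEthernet0 25
ip sla 1
 icmp-echo 200.58.128.57 source-interface FastEthernet0
"""

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\d+)")

def parse_config(text):
    """Pull the NAT, static-route and IP SLA facts the audit needs out of an IOS config."""
    f = {"outside": [], "statics": {}, "host_routes": {}, "tracked_nexthop": None, "probes": []}
    iface = None
    for raw in text.splitlines():
        line, m = raw.strip(), STATIC_RE.match(raw)
        if raw.startswith("interface "):          # top-level interface stanza
            iface = raw.split()[1]
        elif line == "ip nat outside" and iface:
            f["outside"].append(iface)
        elif m:                                   # static port forward bound to an outside interface
            f["statics"].setdefault(m.group(2), []).append(f"{m.group(1)}/{m.group(3)}")
        elif line.startswith("ip route "):
            p = line.split()
            if p[2:4] == ["0.0.0.0", "0.0.0.0"] and "track" in p:
                f["tracked_nexthop"] = p[4]       # primary default route's next hop
            elif p[3] == "255.255.255.255":
                f["host_routes"][p[2]] = p[4]     # pinned /32 routes
        elif line.startswith("icmp-echo "):
            f["probes"].append(line.split()[1])   # IP SLA probe target
    return f

def audit(text):
    """Findings: outside interfaces with no inbound static NAT, and SLA probes not pinned to the tracked next hop."""
    f = parse_config(text)
    findings = [f"no inbound static NAT on outside interface {i}" for i in f["outside"] if i not in f["statics"]]
    for target in f["probes"]:
        if f["host_routes"].get(target) != f["tracked_nexthop"]:
            findings.append(f"sla probe {target} has no host route via tracked next hop {f['tracked_nexthop']}")
    return findings
```

Run `audit(CONFIG)` to get the list of findings; on the excerpt above it reports that Dialer0 has no inbound translations and that the probe target 200.58.128.57 is not pinned via 200.1.1.2.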
