Dual WAN failover: WAN requests on the backup interface

gcrisenbery
Level 1

I have implemented failover using various tutorials on the net, including this one: http://www.blindhog.net/cisco-dual-internet-connections-without-bgp/ . The difference from the above link is that I use it for failover, not load balancing, therefore the route out the DSL interface has a higher metric than the one out cable. My issue is I cannot ping or access services from outside via the DSL interface while the cable is up; when the cable is down it works fine. I believe this to be because the responses to WAN requests received on the DSL interface try taking the default route out the cable interface. This functionality is not critical but it would be nice; anyone have an idea what kind of configuration I need to make this work?

thanks,

Gary

13 Replies

Mohamed Sobair
Level 7

Gary,

You can have policy-based routing (PBR) configured for the DSL interface; this would allow requests received on the DSL interface to be forwarded back out the same interface, provided that you have the correct configuration in the route map for the outgoing subnet you are accessing from.

Please elaborate more on which subnet you are accessing the DSL from and what network you are accessing, so that I can propose you an example to work it out.

HTH


Mohamed

Here are some of the relevant portions of my config; gigabitethernet0/1 and dialer1 are the WAN interfaces. I also found a new problem with this config vs. the old one that just used cable and had NAT statements such as:

ip nat inside source static tcp 192.168.1.55 1723 interface GigabitEthernet0/1 1723

With my new NAT statements Microsoft VPN no longer works. I am thinking it may have something to do with GRE; I didn't have any NAT statements for that, just a firewall rule allowing it. That hasn't changed, but for some reason VPN will not work with the failover NAT in place. Any ideas on that as well?

thanks,

Gary

! IP SLA probe to 208.67.222.222, referenced by track 1 to detect a cable failure.
! (The post mixed the older "ip sla monitor" and the newer "ip sla" syntax; shown
! here consistently in the newer form.)
ip sla 1
 icmp-echo 208.67.222.222
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Host route pins the probe to the cable interface, so the probe always tests the
! cable path rather than whichever default route happens to be active.
ip route 208.67.222.222 255.255.255.255 GigabitEthernet0/1
! Primary default via cable, withdrawn when track 1 goes down;
! floating default via DSL with administrative distance 100.
ip route 0.0.0.0 0.0.0.0 74.x.x.x track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 100
!
! Overload (PAT) on each WAN interface, selected by route-map.
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map dslnat interface Dialer1 overload
!
route-map dslnat permit 1
 match ip address 101
 match interface Dialer1
!
route-map cablenat permit 1
 match ip address 101
 match interface GigabitEthernet0/1
!
! Static port forwards that were removed from the cable address ...
no ip nat inside source static tcp 192.168.1.55 80 74.x.x.x 80 route-map cablenat extendable
no ip nat inside source static tcp 192.168.1.55 443 74.x.x.x 443 route-map cablenat extendable
no ip nat inside source static tcp 192.168.1.55 1723 74.x.x.x 1723 route-map cablenat extendable
!
! ... and the ones in place on the DSL address.
ip nat inside source static tcp 192.168.1.55 80 216.x.x.x 80 route-map dslnat extendable
ip nat inside source static tcp 192.168.1.55 443 216.x.x.x 443 route-map dslnat extendable
ip nat inside source static tcp 192.168.1.55 1723 216.x.x.x 1723 route-map dslnat extendable
!
! Inside networks eligible for translation.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 192.168.11.0 0.0.0.255 any

Hi,

Only Microsoft is not working? Does the NAT for HTTP and TCP 443 work fine?

Where is the GRE in your config here? Please post its config. Does the firewall allow those ports?

HTH

Mohamed

The others work; this is the only config I have for GRE:

access-list 104 permit gre any host 74.x.x.x

GRE is an IP protocol, so no TCP or UDP ports; apparently something about the way NAT works through route maps breaks the PPTP/GRE connection. Any ideas on this or the original question?

cadet alain
VIP Alumni

Hi,

You should try floating static routes with IP SLA. This way the second static route with higher AD will get installed when there is a failure on the other link, and vice versa.

Regards.

Don't forget to rate helpful posts.

I am already doing this; my question was how can I access services on the secondary interface when the primary is up?

Hi,

I still couldn't understand your setup EXCEPT for the NAT config you have posted. It might be useful if you post a small diagram or the config for your firewall and GRE on the router.

However, I understand that you have NAT with a floating static route configured for backup, and you don't have it for load balancing.

Now, you can have PBR (policy-based routing) along with your NAT configured for a specific source, influencing the traffic to traverse the DSL line; hence, this guarantees the return traffic and inbound traffic for those hosts comes through the DSL interface as long as the primary is up.

HTH

Mohamed

Can you give me an example of how to do the PBR for a specific source? My setup is fairly simple: I have a couple of internal VLANs, but the main one I'm worried about is the 192.168.1.x network. I have a cable modem attached to the gigabitethernet0/1 interface on the router and a DSL card in the router. The Gigabitethernet0/0 interface is my internal one, attached to a switch. My whole config is pretty long since I also have CME and phones running on this router, so I was just trying to post the relevant sections.

This is all I used to have in order for the MS VPN to work (ACL 104 is applied to interface gigabitethernet0/1):

ip nat inside source static tcp 192.168.1.55 1723 interface GigabitEthernet0/1 1723

access-list 104 permit gre any host 74.x.x.x (ip of interface Gigabitethernet0/1)

I found a post here with some info on PPTP and NATting that I think may be relevant to my situation. I may try to copy some things from this config and see how it works.

http://www.certforums.co.uk/forums/archive/index.php/t-15357.html

Below is an example for you:

interface G0/0
 ip policy route-map services
!
route-map services permit 10
 match ip address 199
 set interface Dialer0
!
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Note:

Leave your NAT configuration as it is. With the above config, all traffic from source 192.168.1.0 is forced to traverse the DSL link as long as it's up; even when the primary link is up, it won't use it. It will only use it once interface Dialer0 is down.

Let me know if you have another inquiry,

Mohamed
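A variant of the PBR above, added here as an illustration and not part of Mohamed's reply or any Cisco document: it narrows the policy to the one published server, keeps inter-VLAN traffic off the DSL link, and adds a local policy so that packets the router itself originates from the DSL address (for example echo replies when the DSL address is pinged) leave via the dialer instead of the cable default route. It assumes the DSL interface is Dialer1 and its address is the static 216.x.x.x shown in the posted NAT statements; every Internet-bound packet from 192.168.1.55 then leaves via DSL while Dialer1 is up, which is the trade-off Mohamed describes.

```cisco
! Added illustration (hypothetical, not from the thread). Assumes the DSL
! interface is Dialer1 with static address 216.x.x.x (redacted as in the post).
!
! 1. Traffic from the published server: deny internal destinations first so
!    inter-VLAN traffic is routed normally, then policy-route the rest to DSL.
ip access-list extended SERVER-TO-DSL
 deny   ip host 192.168.1.55 192.168.0.0 0.0.255.255
 permit ip host 192.168.1.55 any
!
route-map services permit 10
 match ip address SERVER-TO-DSL
 set interface Dialer1
!
! Apply on the inside interface (or the subinterface carrying 192.168.1.0/24).
! If Dialer1 is down, "set interface" is skipped and the packet follows the
! routing table, i.e. the cable default route, so failover still works.
interface GigabitEthernet0/0
 ip policy route-map services
!
! 2. Packets the router originates from the DSL address (echo replies to a
!    monitor pinging Dialer1, for instance) would otherwise follow the cable
!    default route; local policy sends them back out Dialer1.
ip access-list extended DSL-SELF
 permit ip host 216.x.x.x any
!
route-map local-pbr permit 10
 match ip address DSL-SELF
 set interface Dialer1
!
ip local policy route-map local-pbr
!
! Verification: the policy-routed counters on both route-maps should increase
! while a request arrives via DSL and its reply leaves the same way.
!   show ip policy
!   show route-map services
!   show route-map local-pbr
!   show ip nat translations | include 216.
```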

That's not really what I was looking for; the only traffic I want going over the DSL is WAN requests that come to that interface. For example, I want to be able to ping the DSL interface from an outside source when the cable is up, or access a webpage on a server through the DSL or cable interface when both are up, and with the current configuration I cannot. My thought was that it was because the response is going out the default route rather than back out the DSL interface. Could this be the case? Again, I can access services and ping stuff through the DSL interface if the cable is down, but not when they both are up.

Hi,

Your first request was different: you were claiming that you need subnet 192.168.1.0 to be able to use the DSL link, and that access from outside should be provided through the DSL link.

Now, with the config I suggested above, this should work fine without any problems ONLY for subnet 192.168.1.0, as whenever a request comes in through the dialer interface, the router forces the traffic back through the same interface.

BUT, you won't be able to ping the dialer interface from outside since the router doesn't have a route back through the dialer. (The default route and the response are going through the cable link.)

To clarify more, the services you are trying to access from outside are on subnet 192.168.1.0/24, right?

HTH

Mohamed

Pinging is not strictly necessary, as I want this for monitoring of primary and backup links from a third-party failover DNS provider, and I can monitor a service port. Basically I want to be able to access services on the 192.168.1.x network from outside via either the dialer or cable interface when both are up; is this possible? Is that what the config you gave accomplishes?

Hi,

No, this is not what my previous config accomplishes. My previous config basically allows subnet 192.168.1.0 to be accessed from the dialer interface while the rest of the network uses the cable, with both interfaces as backup for each other. This is because you have the config of both interfaces as redundant and backup and not used for load balancing.

If you need to have access from outside on both interfaces when they are up, then you need to have load balancing in place on the router.

HTH

Mohamed
