Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Dual-WAN using Cisco 1811 router

Howdy, I have a Cisco 1811 router, I also have 2 internet connections. A T1 and a Cable modem. I have them both configured on the router and they seem to be working OK. However failover is not working, What I would like is for one internet connection to take over if the other one drops out. How could I go about configuring this? I am a cisco newbie so any help would be appreciated. Thanks!

Current configuration : 11759 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BUR-FIREWALL
!
boot-start-marker
boot system flash:c181x-advipservicesk9-mz.124-9.T7.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$/JpT$IjHWfHpgYWAzLe9973Xls1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
ip cef
!
!
ip domain name hes.com
ip name-server 64.105.172.26
ip name-server 64.105.163.106
ip ssh source-interface Vlan1
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM pptp
ip inspect name SDM_MEDIUM l2tp
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com

    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1918811904
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1918811904
revocation-check none
rsakeypair TP-self-signed-1918811904
!
!
crypto pki certificate chain TP-self-signed-1918811904
certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657
  69666963 6174652D 31393138 38313139 3034301E 170D3038 30393230 30323
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313
  31313930 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890
  8100C905 6B922B8D 190F89FB 58A81D65 9E5CB3F2 5ED06CFB 7AD615DC 92EAC
  754DDBD0 7AFD4646 6C76366B 8A699AB9 F723FFB3 E0517378 75790C6B F18AE
  085001F0 AC512F5F 9E39518D 6A095D77 DEAF3996 772575F7 B1E165C9 95796
  CFAD09C9 04D790F5 31864F43 02569113 C3431E9E E531396F CFFA2E42 1A3E2
  102F0203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260
  551D1104 1F301D82 1B425552 2D464952 4557414C 4C2E6865 61647761 74657
  2E636F6D 301F0603 551D2304 18301680 14FE6508 4A6F58E9 00090130 88123
  DEF92653 D8301D06 03551D0E 04160414 FE65084A 6F58E900 09013088 1233B
  F92653D8 300D0609 2A864886 F70D0101 04050003 81810063 225F0108 F32D1
  1CB2F305 7641B401 9B8126A9 4B7524A8 F138C89C E8C7F4EC 0E85241A AC2FD
  6E5CE02D A7FBC5A9 78C5B277 444F86EC B485B93C 114BF6A3 F3580DEE 1F610
  8FD417E8 58110AF6 6A155462 28F1A26E 8B756E11 E8AC9E66 B7EBBD5F B35E2
  B338EE4C 069B4499 4DADA062 51102908 A6DA12BD 7AF5A8
  quit
username admin privilege 15 secret 5 $1$M58E$JPpG9FJ3nLMQtQaVSfZLV1
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-all site2
match access-group 120
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map VPN-output
class site2
  bandwidth 400
  police cir 5000000
policy-map sdmappfwp2p_SDM_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key burlingameremoteoffice1 address 66.166.76.98
crypto isakmp key burlingameremoteoffice1 address 66.7.251.138
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
!
crypto map vpncrypto 1 ipsec-isakmp
description Tunnel to66.166.76.98
set peer 66.7.251.138
set transform-set ESP-3DES-SHA
match address 105
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0
description Cable Modem$FW_OUTSIDE$$ETH-LAN$
ip address 173.8.139.169 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
speed 10
half-duplex
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface FastEthernet1
description T1 Line$FW_OUTSIDE$$ETH-LAN$
ip address 66.7.227.242 255.255.255.248
ip verify unicast reverse-path
ip nat outside
no ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map vpncrypto
service-policy output VPN-output
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
duplex half
speed 10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$
ip address 10.51.10.5 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
ip policy route-map BYPASS-VPN
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 66.7.227.241
ip route 10.31.10.0 255.255.255.0 66.7.227.241
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.51.10.25 1723 interface FastEthernet1 1723
ip nat inside source static tcp 10.51.10.25 3389 interface FastEthernet1 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
!
ip access-list extended acl_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended acl_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended inside_outbount_nat0_acl
remark SDM_ACL Category=2
remark IPSec Rule
deny   ip 10.51.10.0 0.0.0.255 10.31.10.0 0.0.0.255
permit ip 10.51.10.0 0.0.0.255 any
ip access-list extended sau2bg
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 66.7.227.240 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit ip 10.51.10.0 0.0.0.255 10.31.10.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 64.105.163.106 eq domain host 66.7.227.242
access-list 101 permit udp host 64.105.172.26 eq domain host 66.7.227.242
access-list 101 deny   ip 10.51.10.0 0.0.0.255 any
access-list 101 permit icmp any host 66.7.227.242 echo-reply
access-list 101 permit icmp any host 66.7.227.242 time-exceeded
access-list 101 permit icmp any host 66.7.227.242 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 permit ip any any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 66.166.76.98 host 173.8.139.170 eq non500-isakmp
access-list 103 permit udp host 66.166.76.98 host 173.8.139.170 eq isakmp
access-list 103 permit esp host 66.166.76.98 host 173.8.139.170
access-list 103 permit ahp host 66.166.76.98 host 173.8.139.170
access-list 103 deny   ip 10.51.10.0 0.0.0.255 any
access-list 103 deny   ip 66.7.227.240 0.0.0.7 any
access-list 103 permit icmp any host 173.8.139.170 echo-reply
access-list 103 permit icmp any host 173.8.139.170 time-exceeded
access-list 103 permit icmp any host 173.8.139.170 unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 permit ip 10.51.10.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.51.10.0 0.0.0.255 10.31.10.0 0.0.0.255
access-list 111 permit ip any host 10.51.10.25
access-list 111 permit ip any host 66.7.227.242
access-list 111 permit ip host 66.7.227.242 any
access-list 111 permit ip host 10.51.10.25 any
access-list 111 permit ip any any
access-list 120 permit esp any any
access-list 150 permit ip 10.51.10.0 0.0.0.255 10.31.10.0 0.0.0.255
access-list 190 permit ip 10.51.10.0 0.0.0.255 10.31.10.0 0.0.0.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address inside_outbount_nat0_acl
!
!
!
!
control-plane
!
banner login ^
All connections are logged and monitored.
Unauthorized access strictly forbidden.

^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

BUR-FIREWALL#

2 REPLIES

Re: Dual-WAN using Cisco 1811 router

James,

To accomplish what you are looking for, two things are very important:

1. Proper routing configured for Failover

2. NAT should be configured keeping in mind that when failover happens, secondary interface will be sending out traffic and packet needs to be NATed accordingly

For your router, here is a sample config that you can use:

Note: Below config will make Cable modem as the primary link to reach internet, make changes accordingly if you want to use T1 as primary. To use port 1723 and 3389 i.e PPTP and RDP from outside, you will have to change the ip on the external client when the primary link goes down.

--------------------------------------------------------------------------------------------------------------------

interface FastEthernet0
description Cable Modem Primary connection

interface FastEthernet1
description T1 line Secondary connection

route-map cablemodem
match ip add inside_outbount_nat0_acl
match interface fa0

route-map T1line
match ip add inside_outbount_nat0_acl
match interface fa1

ip nat inside source route-map T1line interface FastEthernet1 overload
ip nat inside source route-map cablemodem interface FastEthernet0 overload

no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload

no ip nat inside source static tcp 10.51.10.25 1723 interface FastEthernet1 1723
no ip nat inside source static tcp 10.51.10.25 3389 interface FastEthernet1 3389

ip nat inside source static tcp 10.51.10.25 1723 173.8.139.169 1723 route-map cablemodem
ip nat inside source static tcp 10.51.10.25 3389 173.8.139.169 3389 route-map cablemodem

ip nat inside source static tcp 10.51.10.25 1723 66.7.227.242 1723 route-map T1line
ip nat inside source static tcp 10.51.10.25 3389 66.7.227.242 3389 route-map T1line

ip route 66.7.251.138 255.255.255.255 66.7.227.241    ---> for your VPN peer, so that it keeps on using T1 link to make VPN tunnel

no ip route 0.0.0.0 0.0.0.0 66.7.227.241
ip route 0.0.0.0 0.0.0.0 66.7.227.241 200

ip route 0.0.0.0 0.0.0.0 173.8.139.170

--------------------------------------------------------------------------------------------------------------------

You can refer to the following document for getting more info about NAT config in Dual ISP situation:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

Hope the above information helps.

Neeraj

Re: Dual-WAN using Cisco 1811 router

Another thing I noticed in the config which seems incorrect is:

You have "ip policy route-map BYPASS-VPN" command under interface vlan1. This route-map is not even configured. So either configure this route-map for bypassing the NATing when sending the traffic over to VPN or simply remove this statement from unde rvlan 1 interface so that it does not cause any issues in future.

1877
Views
0
Helpful
2
Replies
CreatePlease to create content