Cisco Support Community
Community Member

NAT Outside on 2 Subinterfaces

Hi,

I have configured a 2651xm router on a cat3550 (Router on a stick).

See config of router below.

I'm unable to see the net on 1 of the subinterfaces, fe 0/0.2. It does work on fe 0/0.4.


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-672148328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-672148328
revocation-check none
rsakeypair TP-self-signed-672148328
!
!
crypto pki certificate chain TP-self-signed-672148328
certificate self-signed 01
        quit
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
description Trunk to 3550 FE 0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
description Link to ISP1
encapsulation dot1Q 2
ip address 192.168.0.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.4
description Link To ISP2
encapsulation dot1Q 4
ip address 192.168.4.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description Internal LAN
ip address 192.168.223.253 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1 10
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0.2
ip route 192.168.4.0 255.255.255.0 FastEthernet0/0.4
!
ip http server
ip http secure-server
ip nat source route-map ISP2 interface FastEthernet0/0.4 overload
ip nat source route-map ISP1 interface FastEthernet0/0.2 overload
!
access-list 100 permit ip 192.168.223.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0.2
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet0/0.4
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Router#

I can ping both gateways

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms


Router#ping 192.168.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Below are some traceroutes

Router#traceroute www.google.com.au source fastEthernet 0/0.4

Type escape sequence to abort.
Tracing the route to www.l.google.com (66.102.11.104)

  1 192.168.4.1 4 msec 4 msec 4 msec
  2 loopback1.ken10.sydney.telstra.net (165.228.2.1) 28 msec 24 msec 28 msec
  3 TenGigE0-1-0-2.ken-core4.Sydney.telstra.net (203.50.20.1) 28 msec 24 msec 24 msec
  4 Bundle-Ether1.ken39.Sydney.telstra.net (203.50.6.146) 24 msec 24 msec 24 msec
  5 72.14.222.5 24 msec 24 msec 28 msec
  6 66.249.95.232 24 msec 24 msec 28 msec
  7 64.233.174.242 28 msec 36 msec 36 msec
  8 www.l.google.com (66.102.11.104) 24 msec 24 msec 28 msec

  Router#traceroute www.google.com.au source fastEthernet 0/0.2

Type escape sequence to abort.
Tracing the route to www.l.google.com (66.102.11.104)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
30  *  *  *

Why can't I see the net on Fe 0/0.2?

Hall of Fame Super Gold

Re: NAT Outside on 2 Subinterfaces

Disable the non-relevant default route when doing these tests, or you can have unexpected results.

NAT clients should work normally even in the presence of both routes.

Community Member

Re: NAT Outside on 2 Subinterfaces

p.bevilacqua ,

I removed the route and was able to ping using Fe0/0.2

I have now added the route back in.

When pinging an external host and shutting down fe 0/0.4, it then reroutes via fe 0/0.2; however, when physically removing the cable from the switch, it doesn't reroute via fe 0/0.2.

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

1. You don't have to put the two static routes below back, as your router already has both /24 routes as connected routes.

It is a good practice to remove unnecessary static routes.

ip route 192.168.0.0 255.255.255.0 FastEthernet0/0.2
ip route 192.168.4.0 255.255.255.0 FastEthernet0/0.4

2. If you know your ISP's default gateway address on both the 192.168.0.0/24 and 192.168.4.0 subnets, it is better to specify that address in the static route statement, instead of pointing to the interface.

If you point a static route to a broadcast interface, the route is inserted into the routing table only when the broadcast interface is up. This configuration is not recommended because when the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface. For example, ip route 0.0.0.0 0.0.0.0 Ethernet0

With this type of configuration, a router performs Address Resolution Protocol (ARP) on the Ethernet for every destination the router finds through the default route because the router considers all of these destinations as directly connected to Ethernet 0.

This kind of default route, especially if it is used by a lot of packets to many different destination subnets, can cause high processor utilization and a very large ARP cache (along with attendant memory allocation failures).

3. With the current configuration and cable connection, ISP failover will not occur when you remove the cable from the switch to the ISP because the router's sub-int is still up. So, you need to use a static route with SLA tracking.

With IP SLA tracking, the router keeps checking if there is connectivity to your ISP default gateway and will fail over to the other ISP connection.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

In the above example, it is assumed that one ISP connection is DHCP.

In your configuration, you are using two static default routes, so you need to configure both default static routes with the track option.

KK.

Community Member

Re: NAT Outside on 2 Subinterfaces

Kyuhwan Kim,

Thanks for your reply.

I have implemented the changes as per your suggestion. However, I don’t have the track rtr option.

Router(config)#track 1 ?

  interface    Select an interface to track

  ip           IP protocol

  list         Group objects in a list

  stub-object  Stub tracking object

So this is what I did instead:

track 123 ip route 192.168.0.1 255.255.255.255 reachability
 delay down 30 up 30
!
track 456 ip route 192.168.4.1 255.255.255.255 reachability
 delay down 30 up 30

ip sla 1
 icmp-echo 192.168.0.1 source-interface FastEthernet0/0.2
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo 192.168.4.1 source-interface FastEthernet0/0.4
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 2 life forever start-time now

Show ver - (C2600-IPBASEK9-M), Version 12.4(15)T11

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

It looks like the IPBASE image doesn't have the track xxx rtr option.

A tracked IP route object is considered up and reachable when a routing table entry exists for the route and the route is not inaccessible, so it is not very helpful, as your sub-interface will be up when you pull out the switch cable.

Would you upgrade your IOS to the advanced-IP feature set from the current IPBASE?

KK.

Community Member

Re: NAT Outside on 2 Subinterfaces

Kyuhwan Kim,

I have upgraded to the new IOS as per suggestion.

Note I had to redo the IP SLA commands.

I can see 192.168.0.1 & 192.168.4.1; however, I'm unable to send any traffic externally via fe 0/0.4.

When I unplug fe0/0.2 I get this message:

*Aug 20 06:39:11.365: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down

And when it's plugged back in I get:

*Aug 20 06:41:21.370: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up

However, when doing a traceroute I get:

Tracing the route to www.l.google.com (66.102.11.104)

1 192.168.4.1 0 msec *  0 msec
  2  *
    loopback1.ken10.sydney.telstra.net (165.228.2.1) 24 msec *
  3 tengige0-1-0-2.ken-core4.sydney.telstra.net (203.50.20.1) 24 msec *  24 msec
  4  *
    bundle-ether1.ken39.sydney.telstra.net (203.50.6.146) 24 msec *
  5 72.14.222.5 24 msec *  24 msec
  6  *
    66.249.95.232 24 msec *
  7 64.233.174.242 32 msec *  24 msec
  8  *
    www.l.google.com (66.102.11.104) 24 msec *

And when I do a ping from the router and then remove fe 0/0.2 I get:

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 66.102.11.104, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!..........
*Aug 20 06:46:56.416: %TRACKING-5-STATE: 456 rtr 2 reachability Up->Down............
*Aug 20 06:47:21.417: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (977/1000), round-trip min/avg/max = 20/24/88 ms

Router#show run
Building configuration...

Current configuration : 4340 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot bootstrap tftp c2600-advipservicesk9-mz.124-25c.bin 255.255.255.255
boot system flash c2600-advipservicesk9-mz.124-25c.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.1 source-interface FastEthernet0/0.2
timeout 2
threshold 70
frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 192.168.4.1 source-interface FastEthernet0/0.4
timeout 2
threshold 40
frequency 1
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-672148328
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-672148328
revocation-check none
rsakeypair TP-self-signed-672148328
!
!
crypto pki certificate chain TP-self-signed-672148328
certificate self-signed 01
  quit
archive
log config
  hidekeys
!
!
!
track 123 rtr 1 reachability
delay down 15 up 10
!
track 456 rtr 2 reachability
delay down 15 up 10
!
!
!
!
!
interface FastEthernet0/0
description Trunk to 3550 FE 0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
description Link to ISP1 VLAN
encapsulation dot1Q 2
ip address 192.168.0.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.4
description Link To ISP2
encapsulation dot1Q 4
ip address 192.168.4.253 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description Internal LAN
ip address 192.168.223.253 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip forward-protocol nd
ip forward-protocol spanning-tree
ip route 0.0.0.0 0.0.0.0 192.168.0.1 track 123
ip route 0.0.0.0 0.0.0.0 192.168.4.1 track 456
!
ip flow-export destination 192.168.223.168 9996
!
ip http server
ip http secure-server

ip nat source route-map ISP2 interface FastEthernet0/0.4 overload
ip nat source route-map ISP1 interface FastEthernet0/0.2 overload
!
access-list 100 permit ip 192.168.223.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 remark SSHED PABX Server
!
route-map ISP1 permit 10
match ip address 100
match interface FastEthernet0/0.2
!
route-map ISP2 permit 10
match ip address 100
match interface FastEthernet0/0.4
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password Profit2628
login
!
!
end

Router#         ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#         ping 192.168.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Router#sh ip nat tra

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.4.1 to network 0.0.0.0

C    192.168.4.0/24 is directly connected, FastEthernet0/0.4
C    192.168.0.0/24 is directly connected, FastEthernet0/0.2
C    192.168.223.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.4.1
               [1/0] via 192.168.0.1
Router#

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

By default, the router is doing per-destination load-sharing with CEF.

Would you try to use different destinations to see how load-sharing occurs?

KK

Community Member

Re: NAT Outside on 2 Subinterfaces

Kyuhwan,

Thanks for the response. No, I am unable to send any traffic out. I can see both 192.168.4.1 and 192.168.0.1.

When doing traceroutes the first hop is * up till 30.

I have shut down fe 0/0.2 with the same results. Re-enabled fe 0/0.2 and shut down fe 0/0.4 with the same results.

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

Would you check the commands below and post here?

sh track

sh ip sla statistics

sh ip route

KK

Community Member

Re: NAT Outside on 2 Subinterfaces

As per request,

Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.4.0/24 is directly connected, FastEthernet0/0.4
C    192.168.0.0/24 is directly connected, FastEthernet0/0.2
C    192.168.223.0/24 is directly connected, FastEthernet0/1

Router#sh ip sla monitor statistics
Round trip time (RTT)   Index 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *06:48:46.897 UTC Sat Aug 21 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 1565
Operation time to live: Forever

Round trip time (RTT)   Index 2
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *06:48:46.901 UTC Sat Aug 21 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 1565
Operation time to live: Forever

Router#sh track
Track 123
  Response Time Reporter 1 reachability
  Reachability is Down
    3 changes, last change 01:51:41
  Delay up 10 secs, down 15 secs
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
Track 456
  Response Time Reporter 2 reachability
  Reachability is Down
    1 change, last change 03:25:31
  Delay up 10 secs, down 15 secs
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

From sh track and sh ip sla stat, IP SLA failed to ping that address, so both static routes are not installed in the routing table.

That's why you can't ping outside.

Please get rid of all options from both IP SLAs and check if IP SLA returns with success.

conf t
no ip sla monitor 1
no ip sla monitor 2

ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.0.1 source-interface FastEthernet0/0.2
ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2
 type echo protocol ipIcmpEcho 192.168.4.1 source-interface FastEthernet0/0.4
ip sla monitor schedule 2 life forever start-time now

It is better to use just default options then adjust later.

KK.

Community Member

Re: NAT Outside on 2 Subinterfaces

Kyuhwan Kim,

I have made the changes. See the outputs below.

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.4.0/24 is directly connected, FastEthernet0/0.4
C    192.168.0.0/24 is directly connected, FastEthernet0/0.2
C    192.168.223.0/24 is directly connected, FastEthernet0/1
Router#sh track
Track 123
  Response Time Reporter 1 reachability
  Reachability is Down
    5 changes, last change 04:15:59
  Delay up 10 secs, down 15 secs
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
Track 456
  Response Time Reporter 2 reachability
  Reachability is Down
    3 changes, last change 03:56:49
  Delay up 10 secs, down 15 secs
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
Router#sh ip sl
Router#sh ip sla mo
Router#sh ip sla monitor tot
Router#sh ip sla monitor totals-statistics
Entry number: 1
Start Time Index: *14:10:23.050 est Sun Aug 22 2010
Age of statistics entry (seconds): 4166
Number of initiations: 60

Start Time Index: *15:10:23.051 est Sun Aug 22 2010
Age of statistics entry (seconds): 566
Number of initiations: 10


Entry number: 2
Start Time Index: *14:10:30.959 est Sun Aug 22 2010
Age of statistics entry (seconds): 4158
Number of initiations: 60

Start Time Index: *15:10:30.960 est Sun Aug 22 2010
Age of statistics entry (seconds): 558
Number of initiations: 10

Still unable to get any traffic through.

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi, Louis.

I can still see IP SLA tracking is failing somehow, although you can ping the tracking destination fine.

Would you post "sh ip sla configuration" and the output of a ping test from your router to the ISP?

KK.

Community Member

Re: NAT Outside on 2 Subinterfaces

Hi,

Router#show ip sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 203.215.19.247
Source Interface: FastEthernet0/0.2
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:

Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 165.228.2.1
Source Interface: FastEthernet0/0.4
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:


Router#ping 192.168.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Router#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Router#ping 203.215.19.247

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.215.19.247, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
Router#ping  165.228.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 165.228.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Note 192.168.4.1 and 192.168.0.1 are the internal ISP routers. The next hops are 203.215.19.247 and 165.228.2.1.

The router is unable to reach that address. That could be why it is not using those routes?

I can use the internal addresses; however, that doesn't mean the link is active...

Community Member

Re: NAT Outside on 2 Subinterfaces

I have made the following changes

no ip sla monitor 1

no ip sla monitor 2

ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.1 source-interface FastEthernet0/0.2
ip sla monitor schedule 1 life forever start-time now


ip sla monitor 2

type echo protocol ipIcmpEcho 192.168.4.1 source-interface FastEthernet0/0.4
ip sla monitor schedule 2 life forever start-time now

and it appears to be working.

But as mentioned before, I want it to ping an external host to ensure the route is active till the ISP's gateway.

Cisco Employee

Re: NAT Outside on 2 Subinterfaces

Hi,

You need to make sure your router can ping those two Internet addresses for IP SLA tracking to work.

You said 192.168.4.1 and 192.168.0.1 is the internal ISP router.

Do you mean you can telnet to these boxes or is it managed by your ISP?

You should make sure these two devices are doing NAT for your private address.

KK.
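The dependency behind the outputs in the posts above (both track objects Down, "Gateway of last resort is not set", external probe targets timing out), as an added example that is not code from the thread: a Python check that flags tracked static routes whose IP SLA probe target is reachable only through tracked routes. The function names are hypothetical, and the sample config is constructed from values in the thread's `show run` and `show ip sla monitor configuration` output.

```python
import ipaddress
import re

# Constructed sample: addresses, tracks and routes as in the thread's
# "show run"; probe 1 uses the external target from its
# "show ip sla monitor configuration" output, probe 2 the ISP2 gateway.
SAMPLE_CONFIG = """\
ip sla monitor 1
 type echo protocol ipIcmpEcho 203.215.19.247 source-interface FastEthernet0/0.2
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 192.168.4.1 source-interface FastEthernet0/0.4
ip sla monitor schedule 2 life forever start-time now
track 123 rtr 1 reachability
track 456 rtr 2 reachability
interface FastEthernet0/0.2
 ip address 192.168.0.253 255.255.255.0
interface FastEthernet0/0.4
 ip address 192.168.4.253 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.223.253 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.0.1 track 123
ip route 0.0.0.0 0.0.0.0 192.168.4.1 track 456
"""


def parse(config):
    """Extract probe targets, track-to-probe bindings and route prefixes."""
    sla_target = {}  # SLA entry number -> probe target address
    track_sla = {}   # track object number -> SLA entry number
    prefixes = []    # (network, gating track number or None)
    current_sla = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip sla(?: monitor)? (\d+)", line):
            current_sla = int(m[1])
        elif m := re.match(r"(?:type echo protocol ipIcmpEcho|icmp-echo) (\S+)", line):
            if current_sla is not None:
                sla_target[current_sla] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"track (\d+) (?:rtr|ip sla) (\d+) reachability", line):
            track_sla[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            # A connected network needs no track object to stay in the table.
            prefixes.append((ipaddress.ip_interface(f"{m[1]}/{m[2]}").network, None))
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)(?: \d+)?(?: track (\d+))?", line):
            gate = int(m[4]) if m[4] else None
            prefixes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), gate))
    return sla_target, track_sla, prefixes


def self_gated_probes(config):
    """Return (track, probe target) pairs reachable only through tracked routes.

    Once those routes are withdrawn the probe has no route to its target,
    so the track object cannot come back Up on its own.
    """
    sla_target, track_sla, prefixes = parse(config)
    findings = []
    for track, sla in sorted(track_sla.items()):
        target = sla_target.get(sla)
        if target is None:
            continue
        # Reachable independently only if an untracked prefix covers the target.
        if not any(gate is None for net, gate in prefixes if target in net):
            findings.append((track, str(target)))
    return findings


if __name__ == "__main__":
    for track, target in self_gated_probes(SAMPLE_CONFIG):
        print(f"track {track}: probe target {target} depends on tracked routes")
```

Appending an untracked host route for the probe target through that ISP's gateway (for example `ip route 203.215.19.247 255.255.255.255 192.168.0.1`) clears the finding; that remedy is common practice and is not stated in the thread.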

Community Member

Re: NAT Outside on 2 Subinterfaces

Thanks for your assistance. The IP SLA is not working. However, the IP CLASSLESS command is no longer showing in the config.
I have added it multiple times but it doesn't show when I do a show run.
I can ping remote hosts from the router using both fe 0/0.2 and 0/0.4. However, nothing works from 0/1 - internal LAN.
This is due to ip classless, correct?