11-04-2006 03:01 AM - edited 03-03-2019 02:35 PM
Here's the scenario: I have a 2811 Router and have two WICs for failover and load balancing. This is working OK.
However, the NAT port 25 translation only works on one WAN address at a time, and it seems to switch from one to the other whenever it feels like it and when a failure happens, but I would like it to be available on both WAN addresses at the same time.
Below is my running script; the two IP addresses are the static WAN addresses given by my ISP, which are received automatically.
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.4.253 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
pvc 0/38
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname username
ppp chap password 0 password
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname username
ppp chap password 0 password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat pool ISP2 213.x.237.x.218.237.16 netmask 255.255.255.255
ip nat pool ISP1 213.x.237.x.218.237.7 netmask 255.255.255.255
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 10
match interface Dialer1
!
route-map ISP1-map permit 10
match interface Dialer0
!
!
11-13-2006 01:26 AM
Yes two interfaces would be ok.
I have already done this however, and it doesn't seem to make a difference.
Do you need an ip route 0.0.0.0 0.0.0.0 DialerX command, or is there a way to do this by using a route-map? This is what seems to be the problem, as it always seems that the default gateway is Dialer0.
11-13-2006 04:37 PM
Can you share the config of the router? If you have two interfaces in the mail server, they are located in different subnets. You can configure two NAT rules for them: one NAT for ISP1 and another for ISP2. Then there is no need to use "extendable" and both NATs will be active.
I prefer to use PBR instead of a static route, e.g. if the traffic arrives from Ethernet 1 of the router, it will be forwarded to ISP2 by PBR. Otherwise, the traffic will follow the routing table (assume one static route pointing to ISP2 and one floating static pointing to ISP2) to forward the traffic to ISP1.
Hope this helps.
11-13-2006 07:12 PM
Sorry, the statement before the last statement should be "(assume to have one static route and point to ISP1.....)"; it should be ISP1. I assume Ethernet 0 connects to the first LAN card in the mail server and Ethernet 1 connects to the second LAN card in the mail server.
11-17-2006 05:16 AM
I've amended my script to use route maps for the two ISPs to two LANs, but it still isn't playing ball. Here's my latest script:
!This is the running config of the router: 192.168.4.253
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxx
enable password xxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 213.x.128.x
ip name-server 213.x.128.x
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.4.253 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 172.16.0.253 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
pvc 0/38
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map ISP1-map
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map ISP2-map
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
!
router ospf 1
log-adjacency-changes
maximum-paths 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat inside source static tcp 172.16.0.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
!
access-list 130 permit ip 192.168.4.0 0.0.0.255 any
access-list 131 permit ip 172.16.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 131
match ip address 131
match interface Dialer1
set ip next-hop dynamic dhcp
!
route-map ISP1-map permit 130
match ip address 130
match interface Dialer0
set ip next-hop dynamic dhcp
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
password PASSWORD
login local
transport input telnet ssh
line vty 5 15
privilege level 15
password PASSWORD
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
11-17-2006 08:36 AM
You should apply the policy at the incoming interface, i.e. FE0 & FE1, instead of the Dialer interface.
Moreover, you do not need to use two separate access-lists, because all traffic from FE0 is forwarded to Dialer 0, so only one ACL is required, as below:
access-list 100 permit ip any any
or
access-list 1 permit any
then apply the above access-list to the route-map.
Only one FE requires the policy and the other requires a floating static for backup.
i.e. remove route-map ISP1, the corresponding policy at the interface and "ip route 0.0.0.0 0.0.0.0 dialer1"
add "ip route 0.0.0.0 0.0.0.0 dialer 1 200"
It means the traffic from FE0 will follow the routing table (i.e. dialer 0 as next-hop) and the traffic from FE1 will follow the policy to forward to dialer 1. If dialer 0 goes down, the floating static route will appear and all traffic will float to dialer 1. If dialer 1 goes down, the policy will not work and the traffic from FE1 will also flow to dialer 0.
Hope this helps.
11-17-2006 03:09 PM
ip route 0.0.0.0 0.0.0.0 dialer 1 200
This works in a failover environment, but to be honest so did my original script with this route cost.
But what I am trying to achieve is to have incoming connections on both WAN interfaces at the same time.
11-18-2006 07:43 AM
Because you are using policy-based routing, once the next-hop of the PBR is available and the policy is applied on the correct interface, the traffic will be forwarded to the next-hop indicated in the PBR route-map. In other words, once you have configured PBR, it won't follow the routing table. Therefore, no matter whether you have both static routes with no cost parameter, it has no effect.
Please refer to my last post for my idea to make this work. If it is not your preferred operation or traffic flow, please let me know and I will try to propose another one.
Moreover, the routing table or static routes in a router are for OUTGOING traffic only; you cannot control the traffic from the incoming side, so even if you have two static routes at the same cost, the incoming traffic still will not be load-shared.
Hope this helps.
11-18-2006 08:54 AM
I'm guessing Paul needs to add route-maps to his NAT statements, kind of like this:
ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 route-map ISP1-map extendable
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 route-map ISP2-map extendable
And check to see if you are using load-sharing per destination.
I take it you have already checked for 2 default routes in the route table.
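A way to verify the goal the thread is chasing (TCP/25 answering on both WAN addresses at the same time, not just on whichever one the translation happens to be active on), as an added example that is not part of any post in this thread. It connects to each public address, reads the SMTP greeting and reports which addresses actually reach the mail server; the two addresses are the ones quoted in the thread's NAT lines.

```python
import socket

# The two WAN addresses from the thread's static NAT lines; substitute your own.
WAN_ADDRESSES = ["213.218.237.7", "213.218.237.16"]


def parse_banner(raw):
    """Return (code, text) from an SMTP greeting such as b'220 host ESMTP\\r\\n'.
    A 220 code means the server behind the NAT entry is really answering on this
    address; anything else (or no banner) means the translation or the return
    routing for that WAN interface is not in place."""
    line = raw.decode("ascii", "replace").split("\r\n", 1)[0]
    if len(line) < 3 or not line[:3].isdigit():
        return None, line
    return int(line[:3]), line[4:]


def check_smtp(address, port=25, timeout=5.0):
    """Open one TCP session to address:port, read the greeting and quit.
    Returns a dict describing what happened; it never raises."""
    result = {"address": address, "connected": False, "code": None, "banner": ""}
    try:
        with socket.create_connection((address, port), timeout=timeout) as sock:
            result["connected"] = True
            sock.settimeout(timeout)
            code, text = parse_banner(sock.recv(512))
            result["code"], result["banner"] = code, text
            sock.sendall(b"QUIT\r\n")  # close cleanly; the router logs each translation
    except OSError as exc:
        result["error"] = str(exc)
    return result


def check_all(addresses, port=25, timeout=5.0):
    """Probe every WAN address; the goal is met only if all of them return code 220."""
    return {addr: check_smtp(addr, port, timeout) for addr in addresses}


if __name__ == "__main__":
    for addr, r in check_all(WAN_ADDRESSES).items():
        state = "OK" if r["code"] == 220 else "FAIL"
        print(f"{addr}: {state} connected={r['connected']} banner={r['banner']!r}")
```

Run it from outside the LAN (a host on the Internet), since from inside the router will not hairpin the translation; a 220 from one address and a refusal or timeout from the other reproduces exactly the symptom described at the top of the thread.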