NAT with bridge and failover issue

crashdump (Level 1)

I have two ISPs, the main one on Dialer0 and the backup on Fa0/1. I have set up an IP SLA on the ADSL link to check whether it's up or not and then fall back on the second provider link (Fa0/1). Everything works well when the ADSL is down (when the NAT goes through the backup link), but as soon as the ADSL is OK the NAT doesn't want to work. I've tried to NAT overload on BVI1 or on Dialer0 (where I used to do it when there was no bridge); it makes no difference.

I've already done a lot of these setups with two ISPs and it works well, but without the bridge (and I really need it here).

Thank you !

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

FastEthernet0/0            : LAN (nat inside) - Here I plug my laptop with ip 10.0.0.2/24

FastEthernet0/1            : Backup WAN (nat outside)

Dialer0                    : Main WAN (nat outside)

FastEthernet0/1/0 - 3      : WAN Bridge Dialer0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

boot-start-marker

boot system flash c2800nm-adventerprisek9-mz.124-25e.bin

boot-end-marker

!

ip cef

!

ip sla monitor 1

type pathEcho protocol ipIcmpEcho 8.8.4.4

timeout 1000

threshold 3

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type pathEcho protocol ipIcmpEcho 109.159.248.158

timeout 1000

frequency 3

ip sla monitor schedule 2 life forever start-time now

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 101 list boolean or

object 1

object 2

!

bridge irb

!

interface FastEthernet0/0

description LAN /w NAT inet and failover

ip address 10.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description Demon's network 193.195.220.x

ip address 193.195.220.236 255.255.255.240

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/2/0

switchport access vlan 2

!

interface FastEthernet0/2/1

switchport access vlan 2

!

interface FastEthernet0/2/2

switchport access vlan 2

!

interface FastEthernet0/2/3

switchport access vlan 2

!

interface ATM0/1/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

atm restart timer 300

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/1/0.1 point-to-point

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Vlan1

no ip address

!

interface Vlan2

description BT's network 217.36.70.x

no ip address

no ip unreachables

ip tcp adjust-mss 1452

bridge-group 1

!

interface Dialer0

ip unnumbered BVI1

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname XXXXXXXXXX

ppp chap password 7 XXXXXXXXXX

ppp pap sent-username XXXXXXXXX password 7 XXXXXXXXXX

!

interface BVI1

description BT's network 217.36.70.x

ip address 217.36.70.157 255.255.255.248

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0 track 101

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250

ip route 8.8.4.4 255.255.255.255 Dialer0

ip route 109.159.248.158 255.255.255.255 Dialer0

!

!

ip nat inside source route-map isp1 interface BVI1 overload

ip nat inside source route-map isp2 interface FastEthernet0/1 overload

!

ip access-list extended LAN_RANGE

permit ip 10.0.0.0 0.0.0.255 any

!

route-map isp2 permit 10

match ip address LAN_RANGE

match interface FastEthernet0/1

!

route-map isp1 permit 10

match ip address LAN_RANGE

match interface BVI1

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

!

end

25 Replies

What is the default gateway address for "main wan"? It needs to be configured as the default route.

Ok, the gateway is 217.32.141.129, so I've set

ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129

ip default-gateway 217.32.141.129

but it still doesn't work. I can't ping 217.36.70.157 from a laptop on a Fe0/2/x interface.

Here is my updated config for information:

version 12.4

!

ip cef

!

(snipped track stuff here)

!

interface FastEthernet0/0

description LAN /w NAT inet and failover

ip address 10.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description Demon's network 193.195.220.x

ip address 193.195.220.236 255.255.255.240

ip nat outside

ip virtual-reassembly

!

interface FastEthernet0/2/0

!

interface FastEthernet0/2/1

!

interface FastEthernet0/2/2

!

interface FastEthernet0/2/3

!

interface ATM0/1/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

atm restart timer 300

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/1/0.1 point-to-point

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

interface Vlan1

description BT's network 217.36.70.x

no ip address

!

interface Dialer0

ip address 217.36.70.157 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxx

ppp chap password 7 xxx

ppp pap sent-username xxx password 7 xxx

!

ip default-gateway 217.32.141.129

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250

!

ip nat inside source route-map isp1 interface Dialer0 overload

ip nat inside source route-map isp2 interface FastEthernet0/1 overload

!

ip access-list extended LAN_RANGE

permit ip 10.0.0.0 0.0.0.255 any

!

route-map isp2 permit 10

match ip address LAN_RANGE

match interface FastEthernet0/1

!

route-map isp1 permit 10

match ip address LAN_RANGE

match interface Dialer0

!

end

Again, if you have a regular ethernet connection, dialer does not apply, and vice-versa.

Please clarify and post here all the connection details as have been given to you by ISP.

Here is a small explanation; I hope you will understand it better that way.

                        ____________
                       |            |
LAN (nated access to --|- Fa0/0     |
internet 10.0.0.0/24)  |            |
                       |     Fa0/1 -|-- (193.195.220.236)
                       |            | --Provider backup ----->
                       |            |
                       |            | ----- Main ISP ------>
                       |  ATM0/1/0 -|-- (217.36.70.157) ADSL PPPoE
                       |            |    217.36.70.152/29
                       |            |   (GW: 217.32.141.129)
Servers on the BT's  --|- Fa0/2/0-3 |
      Subnet           |____________|

I'll use the 10.0.0.0/24 network for computers to access internet through NAT

I'll use the 4 port WIC module to connect some servers directly on the main isp network

NAT will failover on the Fa0/1 if the ADSL is down.

I understand all that. I was thinking you had ethernet from BT; now I realize you have ADSL instead.

The next question is whether BT gives you a separate address for terminating PPP; let's assume for now they don't.

So based on the last config you sent, change:

interface Vlan1

ip address 217.36.70.157 255.255.255.248

interface Dialer0

ip unnumbered vlan1

ppp ipcp route default

no ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129

And please take "debug ppp neg" with "term mon" when you connect ADSL

Ok, here is the result:

...

*Jul 25 13:06:19.887: Vi2 CHAP: I SUCCESS id 1 len 43 msg is "CHAP authentication success, unit 14144"

*Jul 25 13:06:19.887: Vi2 PPP: Phase is FORWARDING, Attempting Forward

*Jul 25 13:06:19.887: Vi2 PPP: Queue IPCP code[1] id[204]

*Jul 25 13:06:19.887: Vi2 PPP: Phase is ESTABLISHING, Finish LCP

*Jul 25 13:06:19.887: Vi2 PPP: Phase is UP

*Jul 25 13:06:19.887: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10

*Jul 25 13:06:19.887: Vi2 IPCP:    Address 217.36.70.157 (0x0306D924469D)

*Jul 25 13:06:19.887: Vi2 PPP: Process pending ncp packets

*Jul 25 13:06:19.887: Vi2 IPCP: Redirect packet to Vi2

*Jul 25 13:06:19.887: Vi2 IPCP: I CONFREQ [REQsent] id 204 len 10

*Jul 25 13:06:19.887: Vi2 IPCP:    Address 217.32.141.129 (0x0306D9208D81)

*Jul 25 13:06:19.887: Vi2 IPCP: O CONFACK [REQsent] id 204 len 10

*Jul 25 13:06:19.891: Vi2 IPCP:    Address 217.32.141.129 (0x0306D9208D81)

*Jul 25 13:06:19.915: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10

*Jul 25 13:06:19.915: Vi2 IPCP:    Address 86.140.19.226 (0x0306568C13E2)

*Jul 25 13:06:19.915: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 4

*Jul 25 13:06:19.943: Vi2 IPCP: I CONFNAK [ACKsent] id 2 len 10

*Jul 25 13:06:19.943: Vi2 IPCP:    Address 86.140.19.226 (0x0306568C13E2)

*Jul 25 13:06:19.943: Vi2 IPCP: Ignoring unrequested options!

*Jul 25 13:06:19.943: Vi2 IPCP: O CONFREQ [ACKsent] id 3 len 4

*Jul 25 13:06:19.967: Vi2 IPCP: I CONFACK [ACKsent] id 3 len 4

*Jul 25 13:06:19.967: Vi2 IPCP: State is Open

*Jul 25 13:06:19.971: Di0 IPCP: Install default route thru 217.32.141.129

*Jul 25 13:06:19.971: Di0 IPCP: Install route to 217.32.141.129

*Jul 25 13:06:19.971: Vi2 IPCP: Add link info for cef entry 217.32.141.129

*Jul 25 13:06:20.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0/0/0, changed state to up

Thanks.
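The diagnostic signal in the debug output above is the peer's I CONFNAK: the router offers 217.36.70.157 in its O CONFREQ, and BT answers with a different address (86.140.19.226), which is exactly the case `ip address negotiated` handles. The following parser is an added example (not from the thread or from Cisco) that extracts that mismatch from `debug ppp negotiation` lines; the sample log is a subset of the lines posted above, embedded as constructed input.

```python
import re

# Constructed sample: a subset of the "debug ppp negotiation" lines posted above.
SAMPLE_LOG = """\
*Jul 25 13:06:19.887: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
*Jul 25 13:06:19.887: Vi2 IPCP:    Address 217.36.70.157 (0x0306D924469D)
*Jul 25 13:06:19.887: Vi2 IPCP: I CONFREQ [REQsent] id 204 len 10
*Jul 25 13:06:19.887: Vi2 IPCP:    Address 217.32.141.129 (0x0306D9208D81)
*Jul 25 13:06:19.887: Vi2 IPCP: O CONFACK [REQsent] id 204 len 10
*Jul 25 13:06:19.891: Vi2 IPCP:    Address 217.32.141.129 (0x0306D9208D81)
*Jul 25 13:06:19.915: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Jul 25 13:06:19.915: Vi2 IPCP:    Address 86.140.19.226 (0x0306568C13E2)
*Jul 25 13:06:19.915: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 4
*Jul 25 13:06:19.967: Vi2 IPCP: I CONFACK [ACKsent] id 3 len 4
*Jul 25 13:06:19.967: Vi2 IPCP: State is Open
"""

PKT_RE = re.compile(r"IPCP: ([IO]) (CONF\w+) \[\w+\] id (\d+) len (\d+)")
ADDR_RE = re.compile(r"IPCP:\s+Address (\d+\.\d+\.\d+\.\d+)")


def parse_ipcp(log: str) -> list:
    """Group each IPCP packet line with the Address option line that follows it."""
    packets = []
    for line in log.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append({"dir": m.group(1), "code": m.group(2),
                            "id": int(m.group(3)), "addr": None})
            continue
        a = ADDR_RE.search(line)
        if a and packets:
            packets[-1]["addr"] = a.group(1)   # option belongs to the preceding packet
    return packets


def check_address_negotiation(log: str) -> dict:
    """Compare the address we offered in O CONFREQ with what the peer sent back.
    An I CONFNAK with a different address for the same id means the ISP rejected the
    statically configured address: the signature that 'ip address negotiated' is needed."""
    pkts = parse_ipcp(log)
    offered = {p["id"]: p["addr"]
               for p in pkts if p["dir"] == "O" and p["code"] == "CONFREQ" and p["addr"]}
    result = {"offered": None, "assigned": None, "peer": None, "mismatch": False}
    for p in pkts:
        if p["dir"] == "I" and p["code"] == "CONFREQ" and p["addr"]:
            result["peer"] = p["addr"]          # the peer's own address (PPP gateway)
        elif p["dir"] == "I" and p["code"] == "CONFNAK" and p["addr"] and p["id"] in offered:
            result["offered"] = offered[p["id"]]
            result["assigned"] = p["addr"]
            result["mismatch"] = p["addr"] != offered[p["id"]]
    return result
```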

I think that BT wants you to have "ip address negotiated" under dialer0; however, can you now ping 217.32.141.129 from the router or from devices on vlan 1?

Said devices will have default-gateway 217.36.70.157 and must be able to ping it.

Everything works but the NAT. It's odd.

I'm starting to think it's not feasible.

Can you try

int dialer0

ip address negotiated

No other changes.

It works. Thank you a lot Paolo!

Finally you were right: with "ip address negotiated" BT assigned me a completely different IP on the dialer. The subnet also works nicely, and this way the router is not lost anymore with the NAT. Brilliant!

Where do I send the coffee?

Again, thank you.

Here is the final complete config with all the stuff for the NAT, SLA failover, etc. (It's for information if someone needs it one day, like me.)

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname inet-failover-rt

!

boot-start-marker

boot system flash c2800nm-adventerprisek9-mz.124-25e.bin

boot-end-marker

!

logging buffered 51200 debugging

logging console critical

enable secret 5 XXXXXXXXXX

!

no aaa new-model

!

ip cef

!

no ip bootp server

no ip domain lookup

ip domain name aac-services.co.uk

ip name-server 62.6.40.162

ip name-server 194.74.65.69

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip sla monitor 1

type pathEcho protocol ipIcmpEcho 8.8.4.4

timeout 999

threshold 500

owner GOOGLE DNS

frequency 2

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type pathEcho protocol ipIcmpEcho 193.0.14.129

timeout 999

threshold 500

owner RIPE DNS

frequency 2

ip sla monitor schedule 2 life forever start-time now

!

!

username admin privilege 15 password 7 XXXXXXXXXX

archive

log config

  hidekeys

!

ip tcp synwait-time 10

ip ssh authentication-retries 2

ip ssh logging events

ip ssh version 2

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 3 interface ATM0/2/0 line-protocol

!

track 10 list boolean or

object 1

object 2

!

track 101 list boolean and

object 3

object 10

!

track 102 interface FastEthernet0/1 line-protocol

!

interface FastEthernet0/0

description ***** LAN ******

ip address 10.10.10.1 255.255.255.0

ip access-group FW-LAN-IN in

ip access-group FW-LAN-OUT out

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description ***** Demon's Backup Broadband *****

ip address 193.195.220.236 255.255.255.240

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/0/0

!

interface FastEthernet0/0/1

!

interface FastEthernet0/0/2

!

interface FastEthernet0/0/3

!

interface ATM0/2/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

atm restart timer 300

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/2/0.1 point-to-point

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Vlan1

description ***** BT network *****

ip address 217.36.70.157 255.255.255.248

!

interface Dialer0

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname XXXXXXXXXX

ppp chap password 7 XXXXXXXXXX

ppp pap sent-username XXXXXXXXXX password 7 XXXXXXXXXX

!

ip default-gateway 217.36.70.157

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0 track 101

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250 track 102

ip route 8.8.4.4 255.255.255.255 Dialer0

ip route 193.0.14.129 255.255.255.255 Dialer0

!

no ip http server

no ip http secure-server

ip nat inside source route-map ISP_1 interface Dialer0 overload

ip nat inside source route-map ISP_2 interface FastEthernet0/1 overload

!

ip access-list extended FW-LAN-IN

permit icmp any any

permit tcp any gt 1024 any eq 22

permit tcp any gt 1024 any eq www

permit tcp any gt 1024 any eq 443

permit tcp any gt 1024 any eq domain

permit udp any gt 1024 any eq domain

deny   ip any any log

ip access-list extended FW-LAN-OUT

permit icmp any any

permit tcp any eq 22 any gt 1024

permit tcp any eq www any gt 1024

permit tcp any eq 443 any gt 1024

permit tcp any eq domain any gt 1024

permit udp any eq domain any gt 1024

ip access-list extended LAN_RANGE

permit ip 10.10.10.0 0.0.0.255 any

!

route-map ISP_1 permit 10

match ip address LAN_RANGE

match interface Dialer0

!

route-map ISP_2 permit 10

match ip address LAN_RANGE

match interface FastEthernet0/1

!

control-plane

!

line con 0

line aux 0

line vty 0 4

login local

transport input ssh

line vty 5 15

login local

transport input ssh

!

scheduler allocate 20000 1000

!

end
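To see how the pieces of the final config above fit together (the boolean track objects, the two tracked default routes with different administrative distances, and the `match interface` route-maps that tie each NAT translation to the active egress), here is an added Python model; it is example code written for this page, not IOS output or Cisco's code. The placeholder "DIALER-NEGOTIATED" stands in for whatever address BT assigns to Dialer0, and 217.36.70.154 is a constructed server address in the BT /29.

```python
import ipaddress

# Model of the final config above (constructed example, not IOS output).
LAN_RANGE = ipaddress.ip_network("10.10.10.0/24")   # ip access-list extended LAN_RANGE
FA01_ADDR = "193.195.220.236"                       # ip address on FastEthernet0/1

# (egress interface, administrative distance, tracked object) for the two default routes
STATIC_DEFAULTS = [("Dialer0", 1, 101), ("FastEthernet0/1", 250, 102)]


def tracks(sla1_ok: bool, sla2_ok: bool, atm_up: bool, fa01_up: bool) -> dict:
    """Evaluate the track objects: 10 = 1 or 2, 101 = 3 and 10, 102 = Fa0/1 line-protocol."""
    t = {1: sla1_ok, 2: sla2_ok, 3: atm_up, 102: fa01_up}
    t[10] = t[1] or t[2]       # one probe target failing alone does not trigger failover
    t[101] = t[3] and t[10]    # ATM line protocol down or both probes failing does
    return t


def select_egress(t: dict):
    """Lowest administrative distance among default routes whose track object is up."""
    candidates = [(ad, iface) for iface, ad, obj in STATIC_DEFAULTS if t[obj]]
    return min(candidates)[1] if candidates else None


def nat_source(src_ip: str, egress, dialer_addr: str):
    """Apply route-maps ISP_1 / ISP_2: LAN_RANGE hosts are overloaded onto the address of
    whichever interface the packet actually leaves on; anything else (e.g. the BT /29
    servers on Vlan1) is routed untranslated. Returns None when there is no route."""
    if egress is None:
        return None
    if ipaddress.ip_address(src_ip) not in LAN_RANGE:
        return src_ip
    if egress == "Dialer0":
        return dialer_addr      # ISP_1: match interface Dialer0 (negotiated address)
    if egress == "FastEthernet0/1":
        return FA01_ADDR        # ISP_2: match interface FastEthernet0/1
    return src_ip


def forward(src_ip, sla1_ok, sla2_ok, atm_up, fa01_up, dialer_addr="DIALER-NEGOTIATED"):
    """Return (egress interface, translated source) for one LAN-originated flow."""
    egress = select_egress(tracks(sla1_ok, sla2_ok, atm_up, fa01_up))
    return egress, nat_source(src_ip, egress, dialer_addr)
```

The model shows why the route-maps match on the egress interface: the translation is chosen by the same routing decision that the track objects drive, so a failover never leaves a LAN flow translated to the address of the dead link.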

We should have tried that at the beginning, it's a common configuration.

Thank you for the nice rating and good luck!
