07-23-2012 05:54 AM - edited 03-04-2019 05:02 PM
I have two ISPs, the main on Dialer0 and the backup on Fa0/1.
I have set up an ip sla on the ADSL link to check if it's up
or not and then fall back on the second provider link (fa0/1).
Everything works well when the ADSL is down (when the nat goes
through the backup link) but as soon as the ADSL is ok the
NAT doesn't want to work. I've tried to nat overload on BVI1
or on Dialer0 (as I used to do when there was no bridge);
it makes no difference.
I've already done a lot of these setups with two ISPs and it
works well, but without the bridge (and I really need it here).
Thank you !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FastEthernet0/0 : LAN (nat inside) - Here I plug my laptop with ip 10.0.0.2/24
FastEthernet0/1 : Backup WAN (nat outside)
Dialer0 : Main WAN (nat outside)
FastEthernet0/1/0 - 3 : WAN Bridge Dialer0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-25e.bin
boot-end-marker
!
ip cef
!
ip sla monitor 1
type pathEcho protocol ipIcmpEcho 8.8.4.4
timeout 1000
threshold 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type pathEcho protocol ipIcmpEcho 109.159.248.158
timeout 1000
frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 101 list boolean or
object 1
object 2
!
bridge irb
!
interface FastEthernet0/0
description LAN /w NAT inet and failover
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Demon's network 193.195.220.x
ip address 193.195.220.236 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
switchport access vlan 2
!
interface FastEthernet0/2/1
switchport access vlan 2
!
interface FastEthernet0/2/2
switchport access vlan 2
!
interface FastEthernet0/2/3
switchport access vlan 2
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Vlan1
no ip address
!
interface Vlan2
description BT's network 217.36.70.x
no ip address
no ip unreachables
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
ip unnumbered BVI1
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXX
ppp chap password 7 XXXXXXXXXX
ppp pap sent-username XXXXXXXXX password 7 XXXXXXXXXX
!
interface BVI1
description BT's network 217.36.70.x
ip address 217.36.70.157 255.255.255.248
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 track 101
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250
ip route 8.8.4.4 255.255.255.255 Dialer0
ip route 109.159.248.158 255.255.255.255 Dialer0
!
!
ip nat inside source route-map isp1 interface BVI1 overload
ip nat inside source route-map isp2 interface FastEthernet0/1 overload
!
ip access-list extended LAN_RANGE
permit ip 10.0.0.0 0.0.0.255 any
!
route-map isp2 permit 10
match ip address LAN_RANGE
match interface FastEthernet0/1
!
route-map isp1 permit 10
match ip address LAN_RANGE
match interface BVI1
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
end
07-24-2012 02:26 AM
What is the default gateway address for "main wan" ? It needs to be configured as the default route.
07-24-2012 03:53 AM
Ok, the gateway is 217.32.141.129, so I've set
ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129
ip default-gateway 217.32.141.129
but still doesn't work. I can't ping 217.36.70.157 from a laptop on a Fe0/2/x int
Here is my updated config for information:
version 12.4
!
ip cef
!
(snipped track stuff here)
!
interface FastEthernet0/0
description LAN /w NAT inet and failover
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
description Demon's network 193.195.220.x
ip address 193.195.220.236 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/2/0
!
interface FastEthernet0/2/1
!
interface FastEthernet0/2/2
!
interface FastEthernet0/2/3
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Vlan1
description BT's network 217.36.70.x
no ip address
!
interface Dialer0
ip address 217.36.70.157 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xxx
!
ip default-gateway 217.32.141.129
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250
!
ip nat inside source route-map isp1 interface Dialer0 overload
ip nat inside source route-map isp2 interface FastEthernet0/1 overload
!
ip access-list extended LAN_RANGE
permit ip 10.0.0.0 0.0.0.255 any
!
route-map isp2 permit 10
match ip address LAN_RANGE
match interface FastEthernet0/1
!
route-map isp1 permit 10
match ip address LAN_RANGE
match interface Dialer0
!
end
07-24-2012 05:58 AM
Again, if you have a regular Ethernet connection, the dialer does not apply, and vice-versa.
Please clarify and post here all the connection details as they have been given to you by the ISP.
07-24-2012 06:59 AM
Here is a small explanation, I hope you will understand better like that
                          ____________
                         |            |
LAN (nated access to   --|- Fa0/0     |
internet 10.0.0.0/24)    |            |
                         |     Fa0/1 -|-- (193.195.220.236)
                         |            |   --Provider backup ----->
                         |            |
                         |            |   ----- Main ISP ------>
                         |  ATM0/1/0 -|-- (217.36.70.157) ADSL PPPoE
                         |            |   217.36.70.152/29
                         |            |   (GW: 217.32.141.129)
Servers on the BT's    --|- Fa0/2/0-3 |
Subnet                   |____________|
I'll use the 10.0.0.0/24 network for computers to access internet through NAT
I'll use the 4 port WIC module to connect some servers directly on the main isp network
NAT will failover on the Fa0/1 if the ADSL is down.
07-24-2012 10:47 AM
I understand all that. I was thinking you had ethernet from BT, now I realize you have ADSL instead.
The next question is if BT gives you a separate address for terminating PPP; let's assume for now they don't.
So based on the last config you sent, change:
interface Vlan1
ip address 217.36.70.157 255.255.255.248
interface Dialer0
ip unnumbered vlan1
ppp ipcp route default
no ip route 0.0.0.0 0.0.0.0 Dialer0 217.32.141.129
And please take "debug ppp neg" with "term mon" when you connect ADSL
07-25-2012 05:38 AM
Ok, here is the result:
...
*Jul 25 13:06:19.887: Vi2 CHAP: I SUCCESS id 1 len 43 msg is "CHAP authentication success, unit 14144"
*Jul 25 13:06:19.887: Vi2 PPP: Phase is FORWARDING, Attempting Forward
*Jul 25 13:06:19.887: Vi2 PPP: Queue IPCP code[1] id[204]
*Jul 25 13:06:19.887: Vi2 PPP: Phase is ESTABLISHING, Finish LCP
*Jul 25 13:06:19.887: Vi2 PPP: Phase is UP
*Jul 25 13:06:19.887: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
*Jul 25 13:06:19.887: Vi2 IPCP: Address 217.36.70.157 (0x0306D924469D)
*Jul 25 13:06:19.887: Vi2 PPP: Process pending ncp packets
*Jul 25 13:06:19.887: Vi2 IPCP: Redirect packet to Vi2
*Jul 25 13:06:19.887: Vi2 IPCP: I CONFREQ [REQsent] id 204 len 10
*Jul 25 13:06:19.887: Vi2 IPCP: Address 217.32.141.129 (0x0306D9208D81)
*Jul 25 13:06:19.887: Vi2 IPCP: O CONFACK [REQsent] id 204 len 10
*Jul 25 13:06:19.891: Vi2 IPCP: Address 217.32.141.129 (0x0306D9208D81)
*Jul 25 13:06:19.915: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
*Jul 25 13:06:19.915: Vi2 IPCP: Address 86.140.19.226 (0x0306568C13E2)
*Jul 25 13:06:19.915: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 4
*Jul 25 13:06:19.943: Vi2 IPCP: I CONFNAK [ACKsent] id 2 len 10
*Jul 25 13:06:19.943: Vi2 IPCP: Address 86.140.19.226 (0x0306568C13E2)
*Jul 25 13:06:19.943: Vi2 IPCP: Ignoring unrequested options!
*Jul 25 13:06:19.943: Vi2 IPCP: O CONFREQ [ACKsent] id 3 len 4
*Jul 25 13:06:19.967: Vi2 IPCP: I CONFACK [ACKsent] id 3 len 4
*Jul 25 13:06:19.967: Vi2 IPCP: State is Open
*Jul 25 13:06:19.971: Di0 IPCP: Install default route thru 217.32.141.129
*Jul 25 13:06:19.971: Di0 IPCP: Install route to 217.32.141.129
*Jul 25 13:06:19.971: Vi2 IPCP: Add link info for cef entry 217.32.141.129
*Jul 25 13:06:20.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0/0/0, changed state to up
Thanks.
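Added example, not part of the original posts: the IPCP lines in the debug output above can be read mechanically to see which address each side asked for. This Python code parses `debug ppp negotiation` IPCP lines and reports when the peer answers the router's address request with a CONFNAK carrying a different address; the function names and the trimmed sample excerpt are this example's own.

```python
import re

# Excerpt of the IPCP lines from the debug output posted above (timestamps trimmed).
SAMPLE = """\
Vi2 IPCP: O CONFREQ [Closed] id 1 len 10
Vi2 IPCP: Address 217.36.70.157 (0x0306D924469D)
Vi2 IPCP: I CONFREQ [REQsent] id 204 len 10
Vi2 IPCP: Address 217.32.141.129 (0x0306D9208D81)
Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
Vi2 IPCP: Address 86.140.19.226 (0x0306568C13E2)
Vi2 IPCP: O CONFREQ [ACKsent] id 3 len 4
Vi2 IPCP: I CONFACK [ACKsent] id 3 len 4
"""

HDR = re.compile(r"IPCP: ([IO]) (CONF(?:REQ|ACK|NAK|REJ)) \[\w+\] id (\d+)")
ADDR = re.compile(r"IPCP:\s+Address (\d{1,3}(?:\.\d{1,3}){3})")

def parse_ipcp(text):
    """Return IPCP packets as dicts; an Address option line attaches to the packet before it."""
    packets = []
    for line in text.splitlines():
        if m := HDR.search(line):
            packets.append({"dir": m[1], "code": m[2], "id": int(m[3]), "addr": None})
        elif (m := ADDR.search(line)) and packets:
            packets[-1]["addr"] = m[1]
    return packets

def summarize(packets):
    """Report the address the router asked for, what the peer NAKed it with, and what was ACKed."""
    sent = {p["id"]: p["addr"] for p in packets if (p["dir"], p["code"]) == ("O", "CONFREQ")}
    res = {"requested": None, "peer": None, "peer_proposed": None, "acked_local": None}
    for p in packets:
        key = (p["dir"], p["code"])
        if key == ("O", "CONFREQ") and res["requested"] is None:
            res["requested"] = p["addr"]        # address the router asked to use
        elif key == ("I", "CONFREQ"):
            res["peer"] = p["addr"]             # the ISP's end of the PPP link
        elif key == ("I", "CONFNAK") and p["addr"]:
            res["peer_proposed"] = p["addr"]    # address the ISP wants the router to use
        elif key == ("I", "CONFACK"):
            res["acked_local"] = sent.get(p["id"])  # what the ACKed request carried
    # True when the peer proposed an address the router never adopted in an ACKed request.
    res["address_overridden"] = bool(res["peer_proposed"]) and res["acked_local"] != res["peer_proposed"]
    return res

if __name__ == "__main__":
    print(summarize(parse_ipcp(SAMPLE)))
```
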
07-25-2012 07:39 AM
I think that BT wants you to have "ip address negotiated" under dialer0; however, can you now ping 217.32.141.129 from the router or devices on vlan 1?
Said devices will have default-gateway 217.36.70.157 and must be able to ping it.
07-27-2012 05:25 AM
Everything works but the NAT. It's odd.
I'm starting to think it's not feasible.
07-27-2012 10:30 AM
Can you try
int dialer0
ip address negotiated.
No other changes.
07-30-2012 05:36 AM
It works. Thank you a lot Paolo !
Finally you were right, with "ip address negotiated" BT assigned me a completely different ip on the dialer. The subnet also works nicely and this way the router is not lost anymore with the NAT. Brilliant !
Where do I send the coffee ?
Again, thank you.
Here is the final complete config with all the stuff for the nat, sla failover, etc. (it's for information, if someone needs it one day, like me)
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname inet-failover-rt
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-25e.bin
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXX
!
no aaa new-model
!
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name aac-services.co.uk
ip name-server 62.6.40.162
ip name-server 194.74.65.69
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type pathEcho protocol ipIcmpEcho 8.8.4.4
timeout 999
threshold 500
owner GOOGLE DNS
frequency 2
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type pathEcho protocol ipIcmpEcho 193.0.14.129
timeout 999
threshold 500
owner RIPE DNS
frequency 2
ip sla monitor schedule 2 life forever start-time now
!
!
username admin privilege 15 password 7 XXXXXXXXXX
archive
log config
hidekeys
!
ip tcp synwait-time 10
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 interface ATM0/2/0 line-protocol
!
track 10 list boolean or
object 1
object 2
!
track 101 list boolean and
object 3
object 10
!
track 102 interface FastEthernet0/1 line-protocol
!
interface FastEthernet0/0
description ***** LAN ******
ip address 10.10.10.1 255.255.255.0
ip access-group FW-LAN-IN in
ip access-group FW-LAN-OUT out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description ***** Demon's Backup Broadband *****
ip address 193.195.220.236 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Vlan1
description ***** BT network *****
ip address 217.36.70.157 255.255.255.248
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXX
ppp chap password 7 XXXXXXXXXX
ppp pap sent-username XXXXXXXXXX password 7 XXXXXXXXXX
!
ip default-gateway 217.36.70.157
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 track 101
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 193.195.220.225 250 track 102
ip route 8.8.4.4 255.255.255.255 Dialer0
ip route 193.0.14.129 255.255.255.255 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP_1 interface Dialer0 overload
ip nat inside source route-map ISP_2 interface FastEthernet0/1 overload
!
ip access-list extended FW-LAN-IN
permit icmp any any
permit tcp any gt 1024 any eq 22
permit tcp any gt 1024 any eq www
permit tcp any gt 1024 any eq 443
permit tcp any gt 1024 any eq domain
permit udp any gt 1024 any eq domain
deny ip any any log
ip access-list extended FW-LAN-OUT
permit icmp any any
permit tcp any eq 22 any gt 1024
permit tcp any eq www any gt 1024
permit tcp any eq 443 any gt 1024
permit tcp any eq domain any gt 1024
permit udp any eq domain any gt 1024
ip access-list extended LAN_RANGE
permit ip 10.10.10.0 0.0.0.255 any
!
route-map ISP_1 permit 10
match ip address LAN_RANGE
match interface Dialer0
!
route-map ISP_2 permit 10
match ip address LAN_RANGE
match interface FastEthernet0/1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
07-30-2012 11:28 AM
We should have tried that at the beginning, it's a common configuration.
Thank you for the nice rating and good luck!