eedlee asked on

Nat, T1, dhcp and failover wan

I've posted this in other threads, but I'm starting a new one because the config is apparently more complicated than I've made it sound, and I haven't followed up well in the past:

The client below has a T1 CSU/DSU serial 0/0 interface, with an IP for the line and a different IP for the internal LAN interface. I need to make this switch over to NAT (there's a SonicWall firewall attached to Fast 0/1 which can be easily modified). However, I also need to be able to automatically use the cable provider's DHCP-assigned secondary interface, if and only if the T1 is down (not load balancing).

Please check out what I have below which works fine for simply allowing the firewall to connect to the serial interface. How can I make this work as described above?

!
interface FastEthernet0/0
 description LAN/Sonicwall Ethernet
 ip address 10.10.178.161 255.255.255.240
!
interface Serial0/0
 description WAN T1
 ip address 10.10.24.30 255.255.255.252
 service-module t1 timeslots 1-24
 mtu 2048
!
interface FastEthernet0/1
 description WAN Cable
 ip address dhcp
 no mop enabled
!
router rip
 version 2
 network 10.0.0.0
!
ip default-gateway 165.254.24.30
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10
ip http server

The LAN and WAN IPs are on different subnets as specified by the provider. How do I make this work when converting to NAT, thereby assigning an internal IP to the FE0/1?
The internal LAN IP of the firewall is 192.168.0.1, so I would probably use that subnet for the router network.

MarkDozier
Set the secondary interface with a higher administrative distance. This makes the T1 the static route and the other the floating static route, so when the T1 goes down the other route will take over.

eedlee (ASKER)
What I'm looking for is a full set of code for this config. I've tried several implementations and can easily get the router to ping out the 2nd interface if the first is down, but the firewall is having trouble pinging the router and beyond once I switch to NAT. Seems I need some nat lessons.
You have nat inside and NAT outside. What are the rest of the NAT commands you have in the config?

eedlee (ASKER)

Please refer to this thread for suggestions I have received to date, which have not worked out:
https://www.experts-exchange.com/questions/21081016/2611-Nat-with-DHCP.html
Please post a rough sketch of your configuration, including router, firewall, internal net, etc.

I think there has been some confusion over how you have this all connected.
Are you doing NAT at the firewall, or at the router? I don't see any NAT at all in your partial router config above, and that may be the problem....

In order for the fail-over to the backup interface to work, the rest of the world needs to know that that interface is where to send traffic for you. The "standard" way to do that is with BGP, and if you're hosting servers then you may not have many other choices.

But if your internal network is all clients, then there's an easy way for this to happen, and that's for your traffic to get NATted differently when it goes out the secondary route.  And since the secondary route is at the router and not the firewall, that's where this NAT has to take place.
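The arrangement described in the reply above (the T1 as the preferred static route, the cable interface as a floating static route, and outbound traffic NATted to whichever WAN interface it actually leaves on) is normally built in IOS with interface-matching route-maps. The configuration below is an added example and is not the thread's own config or the accepted solution; it reuses the addresses from the thread (the T1 address, 192.168.0.3 for F0/0 and 192.168.0.2 for the SonicWall WAN port from eedlee's later post), while the ACL number, route-map names and the inside-LAN placeholder are assumptions.

```cisco
! Added example: NAT on the router with T1 preferred and cable as a floating backup.
! The SonicWall WAN port is assumed to be 192.168.0.2 with 192.168.0.3 as its gateway.
interface FastEthernet0/0
 description LAN/Sonicwall Ethernet
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description WAN T1
 ip address 10.10.24.30 255.255.255.252
 ip nat outside
 service-module t1 timeslots 1-24
!
interface FastEthernet0/1
 description WAN Cable
 ip address dhcp
 ip nat outside
 no mop enabled
!
! Preferred default via the T1 (AD 1); floating static via cable (AD 10).
! Note: "ip address dhcp" also installs a DHCP-learned default route, but at AD 254,
! so it only becomes active if both static routes are withdrawn.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10
!
! If the SonicWall stops NATting itself, the router must know how to reach the
! firewall's inside network; replace the placeholder with the real subnet and
! add that subnet to access-list 1 as well.
! ip route <INSIDE_LAN> <INSIDE_MASK> 192.168.0.2
!
! Inside hosts that may be translated (assumed: the 192.168.0.0/24 transit net).
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Each route-map matches the same inside hosts but a different egress interface,
! so a flow is translated to the address of the interface it actually leaves on.
route-map NAT-T1 permit 10
 match ip address 1
 match interface Serial0/0
!
route-map NAT-CABLE permit 10
 match ip address 1
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-CABLE interface FastEthernet0/1 overload
```

The `router rip` and `ip default-gateway` lines from the posted config are left out on purpose: `ip default-gateway` only takes effect when IP routing is disabled, and RIP advertising 10.0.0.0 toward the ISP has no role in this design. With this layout, a host behind the SonicWall is translated to the T1 address while Serial0/0 is up and to the DHCP-assigned cable address once the floating route takes over.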

eedlee (ASKER)
Here's some total clarification:
1) the above config is what is working, allowing the router and firewall to communicate and internet traffic to flow in and out. Whenever I try to change this config to NAT, even modifying the firewall's WAN address, it fails to allow packets to and from the firewall. The router seems to be handling the flow OK.

What I am looking for is a config. I have tried those printed at the above link to no avail.

Here is a basic diagram:

192.168.0.1 - LAN (Firewall) WAN - 10.10.178.162   (this can be modified to a non-nat firewall, aka 192.168.0.2 WAN)
10.10.178.161 - FE0/0 >LAN (ROUTER) WAN< SER1 - 10.10.24.30  - FE0/1 DHCP
The ISP has provided the IP addresses for SER1 (t1-csu-wic) and FE0/0
DHCP is required for FE0/0  from the local Cable monopoly provider. The address range is typically 24.30.x.x
Currently, data from S1 flows across to FE0/1 without issues. It is not properly configured to failover or perform NAT. I would like it to be able to failover. But without NAT the firewall will fail to communicate with the DHCP FE0/0 INT due to IP range. Unless someone can figure out a clever way to get the Firewall to talk to FE0/0, I would likely need NAT.

Any comments are welcome. I am not expecting instant answers. And if you can't tell, I am no higher than a CCDA, and five years ago at that. Don't do a lot of programming these days.

eedlee (ASKER)
Correction to the above statement:
Currently, data from S1 flows across to FE0/0 LAN without issues. It is not properly configured to failover or perform NAT. I would like it to be able to failover. But without NAT the firewall will fail to communicate with the DHCP FE0/1 WAN due to IP range. Unless someone can figure out a clever way to get the Firewall/FE0/0 LAN to talk to FE0/1, I would likely need NAT.

Are these actual IPs from your ISP for F0/0 and S0/0? Or have you changed them to protect the innocent? It's a bit confusing as they are not public IPs...

And are you then currently NATing your internal network behind the Sonicwall's Ethernet address (10.10.178.162)?

I see there is no route on the router telling it how to communicate with your internal network.  That may have been your problem when you moved NAT to the router.  
eedlee (ASKER)
Yes they are public IPs and have been changed. The last two octets are real.
The Sonicwall currently provides the NAT. I tried switching to nat inside/outside statements on the router and setting F0/0 to 192.168.0.3 and the Sonicwall to 192.168.0.2 (WAN port), but this did not work, probably because of the ISP's requirements for IP addresses. Which means I don't know how to translate it either. It's a bit over my head.

ASKER CERTIFIED SOLUTION
bfarmer

This solution is only available to members of Experts Exchange.

eedlee (ASKER)
Worked great, nice solution. The only issue I'm noticing is that after a successful failure of S0 and bringing it back up, packets continue to be routed out the F0/1 rather than returning to S0 by default, even though the state has changed back to UP. Is there a way to make F0/1 always look to be the last route? I had to shutdown F0/1 to get S0 back to default route status.
Hmm...

Did you verify the routing with a show ip route? The route to S0/0 would be the preferred route based on admin distance. NAT wouldn't interfere with that.

I'm guessing what you saw was due to the NAT translation table on the router.  

Were you testing with the same connection each time (ie - http from PC A to Site B)?  

I bet it would have started working properly if you issued a clear ip nat translations * on the router.
Or when the nat translation timed out in 24 hours...

Try it again when you get a chance and let me know if that's indeed the case.  If that's the problem, worst case you can lower the nat timeouts, but there should be some other workarounds.

Can you post a show ver so I can see flash/ram, IOS ver, feature set...
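The checks the reply above suggests, written out as an added example (not commands from the thread's solution): confirm which default route is installed, look at which outside address the existing translations are bound to, flush them, and, if the stale-entry explanation holds, shorten the dynamic translation timeouts. The timeout values chosen here are assumptions for illustration; the defaults quoted in the comments are IOS defaults.

```cisco
! Added example: verifying failback from F0/1 to S0/0 and clearing stale NAT state.
! 1. Which default route is active? With both interfaces up, the AD-1 route via
!    Serial0/0 should be the one installed, not the AD-10 route via FastEthernet0/1.
show ip route 0.0.0.0
show ip interface brief
!
! 2. Existing flows keep the outside address they were created with. If entries
!    here still show the cable (DHCP) address as the "Inside global" address after
!    S0/0 is back, those sessions will keep leaving via F0/1 until they age out.
show ip nat translations
show ip nat statistics
!
! 3. Drop all dynamic translations so new sessions are rebuilt on the preferred
!    path. This resets every active NAT session, so do it in a maintenance window.
clear ip nat translations *
!
! 4. Optional: shorten how long idle entries linger. IOS defaults are 86400 s
!    (24 hours) for the general and TCP timeouts and 300 s for UDP; these
!    one-hour values are an illustrative choice, not a recommendation from the thread.
configure terminal
 ip nat translation timeout 3600
 ip nat translation tcp-timeout 3600
 end
```

Shorter timeouts only bound how long a stale binding survives; they do not move an active, busy session back to the T1, so step 3 is what actually restores the preferred path after a failover test.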

eedlee (ASKER)
I'm on vacation in about 3 hours (woo) and I'm not onsite at the moment. FYI, it's running 12.3 and has the IOS IP Plus set (but not installed) with proper memory to run the higher feature set (bought everything new and worked with Ingram support to verify all of this). For the interim I'll post points and we can pick up next month.

Thanks for the help.

Enjoy your vacation.