July 5, 2008 03:04pm pdt

1. lrmoore 39,970
2. from_exp 20,802
3. donjohnston 18,498
4. ebjers 16,750
5. that1guy15 16,352
6. mikebern... 13,330
7. JFrederi... 12,800
8. kdearing 12,614
9. RobWill 10,950
9. giltjr 10,950
11. naughton 10,175
12. DevilWAH 9,718
13. pseudocyber 9,050
14. donmanrobb 9,015
15. tfowles 8,500

1. lrmoore 101,534
2. donjohnston 41,718
3. from_exp 25,002
4. mikebern... 22,080
5. pseudocyber 21,521
6. RobWill 20,750
7. ebjers 18,750
8. that1guy15 18,102
9. giltjr 17,050
10. JFrederi... 16,600
11. KCTS 13,018
12. kdearing 12,614
13. keith_al... 11,939
14. harbor235 11,590
15. batry_boy 11,500

02.17.2008 at 06:56PM PST, ID: 23170462

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.2

Secondary WAN not pingable

Zones: Network Design & Methodology, Network Routers, Network Management

Tags: NAT, ROUTE-MAPS

Hey Everyone,

I have a CISCO 1811 with 2 WANS going to two different ISPs for redundancy. NAT, IP SLA and route maps have been set up for redundancy and simple fail over. The default route is the primary (FA0) until it fails and seconday (FA1) takes over. All NAT is rerouted via route-map.

The problem is I cannot ping or enter router remotely on secondary interface.

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: vihunter

Solution Provided By: diepes

Participating Experts: 4

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

02.18.2008 at 11:11AM PST, ID: 20922521

diepes:

Problem is most likely that all replys leave out the firsts interface, when you connect to the 2nd interface, the router still reply through the first interface (default route), and the ISP1 drops the packet because source ip is wrong.

02.18.2008 at 04:56PM PST, ID: 20924837

Rank: Genius

lrmoore:

diepes is correct. With the default route going out the other interface, there is no way that you can remotely access the secondary interface unless and until the route actually fails over.

02.18.2008 at 05:26PM PST, ID: 20924969

vihunter:

Anyway to correct this with route maps?

02.18.2008 at 07:11PM PST, ID: 20925404

Rank: Genius

lrmoore:

You can add a static host route for your remote source IP, added to the route map and sla monitor so if the backup link was down you could still access it from the primary interface

02.18.2008 at 07:12PM PST, ID: 20925408

Rank: Genius

JFrederick29:

If you really wanted to, you could add static routes to the destinations you are managing the router from via the secondary interface (use IP SLA/tracking as well here). Of course, you will only be able to manage the router via the secondary interface from the destinations you specify if you do so....

02.18.2008 at 08:40PM PST, ID: 20925784

vihunter:

Here is the config, i have tinkered with enough already
______________________________________________
interface FastEthernet0
ip address 1.1.1.5 255.255.255.224
ip access-group 102 in
ip nat outside
ip inspect Sec_Low_Test out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map x
!
interface FastEthernet1
ip address 2.2.2.5 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
no cdp enable
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description Internal Lan
ip address 192.168.205.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 1.1.1.1 track 100
ip route 0.0.0.0 0.0.0.0 FastEthernet1 2.2.2.1 10
!
!
ip http server
no ip http secure-server
ip nat inside source route-map isp1-failover interface FastEthernet0 overload
ip nat inside source route-map isp2-failover interface FastEthernet1 overload
!
access-list 100 remark -------------------------------------------------------------------------------
access-list 100 remark VLAN 1 Route Map and Natting
access-list 100 deny ip 192.168.205.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 100 deny ip 192.168.205.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 192.168.205.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.205.0 0.0.0.255 any
access-list 100 remark -------------------------------------------------------------------------------
access-list 101 remark -------------------------------------------------------------------------------
access-list 101 remark VLAN 1 Firewall
access-list 101 deny ip 1.1.1.0 0.0.0.31 any
access-list 101 deny ip 66.185.42.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark -------------------------------------------------------------------------------
access-list 102 remark -------------------------------------------------------------------------------
access-list 102 remark FastEthernet0 Firewall
access-list 102 permit udp host 1.1.1.195 eq domain host 1.1.1.5
access-list 102 permit udp host 1.1.1.196 eq domain host 1.1.1.5
access-list 102 remark VPN SECTION START
access-list 102 remark STX LAN Start
access-list 102 permit udp host 1.1.1.99 host 1.1.1.5 eq isakmp
access-list 102 permit esp host 1.1.1.99 host 1.1.1.5
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 102 remark STX LAN End
access-list 102 remark MyLan Start
access-list 102 permit udp host 7.7.7.7 host 1.1.1.5 eq isakmp
access-list 102 permit esp host 7.7.7.7 host 1.1.1.5
access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 102 remark MyLan End
access-list 102 remark VPN SECTION END
access-list 102 permit icmp any host 1.1.1.5 echo-reply
access-list 102 permit icmp any host 1.1.1.5 time-exceeded
access-list 102 permit icmp any host 1.1.1.5 unreachable
access-list 102 permit tcp any host 1.1.1.5 eq 22
access-list 102 permit tcp any host 1.1.1.5 eq cmd
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny tcp any any log
access-list 102 deny udp any any log
access-list 102 deny icmp any any log
access-list 102 deny ip any any log
access-list 102 remark -------------------------------------------------------------------------------
access-list 103 remark -------------------------------------------------------------------------------
access-list 103 remark FastEthernet1 Firewall
access-list 103 permit udp host 2.2.2.2 eq domain host 2.2.2.45
access-list 103 permit udp host 2.2.2.5 eq domain host 2.2.2.45
access-list 103 permit icmp any host 2.2.2.45 echo-reply
access-list 103 permit icmp any host 2.2.2.45 time-exceeded
access-list 103 permit icmp any host 2.2.2.45 unreachable
access-list 103 permit tcp any host 2.2.2.45 eq 22
access-list 103 permit tcp any host 2.2.2.45 eq cmd
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 103 deny icmp any any log
access-list 103 deny ip any any log
access-list 103 remark -------------------------------------------------------------------------------
access-list 107 remark -------------------------------------------------------------------------------
access-list 107 remark FastEthernet0 VPN to XLan
access-list 107 permit ip 192.168.205.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 remark -------------------------------------------------------------------------------
access-list 108 remark -------------------------------------------------------------------------------
access-list 108 remark FastEthernet0 VPN to MyLan
access-list 108 permit ip 192.168.205.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 108 remark -------------------------------------------------------------------------------
snmp-server community x
snmp-server community x
!
!
!
route-map isp2-failover permit 10
match ip address 100
match interface FastEthernet1
!
route-map isp1-failover permit 10
match ip address 100
match interface FastEthernet0

02.19.2008 at 10:14AM PST, ID: 20930943

diepes:

I have come to the conclusion that default routes is a pain when you have more than one.

The problem is that the router follows the routing table (could be big with BGP on WWW) but then eventually if it still does not know, it uses the default route.

Routing was not really designed to have more than one default route, (or NAT)

Options
1. If you know the IP from which you will need to connect to the 2nd interface, a simple static route out the 2nd interface back to you will do. (This ip will then not be able to connect to int1)

2. Route-map might work, just match on the source of packet leaving and if it is the ip towards isp2 force packet to this gateway. (Router should not change the ip). (Will only work for Eth2 ip.)

off topic: i have done this before with Linux, it can even do this for IP's behind it, the secret is that it has a built in state-full firewall, where flows can be marked and tracked + forced to use a specific routing table.

Accepted Solution

02.19.2008 at 02:15PM PST, ID: 20933182

vihunter:

Will it help if I take off tracking and go with equal cost routing and let CEF do the rest for ingress/egress interface routing?

02.22.2008 at 05:14PM PST, ID: 20963086

Rank: Master

wingatesl:

CEF will really not help in this situation. I have an example where your inbound NAT is going to a secondary ip address on a server and it works for access from both WAN connections at the same time. This will not help with connection directly to the router but will provide dual inbound services to your servers. have a look
http://www.inacom-sby.net/Shawn/post/2007/11/Dual-ISPs-(Part-2).aspx

The router will always try to respond through the lowest cost route. This manages the connection by sending it back to a specific IP address based on the replying IP on the server

Assisted Solution

02.24.2008 at 11:50PM PST, ID: 20973487

vihunter:

Thanks for your post, but I have checked this doc already and it doesn't quit apply. I am not accessing inside servers, I just want to access second WAN interface for management purposes SSH or VPN.

I thought CEF was supposed to distinguish traffic from sources interfaces when equal cost routing is involved or maybe 'NAT extendable'? I will implement NAT extendable to selected services if neccessary ex. VPN.

Any suggestions?

20080236-EE-VQP-29 / EE_QW_2_20070628