Solved

"Load Balance" / Dual ADSL Configuration on Cisco 1841 using same ISP.

Posted on 2007-12-05
19
5,497 Views
Last Modified: 2009-01-27
Folks,

I have noticed several EE posts on this topic (and others outside EE) but I cannot seem to find a definitive answer on the topic of running a "load balanced / split load" setup using two seperate ADSL feeds from the same ISP (or different ISP's for that matter).

I have followed the suggestions of enabling "ip cef" on the box, creating and testing both ADSL links (both work fine as a standalone ADSL setup) and then trying to setup two default routes to the seperate line interfaces as many have discussed - but this is where I get stuck.

Once I enable this dual 0.0.0.0 entry using the same weighting, nothing flows.  I suspect this is down to the NAT'ing which I cannot seem to get to work with both the lines - only one at a time and with one default route.  I've read elsewhere about possibly using route-maps which I'm not 100% conversant with to be honest, or using OER (I think that's correct?) to correct this setup - some suggesting to use the Cisco for the dual part and NAT'ing on another backend box.

Can anyone supply a copy of a working config in this scenario or point me in the direction of other info to look at, as I would prefer to try and keep it all on the same box if at all possible - greedy I know!  :o)

Thanks

0
Comment
Question by:1stopit
  • 8
  • 6
  • 5
19 Comments
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 20411031
Here you go, have fun.

For example: 10.1.3.3 is the unNAT'd loopback of R0, 1.1.1.1 (R0 S0/0 2.2.2.2 (R0 S1/0)
170.2.5.0 (ISP1 R1 ), 170.3.5.0 (ISP2 R2)

access-list 135 permit icmp host 10.1.3.3 170.2.5.0 0.0.0.255
access-list 136 permit icmp host 10.1.3.3 170.3.5.0 0.0.0.255
!
route-map ISP1 permit 10
 match ip address 135
!
route-map ISP2 permit 10
 match ip address 136
!
ip nat inside source route-map ISP1 interface Serial0/0 overload
ip nat inside source route-map ISP2 interface Serial1/0 overload
!
interface Loopback0
 ip address 10.1.3.3 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface Serial1/0
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 
harbor235 ;}
0
 

Author Comment

by:1stopit
ID: 20411100
Ok... think I get the idea.

I assume if my internal LAN address of my cisco is say 192.168.100.254, then this would be inserted instead of the 10.1.3.3 address in your example?

Also - if I wanted to do inbound ports to servers behind the Cisco such as webmail or other web based servers, then I would just add the appropriate "ip nat" commands - or would this not work with this setup... or will I get weird results using this?

0
 
LVL 32

Expert Comment

by:harbor235
ID: 20411353
Yes, substitute your LAn IP range for the 10.1.3.3.

As far as inbound ports to servers, yes, use the IP NAT command, however be careful here.
I would use a seperate IP for outside global address instead of the interface IP used for the overload.

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 20411367
You would also need to change the ip nat inside command from the loopback to the correct interface.

harbor235 ;}
0
 

Author Comment

by:1stopit
ID: 20411926
Thanks, but can you elaborate a little more on the last comment re: the loopback to correct interface?

For example, if I had a server on 192.168.100.1 doing SMTP email and I wanted to route inbound mails from an external interface to this, what would I need to include in terms of ip nat command?
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20415772
I have a how to from the ground up that you can read here
www.inacom-sby.net/shawn
The loopback is not needed just an Inside NAT interface. I walk through how to do dual NAT and the "load balancing" with OER. It is pretty easy to follow and I can help you adjust your current config if you post it here. Please remove any reference to your public IP addresses though.
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20415840
The NAT can easily run on the same router so don't run out and buy any new hardware yet
0
 
LVL 32

Expert Comment

by:harbor235
ID: 20416072
In my config, which I know works, and has been tested in my lab, I specifiy the internal network as the router's looback interface. In your scenario you will have another interface on the router which is the source of  the traffic you want to NAT. The  interface must have the "ip nat inside" command like I have on the routers loopback ijnterface.

harbor235 ;}
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20416084
@harbor; I was not saying that it would not work, just that he did not have to use a loopback.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 32

Expert Comment

by:harbor235
ID: 20416124
wingatesl, gotcha, and I agree with you.

thanx

harbor235 ;}
0
 

Author Comment

by:1stopit
ID: 20421476
OK... just so I get things straight in my head (I don't want to be a simple copy-paster!) I'd like to ask a few questions re: the config you have suggested wingatesl....

Part 2:

Why do we need to assign dual IP's to our servers in this config - is this to help the Cisco do routing between the WAN side and the servers depending on the WAN link used, or to prevent packets being processed in the wrong order if they are split up across the two WAN's during transmission etc?

There is an IP address of 192.168.32.0 listed in the section for "ip forward-protocol nd" section - where does this tie-in/link to/relate to, as none of the other interfaces have a similar subnet configured.  Is this some sort of loopback or other "middleman" in the config for routing purposes - or just a typo?

In the route-map director section - why is one set to permit 9 and the other permit 10?  Again should these not be both set to the same or a typo/other?





Also in the


Overall:

If this box was to be used for VPN termination - what issues or other concerns would there be to take care of/ be aware of?


0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20421741
The  dual IPs on the servers are to keep the NAT on the router sane.
The port forward to a specific IP address means the server will respond with that address. When it makes it to the router, the director route map sets the next-hop to the correct ISP gateway based upon this ip address. (exactly what you were thinking)
The permit 9 and permit 10 are just to hold two different match statements. The order is not important.
 The 192.168.32.0 network was my internal LAN and the route was put there to allow me to telnet to the router only.
The box can terminate VPNs but this can get really messy if they are not static peers
0
 

Author Comment

by:1stopit
ID: 20424091
Excellent!  I'll give this a whirl tomorrow in the office and see how I get on.
Two questions though before I go...  is there a typo in this part of the config?

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.254 10  <---- does this line need a track inserted as line above?
ip route 192.168.32.0 255.255.255.0 192.168.99.254


Also, do I just add the part 3 code to the end of the existing part 2 code, or is there any special order I need to follow?

0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20424677
There is no type in that line I am only tracking the primary ISP. The ip forward-protocol nd is not needed no is the ip route 192.168.32.0 255.255.255.0 192.168.99.254
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20424682
Do them in order and test the failover by unpluggin one ISP before you move to step 3  and all should be good.
0
 

Author Comment

by:1stopit
ID: 20428476
Guys,

I've looked into the changes suggested, but I think I may need some further assistance in implementing (either) of your solutions.  One of the problems I have is that the WAN cards are ADSL units which are picking up an IP address from our ISP (I do have the static IP address, but our ISP says the subnet should be 255.255.255.255 which the Cisco doesn't like in SDM).  The IP's picked up are the actual static IP's assigned to our accounts but set by the ISP on connection using a dynamic setting - if this makes sense, so some of the routing and next hop statements may be different I suspect from the examples you have both shown.

The other issue is the actual requirement - I think I need to clarify exactly what I'm trying to achieve... ideally I would like the WAN's setup to split the outbound load across both WAN links but only to accept inbound SMTP and SSL ports on the first WAN port, so I assume I would only need to have a single IP address on our internal servers, as we are not trying to do a load split inbound as both WAN's are provided by the same ISP/Exchange so if one line went down, the other would too.  I purely need the outbound load "balanced".


Do you follow?


The current config of our box is as follows (as generated using SDM)...


!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gatekeeper
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ---- secret bit withheld -----
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name onestopit.com
ip name-server 10.10.10.230
!
!
crypto pki trustpoint TP-self-signed-3659007435
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3659007435
 revocation-check none
 rsakeypair TP-self-signed-3659007435
!
!
crypto pki certificate chain TP-self-signed-3659007435
 certificate self-signed 01
------ certificate details withheld ------
  quit
username admin privilege 15 secret 5 ----- withheld------
!
!
!
!
!
!
interface FastEthernet0/0
 description LAN$FW_INSIDE$$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 description WAN1
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 description WAN2
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ---- withheld ----
 ppp chap password 7 --- withheld ----
 ppp pap sent-username ----- withheld -----
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
ppp chap hostname ---- withheld ----
 ppp chap password 7 --- withheld ----
 ppp pap sent-username ----- withheld -----
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
0
 

Author Comment

by:1stopit
ID: 20428498
I should also add that the current config has both WAN links up and running, but only set to use a single one at present.
0
 

Author Comment

by:1stopit
ID: 20428530
...and no NAT is shown as being configured at present.  Although I have tested this config with both Dialer interfaces in turn with no problems with a single NAT statement for one or other other in turn.

0
 

Author Comment

by:1stopit
ID: 21167101
OK folks, got my 1841 doing load balance/split load outbound and working welll.  Now need to sort out inbound NAT routing for servers behind the firewall for SMTP and SSL webmail etc.

In my current setup, I can only get one WAN connection  at a time to NAT correctly from external IP to internal server IP - while the other external IP connection attempt  timesout.  If I drop/re-establish the non-working WAN NAT connection, then it jumps over to that one and stops workng on the other side.  Do you follow?  (ie: using an outside server, I can telnet back in on port 25 say and get a server response on WAN1 external IP, but doing same on WAN2 external IP is a no go.)

I've followed advice to use two seperate internal IP's on my server box to route the different sides to so it keeps everything clean... and managed to get this working fine on a test setup, but in a live setup it fails to connect on both sides even though the existing working NAT statements have simply been altered to reflect live IP's and ports.

Attached is a copy of the current config... is something amiss or is there a better way to do what I'm trying to do?




Building configuration...

 

Current configuration : 12153 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname cisco

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 <secret>

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authorization exec local_author local

!

aaa session-id common

!

resource policy

!

clock timezone PCTime 0

clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00

no ip source-route

ip cef

!

!

!

!

ip tcp synwait-time 10

no ip bootp server

ip domain name onestopit.com

ip name-server 10.10.10.230

ip ssh time-out 60

ip ssh authentication-retries 2

ip ips sdf location flash://128MB.sdf autosave

ip ips notify SDEE

ip ips name sdm_ips_rule

!

!

crypto pki trustpoint TP-self-signed-3659007435

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3659007435

 revocation-check none

 rsakeypair TP-self-signed-3659007435

!

!

crypto pki certificate chain TP-self-signed-3659007435

 certificate self-signed 01

  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33363539 30303734 3335301E 170D3037 31323034 31363535

  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36353930

  30373433 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C780 1CC83C90 9A0210C6 8C77DD2E 9328DFAE 669C23F2 23A401FF F57243DB

  1C6DF8AE A6588072 78DA7988 9045C215 C6B02CA1 61F3D95C 8017699C 6E465ECD

  31A533FE B1B1376D D73D31DA EA41D5D5 922A155F 771D5FD3 FB92758B CC61C470

  58AC1A87 C8CFB5D0 AF934E00 89E3591F 289950C9 399AA73C 0DD63080 69D6DF72

  CAD50203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603

  551D1104 1C301A82 18676174 656B6565 7065722E 6F6E6573 746F7069 742E636F

  6D301F06 03551D23 04183016 8014D920 AEDDBA20 0F3BCFDF 9120F13E AE8D5040

  28DD301D 0603551D 0E041604 14D920AE DDBA200F 3BCFDF91 20F13EAE 8D504028

  DD300D06 092A8648 86F70D01 01040500 03818100 4F21BE9A 381CB2AC 963D2C18

  D7758488 73D650DB 99DC2AD6 2DEC2C38 017AC4E7 1ADD2395 C6392B86 355054C8

  A66B71CE AF2C14C6 99DF8D32 1FB7BC6E 02A86342 7A44434E 7E082A57 04F0BD1B

  B553F096 E801D18F A4A60672 022265C9 AEA0CF71 CD3ED0D7 7C8720F1 F5019367

  524031B8 108C4571 937CD0A9 FEFDD236 44C6F0AF

  quit

username admin privilege 15 secret 5 <secret>

!

!

track 101 rtr 1 reachability

!

track 102 rtr 2 reachability

!

class-map match-any SDM-Transactional-2

 match protocol citrix

 match protocol finger

 match protocol notes

 match protocol novadigm

 match protocol pcanywhere

 match protocol secure-telnet

 match protocol sqlnet

 match protocol sqlserver

 match protocol ssh

 match protocol telnet

 match protocol xwindows

class-map match-any SDM-Transactional-1

 match protocol citrix

 match protocol finger

 match protocol notes

 match protocol novadigm

 match protocol pcanywhere

 match protocol secure-telnet

 match protocol sqlnet

 match protocol sqlserver

 match protocol ssh

 match protocol telnet

 match protocol xwindows

class-map match-any SDM-Routing-2

 match protocol bgp

 match protocol egp

 match protocol eigrp

 match protocol ospf

 match protocol rip

 match protocol rsvp

class-map match-any SDM-Scavenger-2

 match protocol napster

 match protocol fasttrack

 match protocol gnutella

class-map match-any SDM-Signaling-1

 match protocol h323

 match protocol rtcp

 match protocol sip

class-map match-any SDM-Signaling-2

 match protocol h323

 match protocol rtcp

 match protocol sip

class-map match-any SDM-Scavenger-1

 match protocol napster

 match protocol fasttrack

 match protocol gnutella

class-map match-any SDM-Routing-1

 match protocol bgp

 match protocol egp

 match protocol eigrp

 match protocol ospf

 match protocol rip

 match protocol rsvp

class-map match-any SDM-Voice-1

 match protocol rtp audio

class-map match-any SDM-Voice-2

 match protocol rtp audio

class-map match-any SDM-Streaming-Video-2

 match protocol cuseeme

 match protocol netshow

 match protocol rtsp

 match protocol streamwork

 match protocol vdolive

class-map match-any SDM-Streaming-Video-1

 match protocol cuseeme

 match protocol netshow

 match protocol rtsp

 match protocol streamwork

 match protocol vdolive

class-map match-any SDM-Management-1

 match protocol dhcp

 match protocol dns

 match protocol imap

 match protocol kerberos

 match protocol ldap

 match protocol secure-imap

 match protocol secure-ldap

 match protocol snmp

 match protocol socks

 match protocol syslog

class-map match-any SDM-Management-2

 match protocol dhcp

 match protocol dns

 match protocol imap

 match protocol kerberos

 match protocol ldap

 match protocol secure-imap

 match protocol secure-ldap

 match protocol snmp

 match protocol socks

 match protocol syslog

class-map match-any SDM-Interactive-Video-2

 match protocol rtp video

class-map match-any SDM-Interactive-Video-1

 match protocol rtp video

class-map match-any SDM-BulkData-2

 match protocol exchange

 match protocol ftp

 match protocol irc

 match protocol nntp

 match protocol pop3

 match protocol printer

 match protocol secure-ftp

 match protocol secure-irc

 match protocol secure-nntp

 match protocol secure-pop3

 match protocol smtp

 match protocol tftp

class-map match-any SDM-BulkData-1

 match protocol exchange

 match protocol ftp

 match protocol irc

 match protocol nntp

 match protocol pop3

 match protocol printer

 match protocol secure-ftp

 match protocol secure-irc

 match protocol secure-nntp

 match protocol secure-pop3

 match protocol smtp

 match protocol tftp

!

!

policy-map SDM-QoS-Policy-2

 class SDM-Voice-2

  set dscp ef

  priority percent 33

 class SDM-Signaling-2

  set dscp cs3

  bandwidth percent 5

 class SDM-Routing-2

  set dscp cs6

  bandwidth percent 5

 class SDM-Management-2

  set dscp cs2

  bandwidth percent 5

 class SDM-Transactional-2

  set dscp af21

  bandwidth percent 5

 class class-default

  fair-queue

  random-detect

policy-map SDM-QoS-Policy-1

 class SDM-Voice-1

  set dscp ef

  priority percent 33

 class SDM-Signaling-1

  set dscp cs3

  bandwidth percent 5

 class SDM-Routing-1

  set dscp cs6

  bandwidth percent 5

 class SDM-Management-1

  set dscp cs2

  bandwidth percent 5

 class SDM-Transactional-1

  set dscp af21

  bandwidth percent 5

 class class-default

  fair-queue

  random-detect

!

!

!

!

!

!

interface Null0

 no ip unreachables

!

interface FastEthernet0/0

 description INTERNAL_LAN$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$$FW_INSIDE$

 ip address 10.10.10.254 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nbar protocol-discovery

 ip flow ingress

 ip flow egress

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no mop enabled

!

interface FastEthernet0/1

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip route-cache flow

 shutdown

 duplex auto

 speed auto

 no mop enabled

!

interface ATM0/0/0

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip route-cache flow

 no atm ilmi-keepalive

 dsl operating-mode auto

!

interface ATM0/0/0.1 point-to-point

 description PLUSNET1

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 no snmp trap link-status

 pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

 !

!

interface ATM0/1/0

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip route-cache flow

 no atm ilmi-keepalive

 dsl operating-mode auto

!

interface ATM0/1/0.1 point-to-point

 description PLUSNET2

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 no snmp trap link-status

 pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 2

 !

!

interface Dialer0

 description $FW_OUTSIDE$

 ip address 81.1.1.217 255.255.255.248

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nbar protocol-discovery

 ip flow ingress

 ip flow egress

 ip nat outside

 ip ips sdm_ips_rule in

 ip virtual-reassembly

 encapsulation ppp

 ip route-cache flow

 dialer pool 1

 dialer-group 1

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname username1@dsl.net

 ppp chap password 7 111A0C17111B050B557A7B

 ppp pap sent-username username1@dsl.net password 7 <password>

 service-policy output SDM-QoS-Policy-1

!

interface Dialer1

 description $FW_OUTSIDE$

 ip address 81.2.2.81 255.255.255.248

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nbar protocol-discovery

 ip flow ingress

 ip flow egress

 ip nat outside

 ip ips sdm_ips_rule in

 ip virtual-reassembly

 encapsulation ppp

 ip route-cache flow

 dialer pool 2

 dialer-group 2

 no cdp enable

 ppp authentication chap pap callin

 ppp chap hostname username2@dsl.net

 ppp chap password 7 111A0C17111B050B557A7B

 ppp pap sent-username username2@dsl.net password 7 <password>

 service-policy output SDM-QoS-Policy-2

!

ip route 0.0.0.0 0.0.0.0 Dialer0 track 101

ip route 0.0.0.0 0.0.0.0 Dialer1 track 102

!

!

ip http server

ip http access-class 3

ip http authentication local

ip http secure-server

ip http secure-port 8079

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map PLUSNET1 interface Dialer0 overload

ip nat inside source route-map PLUSNET2 interface Dialer1 overload

ip nat inside source static tcp 10.10.10.230 25 81.1.1.81 25 extendable

ip nat inside source static tcp 10.10.10.230 443 81.1.1.81 443 extendable

ip nat inside source static tcp 10.10.10.230 444 81.1.1.81 444 extendable

ip nat inside source static tcp 10.10.10.230 4125 81.1.1.81 4125 extendable

ip nat inside source static tcp 10.10.10.231 25 81.2.2.217 25 extendable

ip nat inside source static tcp 10.10.10.231 443 81.2.2.217 443 extendable

ip nat inside source static tcp 10.10.10.231 444 81.2.2.217 444 extendable

ip nat inside source static tcp 10.10.10.231 4125 81.2.2.217 4125 extendable

!

ip sla 1

 icmp-echo 81.1.1.217

 threshold 3

 frequency 5

ip sla schedule 1 life forever start-time now

ip sla 2

 icmp-echo 81.2.2.81

 threshold 3

 frequency 5

ip sla schedule 2 life forever start-time now

logging trap debugging

access-list 1 remark INSIDE_IF=FastEthernet0/0

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2

access-list 2 permit 10.10.10.0 0.0.0.255

access-list 3 remark HTTP Access-class list

access-list 3 remark SDM_ACL Category=1

access-list 3 permit 10.10.10.0 0.0.0.255

access-list 3 deny   any

access-list 10 permit 10.10.10.0 0.0.0.255

access-list 20 permit 10.10.10.0 0.0.0.255

access-list 101 remark VTY Access-class list

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 deny   ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

no cdp run

!

!

!

route-map PLUSNET1 permit 10

 match ip address 10

 match interface Dialer0

!

route-map PLUSNET2 permit 10

 match ip address 20

 match interface Dialer1

!

!

!

!

control-plane

!

!

banner login ^CCCCAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

 login authentication local_authen

 transport output telnet

line aux 0

 login authentication local_authen

 transport output telnet

line vty 0 4

 access-class 101 in

 authorization exec local_author

 login authentication local_authen

 transport input telnet ssh

line vty 5 15

 access-class 101 in

 authorization exec local_author

 login authentication local_authen

 transport input telnet ssh

!

scheduler allocate 20000 1000

end



0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now