Cisco 1812 WAN Routing Issue - Simple Fix?

Posted on 2008-11-19
Last Modified: 2012-05-05
Hi All

Here's the issue: I have a Cisco Dual WAN 1812 Router, and I am having issues connecting out through one of my ISPs as they require PPPoA and as such have only got Ethernet.

I have a Netgear DG834 ADSL/Modem Router in front of the 1812 and as such will have to double NAT on that connection due to the 1812 not having any ATM port.

The Netgear's details are as follows.
IP: 10.0.0.1
Subnet 255.0.0.0

DHCP is enabled and when I connect another machine directly to the netgear router they are issued with the following details;
IP 10.0.0.2
Subnet: 255.0.0.0
Gateway: 10.0.0.1
DNS: 10.0.0.1

So everything is fine as far as the Netgear config goes. The problem lies in trying to configure the FastEthernet0 port on the 1812: whenever I create a static route of 0.0.0.0 0.0.0.0 10.0.0.1, the internet seems to go down and I cannot access the other working PPPoE connection on FastEthernet1.

I am able to ping 10.0.0.1 from the source FastEthernet0 but cannot ping any external IPs. I can ping 10.0.0.6 (FastEthernet0 IP) from within the network.

So, looking at my config, what do I need to change in order for FastEthernet0 to be able to access out via the Netgear router at 10.0.0.1?

Many Thanks
Steve
Building configuration...
 
Current configuration : 7019 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EdgeFirewall
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging console critical
enable secret 5 ****
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ****
ip name-server 87.194.0.51
ip name-server 87.194.0.52
ip name-server 62.6.40.162
ip name-server 194.72.9.38
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip ips deny-action ips-interface
!
!
!
username sdmadmin privilege 15 password 7 ****
!
! 
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description BT Broadband (ADSL)$ETH-WAN$
 ip address 10.0.0.6 255.0.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description O2 Broadband (ADSL 2+)$ETH-WAN$$FW_OUTSIDE$
 ip address 87.194.*.* 255.255.248.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet2
 description ISA Back-End Firewall
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 87.194.152.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1  <<<<<<<<<<< Problem occurs when this route is there
!
!
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source route-map ISP2 interface FastEthernet1 overload
!
logging trap debugging
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 87.194.152.0 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 10.0.0.1 eq domain any
access-list 101 remark SMTP Server
access-list 101 permit tcp any any eq smtp log
access-list 101 remark CCTV
access-list 101 permit tcp any any eq 6100 log
access-list 101 remark HTTPS
access-list 101 permit tcp any any eq 443 log
access-list 101 remark RWW
access-list 101 permit tcp any any eq 4215 log
access-list 101 remark RDP
access-list 101 permit tcp any any eq 3389 log
access-list 101 remark VNC
access-list 101 deny   tcp any any eq 5900 log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 194.72.9.38 eq domain any
access-list 102 permit udp host 62.6.40.162 eq domain any
access-list 102 permit udp host 87.194.0.52 eq domain any
access-list 102 permit udp host 87.194.0.51 eq domain any
access-list 102 remark SMTP
access-list 102 deny   tcp any any eq smtp log
access-list 102 permit udp host 194.72.9.38 eq domain host 87.194.*.*
access-list 102 permit udp host 62.6.40.162 eq domain host 87.194.*.*
access-list 102 permit udp host 87.194.0.52 eq domain host 87.194.*.*
access-list 102 permit udp host 87.194.0.51 eq domain host 87.194.*.*
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any host 87.194.*.* echo-reply
access-list 102 permit icmp any host 87.194.*.* time-exceeded
access-list 102 permit icmp any host 87.194.*.* unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny   ip any any
no cdp run
!
route-map ISP1 permit 20
 match ip address 2
 match interface FastEthernet0
!
route-map ISP2 permit 10
 match ip address 2
 match interface FastEthernet1
!
!
!
!
control-plane
!
banner login ^CAuthorised User Login^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 103 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:Stephen Manderson
14 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 1000 total points
ID: 22996410
Your access-list is blocking the return traffic.  Enable the IOS Firewall on the FastEthernet0 interface:

conf t
int fa0
ip inspect SDM_LOW out
0
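To see why the accepted answer holds, the sketch below (an added example, not code from the thread) runs ACL 101 as posted against the reply to an outbound web request, then repeats the check with a simplified model of what `ip inspect SDM_LOW out` adds. The packets, the 203.0.113.10 address and every function name are constructed for illustration; the reply is addressed to 10.0.0.6 because the inbound ACL is checked before NAT translates the packet back.

```python
from ipaddress import ip_address

# ACL 101 (inbound on FastEthernet0) as posted, minus remarks and the prefix.
ACL_101 = """\
permit udp host 10.0.0.1 eq domain any
permit tcp any any eq smtp log
permit tcp any any eq 6100 log
permit tcp any any eq 443 log
permit tcp any any eq 4215 log
permit tcp any any eq 3389 log
deny   tcp any any eq 5900 log
deny   ip 192.168.0.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any log
"""
PORT_NAMES = {"domain": 53, "smtp": 25}  # the only port names this ACL uses

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ip_address(tok[1])), 0), tok[2:]
    return (int(ip_address(tok[0])), int(ip_address(tok[1]))), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tok[:1] == ["eq"]:
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(text):
    rules = []
    for raw in text.splitlines():
        tok = [t for t in raw.split() if t != "log"]
        rule = {"line": " ".join(raw.split()), "action": tok[0], "proto": tok[1]}
        rule["src"], tok = _take_addr(tok[2:])
        rule["sport"], tok = _take_port(tok)
        rule["dst"], tok = _take_addr(tok)
        rule["dport"], tok = _take_port(tok)
        rule["icmp"] = tok[0] if tok else None  # ICMP type keyword, if any
        rules.append(rule)
    return rules

def _ip_match(spec, ip):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ip_address(ip)) | wild) == (base | wild)

def acl_verdict(rules, pkt):
    """Stateless check: the first matching entry decides, as on IOS."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and _ip_match(r["src"], pkt["src"]) and _ip_match(r["dst"], pkt["dst"])
                and r["sport"] in (None, pkt.get("sport"))
                and r["dport"] in (None, pkt.get("dport"))
                and r["icmp"] in (None, pkt.get("icmp"))):
            return r["action"], r["line"]
    return "deny", "(implicit deny)"

def inbound_verdict(rules, pkt, sessions=frozenset()):
    """Simplified inspection model: the reverse of a recorded outbound flow is let in ahead of the ACL."""
    reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
    if reverse in sessions:
        return "permit", "(inspected session)"
    return acl_verdict(rules, pkt)

RULES = parse_acl(ACL_101)
# Constructed packets: 203.0.113.10 is a documentation address for a web server.
OUTBOUND_FLOW = ("tcp", "10.0.0.6", 50000, "203.0.113.10", 80)
WEB_REPLY = dict(proto="tcp", src="203.0.113.10", sport=80, dst="10.0.0.6", dport=50000)
```

Without a recorded session, `acl_verdict(RULES, WEB_REPLY)` falls through every permit entry and lands on the final `deny ip any any log`; with `OUTBOUND_FLOW` in the session set, the same packet is admitted.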
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22996855
Thanks for the speedy reply once again :-)

That's it sort of up and running over the 2 lines.
I seem to be having issues, however, connecting to sites and performing pings.
If I do

ping google.com source fa0

Sometimes it will time out but the times it does respond the same ping from fa1 it will time out. Similarly when fa1 gets a response fa0 will timeout.

Any Ideas?

Many Thanks, Steve
0
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22996901
Hmm now neither will ping, both just time out, I know for a fact that fa0 has got a connection however as I have a stable connection on another client.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22996939
This is the nature of pinging from the router with the two equal cost default routes.  The ping from the fa0 interface may be routed out the ISP connected to fa1 which will most likely be dropped by that ISP and vice versa for the pings from the fa1 interface.  If you ping from a PC behind the router, you shouldn't be getting drops...
0
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22997049
Thanks for clearing that up. I'm still getting dropped packets from a client behind the 1812 router. Also, when looking at the interface status there doesn't appear to be any traffic going out via fa1, whereas fa0 has.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22997179
Turn off the reverse path verification on the fa1 interface as I've seen it break things before:

interface FastEthernet1
no ip verify unicast reverse-path

A client, if pinging the same destination, will stick to the same circuit.  Does web browsing work?  If you go to "www.whatismyip.com", does it have the Netgear external IP?
0
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22997355
Yes it has the netgear External IP, I changed both of the route-maps to permit 10 as per your suggestion in my previous question. Web pages seem to take forever to load and most just time out. Except for google that seems to load searches without any issues...
0
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22997489
Pinging Google from behind the router always times out on the first reply and takes a while to respond.
C:\Users\Jnr>ping google.com
 
Pinging google.com [209.85.171.99] with 32 bytes of data:
Request timed out.
Reply from 209.85.171.99: bytes=32 time=180ms TTL=238
Reply from 209.85.171.99: bytes=32 time=178ms TTL=238
Reply from 209.85.171.99: bytes=32 time=179ms TTL=238
 
Ping statistics for 209.85.171.99:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 178ms, Maximum = 180ms, Average = 179ms
 
C:\Users\Jnr>ping google.com
 
Pinging google.com [209.85.171.99] with 32 bytes of data:
Request timed out.
Reply from 209.85.171.99: bytes=32 time=177ms TTL=238
Reply from 209.85.171.99: bytes=32 time=177ms TTL=238
Reply from 209.85.171.99: bytes=32 time=176ms TTL=238
 
Ping statistics for 209.85.171.99:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 176ms, Maximum = 177ms, Average = 176ms
 
C:\Users\Jnr>ping google.com
 
Pinging google.com [209.85.171.99] with 32 bytes of data:
Request timed out.
Reply from 209.85.171.99: bytes=32 time=176ms TTL=239
Reply from 209.85.171.99: bytes=32 time=177ms TTL=239
Reply from 209.85.171.99: bytes=32 time=180ms TTL=239
 
Ping statistics for 209.85.171.99:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 176ms, Maximum = 180ms, Average = 177ms

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22997551
Strange.  So, if you only work with one route at a time, does it work perfectly?

conf t
no ip route 0.0.0.0 0.0.0.0 10.0.0.1

All traffic should only be routed out the Fa1 ISP.  Is it successful?

Next, swap routes:

conf t
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip route 0.0.0.0 0.0.0.0 87.194.152.1

All traffic should now only be routed out the Fa0 ISP.  Is it successful?
0
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 22997688
I gotta head out for the night, I'll have to test the above tomorrow. Thanks :-)
0
 
LVL 5

Expert Comment

by:devangshroff
ID: 23001813
This won't work. Go for a UTM or Cisco ASA 5505 with 7.2 ver.
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 1000 total points
ID: 23010658
This will work fine. You have three options to get this working
1<easiest> Configure the second route with a higher metric. The downside is no automatic failover
2<More difficult> Configure Tracking with SLAs. This will perform automatic failover. (This is what the ASA does)
      http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx
3<Most difficult> Configure OER. This will set up load sharing for the connections.
     http://www.inacom-sby.net/shawn/

The OER is well worth it, if you spend the time. You are over halfway there actually. The ASA route will not provide any more functionality than my second example. My link for the Third option includes all of my posts in the series and will also allow you to configure inbound access to your servers over both ISPs at the same time. There is no way to do that with the ASA
Shawn
0
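The first two options above can be compared with a small model of which static default routes IOS installs (an added example, not code from the thread or the linked posts). On IOS the "metric" of a static route is the administrative distance, the optional number after the next hop; the function names are hypothetical, the first two route pairs are copied from the configs posted in this thread, and the last two are constructed.

```python
def parse_default_routes(config):
    """Return (next_hop, distance, track_id) for each static default route."""
    routes = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            continue
        next_hop, rest = tok[4], tok[5:]
        distance, track = 1, None  # a static route defaults to distance 1
        if rest and rest[0].isdigit():
            distance, rest = int(rest[0]), rest[1:]
        if rest[:1] == ["track"]:
            track = int(rest[1])
        routes.append((next_hop, distance, track))
    return routes


def installed_defaults(config, tracks_up=()):
    """Next hops that end up in the routing table.

    A tracked route is eligible only while its track object is up; among the
    eligible routes, every route with the lowest distance is installed, so
    two routes with equal distance share the traffic.
    """
    eligible = [r for r in parse_default_routes(config)
                if r[2] is None or r[2] in tracks_up]
    if not eligible:
        return []
    best = min(r[1] for r in eligible)
    return [r[0] for r in eligible if r[1] == best]


# From the first config in the thread: two equal-cost defaults.
FIRST_POST = """\
ip route 0.0.0.0 0.0.0.0 87.194.152.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""
# From the config posted later in the thread: tracked primary, but the
# second route still has distance 1.
LATER_POST = """\
ip route 0.0.0.0 0.0.0.0 87.194.152.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""
# Constructed: option 1, backup route with a higher distance (10 is arbitrary).
OPTION_1 = """\
ip route 0.0.0.0 0.0.0.0 87.194.152.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1 10
"""
# Constructed: option 2, tracked primary plus higher-distance backup.
OPTION_2 = """\
ip route 0.0.0.0 0.0.0.0 87.194.152.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
"""

if __name__ == "__main__":
    for name, cfg in [("first post", FIRST_POST), ("later post", LATER_POST),
                      ("option 1", OPTION_1), ("option 2", OPTION_2)]:
        print(name, "| track up:", installed_defaults(cfg, {1}),
              "| track down:", installed_defaults(cfg))
```

With the track object up, the later config still installs both next hops because the untracked route keeps distance 1; only the higher-distance backup in the constructed variants leaves a single active default.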
 
LVL 19

Author Comment

by:Stephen Manderson
ID: 23036271
Thanks for the different ideas, I have attached my current config.

Currently I am able to get web access out via my O2 ISP; however, downloads are very slow and fluctuate 50-500 kbps instead of 1.5 mbps.

And I am still having issues with NLB and failover. Is there anything in my config that stands out as an issue?

Many Thanks
Steve

!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Edge
!
boot-start-marker
boot system flash:c181x-adventerprisek9-mz.124-22.T.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name *.*.com
ip name-server 192.168.1.1
ip name-server 87.194.0.51
ip name-server 87.194.0.52
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
no ipv6 cef
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
!
!
username sdmadmin privilege 15 password 7 ****
! 
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 1 ip sla 1 reachability
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_kazaa
   drop
 class sdm_p2p_bittorrent
   drop
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description BT Broadband (ADSL)$ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
interface FastEthernet1
 description O2 Broadband (ADSL 2+)$ETH-WAN$$FW_OUTSIDE$
 ip address 87.194.*.* 255.255.248.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
 description ISA Back-End Firewall
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ip policy route-map director
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.194.152.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http access-class 3
ip http authentication local
no ip http secure-server
!
!
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source route-map BT interface FastEthernet0 overload
ip nat inside source route-map O2 interface FastEthernet1 overload
!
ip sla 1
 icmp-echo 209.85.171.99
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
logging trap debugging
logging 192.168.0.2
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip 87.194.*.* 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.1.1 eq domain host 192.168.1.2
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip 87.194.*.* 0.0.7.255 any
access-list 101 permit icmp any host 192.168.1.2 echo-reply
access-list 101 permit icmp any host 192.168.1.2 time-exceeded
access-list 101 permit icmp any host 192.168.1.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 87.194.0.52 eq domain host 87.194.*.*
access-list 102 permit udp host 87.194.0.51 eq domain host 87.194.*.*
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any host 87.194.159.21 echo-reply
access-list 102 permit icmp any host 87.194.159.21 time-exceeded
access-list 102 permit icmp any host 87.194.159.21 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny   ip any any
no cdp run
 
!
!
!
!
route-map director permit 9
 match ip address O2
 set ip next-hop 87.194.152.1
!
route-map director permit 10
 match ip address BT
 set ip next-hop 217.47.56.73
!
route-map BT permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map O2 permit 10
 match ip address 1
 match interface FastEthernet1
!
!
!
!
control-plane
!
banner login ^CAuthorised User Login^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 103 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler interval 500
end

0
 
LVL 5

Expert Comment

by:devangshroff
ID: 23067865
You do whatever, but this is not a proper solution to do failover in Cisco. Go for UTM. Managing will be very difficult.
0
