Cisco Dual NAT for Failover links

Posted on 2009-12-18
Last Modified: 2012-05-08
It seems simple enough. I have a really complicated (sarcasm) T1 with 5 static IP addresses. I've had this T1 for years, so I know my configuration is correct... or it was until now. I recently was offered a DSL backup.... NOT for the servers, but for the desktop users. The boss thinks that the servers can stand to be inaccessible for short periods of time but all our desktops must have 100% uptime..... he's an idiot, but whatever.

Anyway, he won't let me get a WIC for the Cisco 1841 router we have to run the DSL, thus I am stuck putting the AT&T DSL before the FastEthernet0/1 interface. In other words, it looks something like this:
                                 ---------------------------------------------------------(Serial/0/0/0 - T1)
                               /
INTERNET ---------<
                               \
                                 ------------(2Wire AT&T DSL Modem) -------------(Fa0/1)

Serial IPs: X.X.X.78, X.X.X.81, X.X.X.82, X.X.X.83, X.X.X.84
DSL IP: static 192.168.1.1 (because the DSL Modem is 192.168.2.254)

Anyway, I can easily set up an SLA and track the old default route out the Serial interface to see if it is up. BUT, right now we have 4 static NATs for our 4 servers on the LAN. PLUS a main static IP for all the desktops to use. If the failover hits, I can't figure out how to get the NAT to move over so we can use the DSL.

To make sure this is clear so I can help you to help me, the X.X.X.78 is the "pooled" NAT address... it's the NAT IP used for a translation when the Serial interface is used. However, the FastEthernet0/1 interface going to the DSL router is on the 192.168.1.0/24 subnet, and so I want to use a pool from 192.168.1.5-192.168.1.245 as a really unnecessarily large nat pool for the Fa0/1 interface.

Now, if that wasn't enough..., I really just want to make ALL non-server or VPN traffic go out the DSL anyway to keep as much bandwidth as possible in the T1 for our webserver and the like.

Below is what I have so far.
Question by:JAMason1182

Author Comment

by:JAMason1182
ID: 26085635
Here's what I have so far: (minus the unnecessary info like hostname, etc.)

ip sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.77 source-interface Serial0/0/0
 timeout 1000
 threshold 250
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho X.X.X.77 source-interface Serial0/0/0
 timeout 1000
 threshold 250
ip sla monitor schedule 2 life forever start-time after 00:00:30
!
!
!
!
!
!!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 10 list boolean or
 object 1
 object 2
!
interface FastEthernet0/1
 description External - DSL Backup
 ip address 192.168.1.1 255.255.255.0
 ip access-group 109 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect wall4 in
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address X.X.X.78 255.255.255.248
 ip access-group 100 in
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 10
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 20
ip route X.X.X.77 255.255.255.255 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL X.X.X.78 X.X.X.78 prefix-length 24
ip nat pool DSLNATPOOL 192.168.1.5 192.168.1.245 prefix-length 24
ip nat inside source list 106 pool NATPOOL overload
ip nat inside source list 110 pool DSLNATPOOL overload
ip nat inside source static 10.20.21.48 X.X.X.81
ip nat inside source static 10.20.21.49 X.X.X.82
ip nat inside source static 10.20.21.51 X.X.X.83
ip nat inside source static 10.20.21.50 X.X.X.84
!
access-list 100 remark ########### SERIAL0/0/0 ingress ACL #############
access-list 101 remark ########### SERIAL0/0/0 egress ACL #############
access-list 102 remark ########### VLAN 21 ingress ACL #############
access-list 103 remark ########### VLAN 21 egress ACL #############
access-list 104 remark ########### VLAN 1 ingress ACL #############
access-list 105 remark ########### VLAN 1 egress ACL #############
access-list 106 remark ########### Serial0/0/0 NAT ACL ###########
access-list 107 remark ########### VLAN 22 ingress ACL #############
access-list 108 remark ########### VLAN 22 egress ACL #############
access-list 110 remark ############# FastEthernet 0/1 NAT ACL ###############
no cdp run
!
route-map ATTDSL permit 10
 match ip address 140
 match interface FastEthernet0/1
!
route-map T3VOICENET permit 10
 match ip address 130
 match interface Serial0/0/0
!

Author Comment

by:JAMason1182
ID: 26085643
And lastly, yes, I did have the

ip nat inside route-map T3VOICENET pool NATPOOL overload
ip nat inside route-map ATTDSL pool DSLNATPOOL overload

up there instead of the source lists, but it didn't work, so i removed it so I could post to experts exchange.

Expert Comment

by:Istvan Kalmar
ID: 26086019
Did you reload the router afterwards?

Could you show us the 'sh ip nat trans' command output?

Author Comment

by:JAMason1182
ID: 26089820
See I don't understand the whole route-map idea versus just using access-lists.... and so I don't know which one I need. PLUS, on top of all that, I have VPN access required through the Serial device.

How do I tell it when to allow a translation from one to another.... AND ALSO, when a fail happens and it tries to use the DSL, how do I get it to move over the mappings so that connections aren't lost?

Author Comment

by:JAMason1182
ID: 26093169
OK, I have an update. I got it to work on one side only. The bad news is my laptop crapped out and now has no bootable hard drive, so I'm going to test using a Fedora live CD tomorrow to see if I can get a connection directly from the DSL router.

But meanwhile, I got my VPN, NAT, etc. working through the default connection again using this:

!
hostname midnr001
!
no ip bootp server
ip name-server 10.20.20.55
ip name-server 10.20.20.54
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect max-incomplete high 800
ip inspect one-minute high 800
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name wall1 cuseeme timeout 3600
ip inspect name wall1 ftp timeout 3600
ip inspect name wall1 udp timeout 15
ip inspect name wall1 tcp timeout 3600
ip inspect name wall1 icmp timeout 15
ip inspect name wall1 isakmp
ip inspect name wall1 http java-list 3 timeout 3600
ip inspect name wall2 cuseeme timeout 3600
ip inspect name wall2 ftp timeout 3600
ip inspect name wall2 udp timeout 15
ip inspect name wall2 tcp timeout 3600
ip inspect name wall2 icmp timeout 15
ip inspect name wall2 http timeout 3600
ip inspect name wall3 cuseeme timeout 3600
ip inspect name wall3 udp timeout 15
ip inspect name wall3 tcp timeout 3600
ip inspect name wall3 icmp timeout 15
ip inspect name wall4 cuseeme timeout 3600
ip inspect name wall4 ftp timeout 3600
ip inspect name wall4 udp timeout 15
ip inspect name wall4 tcp timeout 3600
ip inspect name wall4 http java-list 3 timeout 3600
ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x source-interface Serial0/0/0
 timeout 1000
 threshold 250
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho x.x.x.x source-interface Serial0/0/0
 timeout 1000
 threshold 250
ip sla monitor schedule 2 life forever start-time after 00:00:30
ip sla monitor 3
 type echo protocol ipIcmpEcho x.x.x.x source-interface FastEthernet0/1
 timeout 1000
 threshold 250
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
 type echo protocol ipIcmpEcho x.x.x.x source-interface FastEthernet0/1
 timeout 1000
 threshold 250
ip sla monitor schedule 4 life forever start-time now
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
!
track 10 list boolean or
 object 1
 object 2
!
track 20 list boolean or
 object 3
 object 4
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Primary Internal Interface - VLAN Divided
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.20.20.1 255.255.255.0
 ip access-group 104 in
 ip access-group 105 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect wall1 in
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.21
 encapsulation dot1Q 21
 ip address 10.20.21.1 255.255.255.0
 ip access-group 102 in
 ip access-group 103 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect wall2 in
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 ip address 10.20.22.1 255.255.255.0
 ip access-group 107 in
 ip access-group 108 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect wall3 in
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1
 description External - DSL Backup
 ip address 192.168.1.1 255.255.255.0
 ip access-group 109 in
 ip access-group 110 out
 ip verify unicast reverse-path
 ip nat outside
 ip inspect wall4 in
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description External - T1$FW_OUTSIDE$$ES_WAN$
 ip address x.x.x.x 255.255.255.248
 ip access-group 100 in
 ip access-group 101 out
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map CMAP
!
ip local pool vpn1 192.168.3.1 192.168.3.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 10
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 20 track 20
ip route x.x.x.x 255.255.255.255 FastEthernet0/1
ip route 192.168.1.254 255.255.255.255 FastEthernet0/1
ip route x.x.x.x 255.255.255.255 Serial0/0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map DSLFa interface FastEthernet0/1 overload
ip nat inside source route-map T1Serial interface Serial0/0/0 overload
ip nat inside source static 10.20.21.48 x.x.x.x
ip nat inside source static 10.20.21.49 x.x.x.x
ip nat inside source static 10.20.21.51 x.x.x.x
ip nat inside source static 10.20.21.50 x.x.x.x
!
no logging trap
access-list 100 remark ########### SERIAL0/0/0 ingress ACL #############
access-list 101 remark ########### SERIAL0/0/0 egress ACL #############
access-list 102 remark ########### VLAN 21 ingress ACL #############
access-list 103 remark ########### VLAN 21 egress ACL #############
access-list 104 remark ########### VLAN 1 ingress ACL #############
access-list 105 remark ########### VLAN 1 egress ACL #############
access-list 107 remark ########### VLAN 22 ingress ACL #############
access-list 108 remark ########### VLAN 22 egress ACL #############
access-list 109 remark ########### FastEthernet0/1 ingress ACL #############
access-list 110 remark ########### FastEthernet0/1 egress ACL #############
access-list 130 remark ########### NAT ACL ###########
access-list 130 deny   ip 192.168.3.0 0.0.0.255 any
access-list 130 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 permit ip 10.20.20.0 0.0.0.255 any
access-list 130 permit ip 10.20.21.0 0.0.0.255 any
access-list 130 permit ip 10.20.22.0 0.0.0.255 any
access-list 130 deny   ip any any
access-list 150 remark ########### VPN Response ACL ###########
access-list 150 permit ip 10.20.20.0 0.0.0.255 any
!
route-map T1Serial permit 10
 match ip address 130
 match interface Serial0/0/0
!
route-map DSLFa permit 10
 match ip address 130
 match interface FastEthernet0/1
!
!
!
!
control-plane


Is there anything wrong with what you see here? (My other ACLS are trivial and seem to work well).

I still can't get the DSL connection to work at all though, but the tracking says that route is down anyway, which is why I'm going to next test the DSL modem (router? all in one?) directly with my laptop tomorrow.

Author Comment

by:JAMason1182
ID: 26095572
Nope, the DSL backup works for my laptop plugged directly into the back of the DSL modem/router. But the Cisco router still can't connect through it. Even a simple ping doesn't work

What am I doing wrong?

Expert Comment

by:harbor235
ID: 26099909

You almost had it right, only problem is/was that you have multiple matches in your policy with no actions, should have been the following;

route-map T1Serial permit 10
match ip address 130
set interface Serial0/0/0
!
route-map DSLFa permit 10
match ip address 130
set interface FastEthernet0/1

Also, I assume your servers and desktops are in unique address space; this should be reflected in your ACLs for your NAT, so you should have unique ACL #'s for server and non-server. I just did a 2 minute look and did not read all your input, let me know if that fixes your problem. Multi-homed NAT works and I have used it many times, so let me know how this goes.
 

give it a try again,

harbor235 ;}

Author Comment

by:JAMason1182
ID: 26101294
Well I'm glad to have your help.... but it didn't work and I wonder if I have an ACL issue....

First off, let's make sure I was clear about what I'm looking for. I can't have anyone using the DSL except for a backup (too many users, we'll all use the T1 under normal conditions). But, the T1 goes down about twice a year for a few days when a big rainshower hits west texas.

SO, I want to use the DSL as a backup to all traffic. BUT, I can't since we get a non-static IP for the DSL (the boss is cheap) and we need 5 static IPs for our VPN, DNS, mail server, and web server. So I have my static NATs established for the static IPs and I'm OK with those servers not having any connectivity during those rare occasions. (Well, not OK, but I have no choice)

So anyway, WHEN the T1 is down, I just want the router to switch the usual dynamic NATs to the DSL connection.

The T1 (as posted earlier when I mistakenly forgot to filter my IPs... oh well) is the following IP info:
        Serial0/0/0 - x.x.x.x, gateway x.x.x.x, with 4 other IPs static NATted to the LAN.

The DSL is a simple FastEthernet0/1 - 192.168.1.0/24 with the gateway being 192.168.1.254 since the darn cheap DSL router is an all-in-one type 2wire att modem/router.

So, if I have 3 VLANs, 10.20.20.0/24, 10.20.21.0/24, 10.20.22.0/24, and actually a new one 10.20.23.0/24, as well as a VPN subnet from the above listed pool (192.168.3.0/24), what ACL's would I have? Right now I just restrict from NATting any LAN to LAN or VPN to LAN or LAN to VPN traffic. But I've never known if I needed to add any other restrictions or opens to it.... and since this is a long post, I'll go ahead and ask about what I thought about.

1) in the route-maps, should I do a "set next hop x.x.x.x" and "set next hop 192.168.1.254" in the respective route-maps? Would that allow me to add a separate ACL that would specifically allow traffic to the gateway from LAN addresses?

2) or should I just  separate the ACLs for each route-map and add the gateway addresses for each interface in the ACLs

3) or should I use these ACLs as a restrict only type ACL, meaning I put my deny statements in to block only the LAN to LAN, LAN to VPN, or VPN to LAN traffic, but then permit all others?

Author Comment

by:JAMason1182
ID: 26101303
Oh, I'm sorry, I forgot to explicitly say, I did try the set commands, and neither route-map worked. Thus, I think I have an issue with the ACLs, hence the discussion that ensued in the last post.

Assisted Solution

by:harbor235
harbor235 earned 2000 total points
ID: 26105267


1) set interface defines the outgoing interface, so it's the same thing
2) Separate ACLs are important to logically separate the internal IP address groups, and will also aid in troubleshooting
3) The ACLs should classify the traffic flow from source to destination,

questions,

1) Are the servers and user IP address spaces unique, i.e different subnets?  
2) There is no problem performing NAT out two separate interfaces, although traffic source should be unique.

If all you want to do is use the DSL as backup when the T1 goes down, why not configure multiple default routes with a higher metric on the least preferred route?

harbor235 ;}

Author Comment

by:JAMason1182
ID: 26109646
First to answer your question:
1) Yes, the DMZ servers are on VLAN 21, so thus they have their own subnet. The desktops and the production file servers, etc. are all on VLAN 20, so they again are on their own subnet. And VLAN 23 is our voice over IP, so it doesn't need to go out at all (remote phones VPN into the network and then are placed on the VLAN23) and VLAN 22 is kind of our black-box type vlan, meaning it is for those units that don't need access to anything but the internet (wireless access points, as well as  a few black-box devices that are from third party vendors). All that to say that yes, we use different subnets for each purpose of machine.

2) I did try to have just a simple high-metric alternate default route that would be used when the T1 goes down, but it didn't work. And that's why I'm taking a look at the NAT situation because the DSL is a completely different subnet altogether (different ISP, etc.). So it was trying to NAT out the Serial device and then to NAT out using the same NAT configuration through the DSL and thus, it didn't work.


A question for you: when i do my ACLs, how do I set the destination IP if i don't know it? Meaning if I use the following (see the bold):

access-list 130 remark ########### T1 NAT ACL ###########
access-list 130 deny   ip 192.168.3.0 0.0.0.255 any
access-list 130 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.20.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.21.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 130 deny   ip 10.20.22.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 130 permit ip 10.20.20.0 0.0.0.255 x.x.x.x 0.0.0.7
access-list 130 permit ip 10.20.21.0 0.0.0.255 x.x.x.x 0.0.0.7
access-list 130 permit ip 10.20.22.0 0.0.0.255 x.x.x.x 0.0.0.7
access-list 130 deny   ip any any
access-list 131 remark ########### DSL NAT ACL ###########
access-list 131 deny   ip 192.168.3.0 0.0.0.255 any
access-list 131 deny   ip 10.20.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 131 deny   ip 10.20.20.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 131 deny   ip 10.20.20.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 131 deny   ip 10.20.20.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 131 deny   ip 10.20.21.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 131 deny   ip 10.20.21.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 131 deny   ip 10.20.21.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 131 deny   ip 10.20.21.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 131 deny   ip 10.20.22.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 131 deny   ip 10.20.22.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 131 deny   ip 10.20.22.0 0.0.0.255 10.20.21.0 0.0.0.255
access-list 131 deny   ip 10.20.22.0 0.0.0.255 10.20.22.0 0.0.0.255
access-list 131 permit ip 10.20.20.0 0.0.0.255 192.168.1.254 0.0.0.255
access-list 131 permit ip 10.20.21.0 0.0.0.255 192.168.1.254 0.0.0.255
access-list 131 permit ip 10.20.22.0 0.0.0.255 192.168.1.254 0.0.0.255
access-list 131 deny   ip any any


Will this work since the default gateway for each interface is used to check each permit statement? I don't think it will because if I want to access google, (74.125.47.147) the packets will be going from a local subnet address to 74.125.47.147... not to the gateway address.... does that make sense?

Author Comment

by:JAMason1182
ID: 26109903
OK, I had a second that I could play with it for a bit. First off, I simplified my ACLs using some different subnets so that the local LAN addresses don't take up 50 lines........

But then I did this with my ACLS:
access-list 130 remark ########### T1 NAT ACL ###########
access-list 130 deny   ip 192.168.3.0 0.0.0.255 any
access-list 130 deny   ip any 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 130 permit ip any 10.20.0.0 0.0.255.255 log
access-list 130 permit ip 10.20.0.0 0.0.255.255 any log
access-list 130 deny   ip any any log
access-list 131 remark ########### DSL NAT ACL ###########
access-list 131 deny   ip 192.168.3.0 0.0.0.255 any
access-list 131 deny   ip any 192.168.3.0 0.0.0.255
access-list 131 deny   ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.0.255
access-list 131 deny   ip 10.20.0.0 0.0.255.255 any
access-list 131 deny   ip any 10.20.0.0 0.0.255.255
access-list 131 permit ip 10.20.0.0 0.0.255.255 any log
access-list 131 permit ip any 10.20.0.0 0.0.255.255 log
access-list 131 deny   ip any any log

And then I took a look at this Cisco page and that's where I got the double match statements I had used before (and I'm now trying them again)
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

route-map T1Serial permit 10
 match ip address 130
 match interface Serial0/0/0
!
route-map DSLFa permit 10
 match ip address 131
 match interface FastEthernet0/1


And according to that Cisco page, this works because it says that if we are USING such and such interface, then use this route-map. Now here's my question.... when I am looking at the logs (I have debug ip nat running) I can see all the NAT translations, static and dynamic, in the logs. Also, since I have some logging in my ACLs, they show up in the logs as well. The ACLs 130 and 131 ARE working. They are showing the correct ACL for using the right interface, and they are also showing that local traffic is not NATted (from one VLAN to another, etc.) and so it all should be working. BUT, no go.

I CAN ping from the router to the DSL modem, but I can't get past the DSL modem, and the DSL modem says that it is connected and no errors on the DSL side. Another note, I cannot get to the modem from the local LAN anymore without plugging into the modem directly. (It won't show the web configuration pages for the modem, so I'm assuming it isn't doing any NAT at all on the FastEthernet0/1 interface, and this is backed up by the logs, despite the ACLs showing up correctly.)

Author Comment

by:JAMason1182
ID: 26116878
Christmas is a bad time to have an issue I guess.... well I'll keep piddling because i have to have this before the new year.

Accepted Solution

by:JAMason1182 (earned 0 total points)
ID: 26117042
Wow, I got it working! Or at least... as much as I can get working without getting AT&T to admit they are screwed up... anyway:

I changed my route from being the interface to being the DSL route IP address like this:
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 10
ip route 0.0.0.0 0.0.0.0 192.168.1.254 20 track 20
ip route x.x.x.x 255.255.255.255 192.168.1.254
ip route x.x.x.x 255.255.255.255 Serial0/0/0

Then I did have two matches in my route-map,
route-map FastEthernet permit 10
 match ip address 131
 match interface FastEthernet0/1
!
route-map Serial permit 10
 match ip address 130
 match interface Serial0/0/0

because the first match is the access-list matches (almost the same, but keeps the static IPs in the DMZ from trying to move to the backup) and the second matches the interface that the ROUTE has chosen.

This is the key, the routes are being tracked, so the failover part will decide the interface based on the interface IP. The static routes for the two sla monitor IPs are set to go out a particular interface which is why they are there. But regardless of which default route is set, the packets being routed will trigger the route-map based on the interface match. So really, I don't think I need the access-list since the routing via interface IP should take care of it anyway!

Thanks for your help.

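Pulling the thread's working pieces together, the following is an added example (editor's, not the poster's running config) of the complete dual-uplink NAT failover described above: one IP SLA probe per uplink pinned to its link by a host route, tracked default routes with the DSL one pointing at the 2Wire's address rather than at the interface (the change that made it work in ID 26117042), NAT ACLs that keep VPN and VLAN-to-VLAN traffic untranslated and keep the DMZ VLAN off the DSL, route-maps that pick the translation by egress interface, and an EEM applet that flushes the translation table when the T1 track flips so stale T1 translations are not reused on the DSL. It uses `match interface` in the NAT route-maps, the construct in the Cisco example the author linked and in the accepted answer; the `set interface` form tried in ID 26101303 did not work for him. Two points worth checking against the posted configs: ACL 131 as posted in ID 26109903 denies 10.20.0.0/16 to any before permitting it, so its permit lines can never match, and the DSL probes in ID 26093169 have no host route pinning them out FastEthernet0/1 until the later config adds one. Assumptions: the `ip sla monitor` syntax of the IOS 12.4 release on the page; `x.x.x.x` stands for the T1 addresses and T1 probe target the moderator scrubbed; `y.y.y.y` is a placeholder for a DSL probe target beyond the 2Wire (pinging 192.168.1.254 only proves the modem is powered, which is the trap in ID 26109903); ACL numbers, route-map names and the VLAN layout follow the thread; the existing contents of egress ACL 110 are unknown and the two lines given for it are an addition; VLAN 23 (VoIP) is intentionally in neither NAT ACL.

```cisco
! Uplink health probes: one per link, each pinned to its link by a /32 host
! route below (otherwise the probe follows the active default route).
ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x source-interface Serial0/0/0
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 3
 type echo protocol ipIcmpEcho y.y.y.y source-interface FastEthernet0/1
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 3 life forever start-time now
!
! Track objects; the delay keeps a flapping T1 from moving the default
! route (and flushing NAT state) every few seconds.
track 1 rtr 1 reachability
 delay down 15 up 30
track 3 rtr 3 reachability
 delay down 15 up 30
!
! Host routes pin the probes. The DSL default route points at the 2Wire's
! address, not at the interface: a default route out a multi-access
! Ethernet interface makes the router ARP for every Internet destination.
ip route x.x.x.x 255.255.255.255 Serial0/0/0
ip route y.y.y.y 255.255.255.255 192.168.1.254
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.254 20 track 3
!
! NAT classification. Exceptions (VPN clients, VLAN-to-VLAN) are denied
! first; a permit placed after a deny for the same source is unreachable.
! 130: what may be translated when the packet leaves via the T1.
access-list 130 remark T1 NAT ACL
access-list 130 deny   ip 192.168.3.0 0.0.0.255 any
access-list 130 deny   ip any 192.168.3.0 0.0.0.255
access-list 130 deny   ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 130 permit ip 10.20.20.0 0.0.0.255 any
access-list 130 permit ip 10.20.21.0 0.0.0.255 any
access-list 130 permit ip 10.20.22.0 0.0.0.255 any
access-list 130 deny   ip any any
! 131: what may be translated when the packet leaves via the DSL. The DMZ
! VLAN (21) is deliberately absent so its servers are never translated to
! the DSL address; VLAN 23 (VoIP) appears in neither list.
access-list 131 remark DSL NAT ACL
access-list 131 deny   ip 192.168.3.0 0.0.0.255 any
access-list 131 deny   ip any 192.168.3.0 0.0.0.255
access-list 131 deny   ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 131 permit ip 10.20.20.0 0.0.0.255 any
access-list 131 permit ip 10.20.22.0 0.0.0.255 any
access-list 131 deny   ip any any
!
! 'match interface' is evaluated against the egress interface the routing
! table chose, so the tracked default route is what moves dynamic NAT
! between the T1 and the DSL.
route-map T1Serial permit 10
 match ip address 130
 match interface Serial0/0/0
route-map DSLFa permit 10
 match ip address 131
 match interface FastEthernet0/1
!
ip nat inside source route-map T1Serial interface Serial0/0/0 overload
ip nat inside source route-map DSLFa interface FastEthernet0/1 overload
ip nat inside source static 10.20.21.48 x.x.x.x
ip nat inside source static 10.20.21.49 x.x.x.x
ip nat inside source static 10.20.21.50 x.x.x.x
ip nat inside source static 10.20.21.51 x.x.x.x
!
! Static entries are not interface-bound: with the T1 down, a DMZ server's
! packets would still be translated to its T1 public address and handed to
! the 2Wire. Refusing the T1 /29 on the DSL egress ACL (110 is already
! applied 'out' on Fa0/1; its other contents are assumed) makes that
! explicit and logged rather than silently dropped upstream. Output ACLs
! see post-NAT addresses, so the match is on the public block.
access-list 110 remark FastEthernet0/1 egress ACL
access-list 110 deny   ip x.x.x.x 0.0.0.7 any log
access-list 110 permit ip any any
!
! Flush the translation table whenever the T1 track changes state. Existing
! entries stay bound to the interface that created them, so without this,
! established desktop flows keep using T1 translations after the default
! route has moved, and again after it moves back.
event manager applet T1-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation *"
 action 1.2 syslog msg "Track 1 (T1) changed state; NAT translations cleared"
```

To verify a failover rather than trust it, watch `show track`, `show ip sla monitor statistics`, `show ip route 0.0.0.0` and `show ip nat translations` while the T1 is actually unplugged or the probe target is blackholed; shutting Serial0/0/0 proves the route withdraws but does not exercise the SLA path that a degraded-but-up line hits. `clear ip nat translation *` also drops the DMZ servers' active sessions, which in this design are lost with the T1 anyway, so the only cost is a second reset when the T1 comes back. Nothing inbound (the static NATs, the crypto map on Serial0/0/0, the VPN pool) can work over the DSL: the 2Wire is itself NATting 192.168.1.0/24, so the desktops sit behind two layers of NAT on the backup path, and that is the accepted trade-off the thread starts from.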

Author Comment

by:JAMason1182
ID: 26117070
I will reward you some points after the moderator has helped clean up my public ips listed above... I can't believe I didn't remember to filter before I pasted!

Author Comment

by:JAMason1182
ID: 26131166
Thanks WhackAMod, and thanks harbor235 as well. Points being awarded.