Solved

I am setting up a Cisco 3845 ISR and we have 3 internet connections, need the best way to configure the router to automatically switch routing to next best/available connection.

Posted on 2010-01-12
Last Modified: 2012-05-08
I am setting up a Cisco 3845 (security bundle) and we have 3 internet connections (for redundancy if one of them fails): a 10 meg Ethernet, a T1 and a 1 Meg Ethernet (via satellite).

I'm trying to find the best way to configure it so that it automatically routes traffic through the next best/available connection.


We currently have 2 public subnets
164.50.24.81             255.255.255.240       14 addresses
164.50.24.198            255.255.255.248        6 addresses


ISP1            ISP2               ISP3
 10 meg        T1          1 meg satellite
       \             |              /
        \            |             /
         \           |            /
          \          |           /
           \         |          /
         ----------------------
         |   CR1  -  3845     |
         ----------------------
                     |
                     |
                     |
            Private network
Question by:CpTnCuRt
16 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 26299424
Create static default routes with a different administrative distance for each route.

ip route 0.0.0.0 0.0.0.0 <next hop address of the 10mbps link> 5
ip route 0.0.0.0 0.0.0.0 <next hop address of the T1 link> 10
ip route 0.0.0.0 0.0.0.0 <next hop address of the 1mbps link> 15

To make it fail over if the link failure is not detected, use object tracking.

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

LVL 9

Expert Comment

by:Vito_Corleone
ID: 26299472
You will likely also want load balanced NAT, which you can find here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
LVL 1

Author Comment

by:CpTnCuRt
ID: 26324931
I can now ping from the router to the outside world, but can't ping from my computer on the private side of the router. I can ping the router's private address, but nothing public.

An afterthought I have is that we have some public IP addresses. Is there a way to automatically have them available when the primary circuit goes down?
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26325171
Post your current config.
LVL 1

Author Comment

by:CpTnCuRt
ID: 26326130
IP addresses and names have been changed for privacy


sh run


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current configuration : 13329 bytes
!
! Last configuration change at 14:04:03 PCTime Wed Jan 6 2010 by admin
! NVRAM config last updated at 15:43:17 PCTime Thu Dec 31 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-*******
 revocation-check none
 rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
 certificate self-signed 01
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ***
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 172.90.1.0 255.255.255.0
   dns-server 164.105.1.129 164.105.1.130
   default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 164.50.1.129
ip name-server 164.50.1.130
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 ***********************

archive
 log config
  hidekeys
!
!
!
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any BootPS192
 match protocol udp
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
 match  file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
 match  service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
 match  service any
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
 match  service any
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
 match  file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map BootPS192
 match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
 match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
 match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
 match  file-transfer
 match  text-chat
 match  search-file-name
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
 match  search-file-name
 match  text-chat
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
 match  file-transfer
class-map type inspect http match-any sdm-http-allowparam
 match  request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
 match  file-transfer
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
class-map type inspect aol match-any sdm-app-aol
 match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect p2p sdm-action-app-p2p
 class type inspect edonkey sdm-app-edonkeychat
  log
  allow
 class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
 class type inspect fasttrack sdm-app-fasttrack
  log
  allow
 class type inspect gnutella sdm-app-gnutella
  log
  allow
 class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
 class class-default
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
 class class-default
policy-map type inspect im sdm-action-app-im
 class type inspect aol sdm-app-aol
  log
  allow
 class type inspect msnmsgr sdm-app-msn
  log
  allow
 class type inspect ymsgr sdm-app-yahoo
  log
  allow
 class type inspect aol sdm-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
 class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 172.90.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 67.109.39.71 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
description Sat_backup
 ip address 109.35.82.65 255.255.255.0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0
 description PTP T-1 to ****  CID#123412341234$FW_OUTSIDE$
 ip address 164.50.20.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended BootPS192
 remark SDM_ACL Category=128
 permit ip host 192.168.11.6 any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.64 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 109.35.82.65 0.0.0.255 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26326150
I don't see any NAT statements.
LVL 1

Author Comment

by:CpTnCuRt
ID: 26326455
I added
ip nat inside
to the inside interface and I still can't see the outside world.

sh run


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current configuration : 13329 bytes
!
! Last configuration change at 11:25:14 PCTime Wed Jan 15 2010 by admin
! NVRAM config last updated at 11:26:51 PCTime Wed Jan 15 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-*******
 revocation-check none
 rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
 certificate self-signed 01
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ******** ******** ******** ******** ******** ********
  ******** ******** ***
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 172.90.1.0 255.255.255.0
   dns-server 164.105.1.129 164.105.1.130
   default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 164.50.1.129
ip name-server 164.50.1.130
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 ***********************

archive
 log config
  hidekeys
!
!
!
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any BootPS192
 match protocol udp
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
 match  file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
 match  service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
 match  service any
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
 match  service any
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
 match  file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map BootPS192
 match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
 match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
 match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
 match  file-transfer
 match  text-chat
 match  search-file-name
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
 match  search-file-name
 match  text-chat
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
 match  file-transfer
class-map type inspect http match-any sdm-http-allowparam
 match  request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
 match  file-transfer
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
class-map type inspect aol match-any sdm-app-aol
 match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect p2p sdm-action-app-p2p
 class type inspect edonkey sdm-app-edonkeychat
  log
  allow
 class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
 class type inspect fasttrack sdm-app-fasttrack
  log
  allow
 class type inspect gnutella sdm-app-gnutella
  log
  allow
 class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
 class class-default
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
 class class-default
policy-map type inspect im sdm-action-app-im
 class type inspect aol sdm-app-aol
  log
  allow
 class type inspect msnmsgr sdm-app-msn
  log
  allow
 class type inspect ymsgr sdm-app-yahoo
  log
  allow
 class type inspect aol sdm-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
 class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 172.90.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 67.109.39.71 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
description Sat_backup
 ip address 109.35.82.65 255.255.255.0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0
 description PTP T-1 to ****  CID#123412341234$FW_OUTSIDE$
 ip address 164.50.20.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended BootPS192
 remark SDM_ACL Category=128
 permit ip host 192.168.11.6 any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.64 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 109.35.82.65 0.0.0.255 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LVL 9

Accepted Solution

by:
Vito_Corleone earned 2000 total points
ID: 26326491
That's only one of the commands you need. Please follow this guide:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

or this for basic NAT:

http://blog.alwaysthenetwork.com/?p=12
LVL 1

Author Comment

by:CpTnCuRt
ID: 26328831
This is my first shot at this tracking thing, so let me know if I have anything wrong.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here I'm assuming that you have to have a seperate track for each outside interface.
Does rtr 1 need to be that acutal route


track 123 rtr 1 reachability
 delay down 15 up 10


track 234 rtr 2 reachability
 delay down 15 up 10


track 345 rtr 3 reachability
 delay down 15 up 10


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 123
ip route 0.0.0.0 0.0.0.0 Serial0/1/0 track 234
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0 track 345



ip nat inside source route-map Primary-nat interface GigabitEthernet0/1 0/0 overload
ip nat inside source route-map T1-secondary-nat interface Serial0/1/0 overload
ip nat inside source route-map Satillite-secondary-nat interface FastEthernet0/0/0 overload



ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now




ip sla 1
 icmp-echo 106.192.226.165 source-interface GigabitEthernet0/1
 timeout 1000
 threshold 40
 frequency 3




ip sla 2
 icmp-echo 165.122.250.199 source-interface Serial0/1/0
 timeout 1000
 threshold 40
 frequency 3



ip sla 3
 icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
 timeout 1000
 threshold 40
 frequency 3



access-list 100 permit ip 172.90.1.0 0.0.0.255 any




route-map Primary-nat permit 10
 match ip address 100
 match interface GigabitEthernet0/1




route-map T1-secondary-nat permit 10
 match ip address 100
 match interface Serial0/1/0



route-map Satillite-secondary-nat permit 10
 match ip address 100
 match interface FastEthernet0/0/0

Expert Comment by: Vito_Corleone
ID: 26328844
Looks good to me at a glance. Try it out and let us know!

Author Comment by: CpTnCuRt
ID: 26353569
Well, I had to change GigabitEthernet0/1 to the IP address of the next hop for the routes.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 123

And also change the IP for the icmp-echo to the next hop for the route.
ip sla 1
 icmp-echo 106.192.226.165 source-interface GigabitEthernet0/1
 timeout 1000
 threshold 40
 frequency 3


I can now ping from the router to the real world, but I'm still not able to ping from the private address. How do I tell if it's a NAT problem or a firewall problem?

Expert Comment by: Vito_Corleone
ID: 26353579
sh ip nat trans

and give us a current "sh run"

Author Comment by: CpTnCuRt
ID: 26354901
CR1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 67.109.39.71:2   164.50.20.5:2         65.122.250.117:2   65.122.250.117:2
icmp 67.109.39.71:1   67.109.39.71:1    67.109.39.65:1    67.109.39.65:1
icmp 67.109.39.71:3   67.109.39.71:3    109.35.82.1:3      109.35.82.1:3
udp 67.109.39.71:49227 67.109.39.71:49227 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:49551 67.109.39.71:49551 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:49701 67.109.39.71:49701 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:50050 67.109.39.71:50050 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:50835 67.109.39.71:50835 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:51309 67.109.39.71:51309 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:51514 67.109.39.71:51514 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:52741 67.109.39.71:52741 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:53024 67.109.39.71:53024 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:53865 67.109.39.71:53865 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:55017 67.109.39.71:55017 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:56057 67.109.39.71:56057 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:56106 67.109.39.71:56106 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:56130 67.109.39.71:56130 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:57838 67.109.39.71:57838 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:59892 67.109.39.71:59892 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:61656 67.109.39.71:61656 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:61778 67.109.39.71:61778 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:61887 67.109.39.71:61887 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:62056 67.109.39.71:62056 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:62147 67.109.39.71:62147 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:62978 67.109.39.71:62978 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:63717 67.109.39.71:63717 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:63758 67.109.39.71:63758 209.40.64.1:53   209.40.64.1:53
udp 67.109.39.71:65035 67.109.39.71:65035 209.40.64.1:53   209.40.64.1:53
icmp 67.109.39.71:768  172.90.1.51:768     8.8.8.8:768      8.8.8.8:768







Building configuration...


Current configuration : 14583 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 **********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-*******
 revocation-check none
 rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 172.90.1.0 255.255.255.0
   dns-server 164.50.1.129 164.50.1.130
   default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 209.40.64.1
ip name-server 208.77.177.3
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root privilege 15 secret 5 *********************************
!
!
archive
 log config
  hidekeys
!
!
!
track 123 rtr 1 reachability
 delay down 15 up 10
!
track 234 rtr 2 reachability
 delay down 15 up 10
!
track 345 rtr 3 reachability
 delay down 15 up 10
!
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any BootPS192
 match protocol udp
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
 match  file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
 match  service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
 match  service any
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
 match  service any
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
 match  file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map BootPS192
 match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
 match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
 match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
 match  file-transfer
 match  text-chat
 match  search-file-name
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
 match  search-file-name
 match  text-chat
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
 match  file-transfer
class-map type inspect http match-any sdm-http-allowparam
 match  request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
 match  file-transfer
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
class-map type inspect aol match-any sdm-app-aol
 match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect p2p sdm-action-app-p2p
 class type inspect edonkey sdm-app-edonkeychat
  log
  allow
 class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
 class type inspect fasttrack sdm-app-fasttrack
  log
  allow
 class type inspect gnutella sdm-app-gnutella
  log
  allow
 class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
 class class-default
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
 class class-default
policy-map type inspect im sdm-action-app-im
 class type inspect aol sdm-app-aol
  log
  allow
 class type inspect msnmsgr sdm-app-msn
  log
  allow
 class type inspect ymsgr sdm-app-yahoo
  log
  allow
 class type inspect aol sdm-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
 class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 172.90.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 67.109.39.71 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 ip address 109.35.82.65 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0
 description PTP T-1 to **** CID#123412341234$FW_OUTSIDE$
 ip address 164.50.20.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 track 123
ip route 0.0.0.0 0.0.0.0 164.50.20.4 10 track 234
ip route 0.0.0.0 0.0.0.0 109.35.82.2 20 track 345
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map Primary-nat interface GigabitEthernet0/1 overload
ip nat inside source route-map Satillite-secondary-nat interface FastEthernet0/0/0 overload
ip nat inside source route-map T1-secondary-nat interface Serial0/1/0 overload
!
ip access-list extended BootPS192
 remark SDM_ACL Category=128
 permit ip host 192.168.11.6 any
!
ip sla 1
 icmp-echo 67.219.239.65 source-interface GigabitEthernet0/1
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 164.50.20.4 source-interface Serial0/1/0
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 3 life forever start-time now
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
access-list 100 permit ip 172.90.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map Primary-nat permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map Satillite-secondary-nat permit 10
 match ip address 100
 match interface FastEthernet0/0/0
!
route-map T1-secondary-nat permit 10
 match ip address 100
 match interface Serial0/1/0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Expert Comment by: Vito_Corleone
ID: 26355127
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
access-list 100 permit ip 172.90.1.0 0.0.0.255 any

Cut that ACL down to just:

access-list 100 permit ip 172.90.0.0 0.0.255.255 any

You're NATing all over the place right now. That one line will cover your LAN.
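The tracking draft earlier in the thread and the ACL advice here both come down to cross-references inside one IOS config: every `ip route ... track N` must point at a defined track, that track at an `ip sla` that exists and is scheduled, each NAT route-map at an ACL that exists, and that ACL should match only the LAN. The Python audit below is an added example, not code from the thread or from Cisco; it checks those links over a constructed fragment modelled on the posted draft and "sh run", where the undefined ACL 110 and the missing `ip sla schedule 3` are constructed defects so the audit has something to report, and `CONFIG`, `parse` and `audit` are its own names.

```python
import ipaddress
import re

# Constructed IOS fragment modelled on the draft and "sh run" posted in this thread; the
# missing "ip sla schedule 3" and the dangling "match ip address 110" are constructed defects.
CONFIG = """\
track 123 rtr 1 reachability
track 345 rtr 3 reachability
ip route 0.0.0.0 0.0.0.0 67.109.39.65 track 123
ip route 0.0.0.0 0.0.0.0 109.35.82.2 20 track 345
ip sla 1
 icmp-echo 67.219.239.65 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
ip sla 3
 icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
route-map Primary-nat permit 10
 match ip address 100
route-map Satillite-secondary-nat permit 10
 match ip address 110
"""

def parse(config):
    """Index the objects the failover chain and the NAT policy are built from."""
    cfg = {"track": {}, "routes": [], "sla": {}, "sched": set(), "rmap_acl": {}, "acl": {}}
    ctx = None  # number of the "ip sla N" or name of the "route-map X" block we are inside
    for line in config.splitlines():
        if m := re.match(r"track (\d+) rtr (\d+)", line):
            cfg["track"][int(m[1])] = int(m[2])
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: \d+)? track (\d+)", line):
            cfg["routes"].append((m[1], int(m[2])))
        elif m := re.match(r"ip sla schedule (\d+)", line):
            cfg["sched"].add(int(m[1]))
        elif m := re.match(r"ip sla (\d+)$", line):
            ctx = int(m[1])
        elif m := re.match(r"route-map (\S+) permit", line):
            ctx = m[1]
        elif m := re.match(r" icmp-echo (\S+)", line):
            cfg["sla"][ctx] = m[1]  # probe target of the enclosing ip sla
        elif m := re.match(r" match ip address (\d+)", line):
            cfg["rmap_acl"][ctx] = int(m[1])  # ACL the enclosing route-map matches on
        elif m := re.match(r"access-list (\d+) permit ip (?:host (\S+)|(\S+) (\S+)) any", line):
            # ipaddress accepts the IOS wildcard as a hostmask; "host" lines become /32
            net = f"{m[2]}/32" if m[2] else f"{m[3]}/{m[4]}"
            cfg["acl"].setdefault(int(m[1]), []).append(ipaddress.ip_network(net, strict=False))
    return cfg

def audit(cfg, lan=ipaddress.ip_network("172.90.0.0/16")):
    """Return findings: broken track -> SLA chains, dangling ACLs, NAT of non-LAN sources."""
    findings = []
    for hop, tid in cfg["routes"]:
        sla = cfg["track"].get(tid)
        if sla is None:
            findings.append(f"route via {hop}: track {tid} is not defined")
        elif sla not in cfg["sla"]:
            findings.append(f"track {tid}: ip sla {sla} has no icmp-echo probe")
        elif sla not in cfg["sched"]:
            findings.append(f"ip sla {sla} is never scheduled, so track {tid} stays down")
    for rm, acl in cfg["rmap_acl"].items():
        if acl not in cfg["acl"]:
            findings.append(f"route-map {rm}: access-list {acl} is not defined")
    for acl, nets in cfg["acl"].items():
        for net in nets:
            if not net.subnet_of(lan):  # the expert's point: NAT only the LAN prefix
                findings.append(f"access-list {acl} NATs {net}, outside the LAN {lan}")
    return findings
```

Run `audit(parse(CONFIG))` to get the five findings for the constructed fragment; feed it the text of a real "sh run" to check your own chain before cutting the ACL down.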

Author Comment by: CpTnCuRt
ID: 26381897
Thanks for the help

Author Comment by: CpTnCuRt
ID: 26487177
Now for the next problem.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_25108850.html

Adding static NAT translation and overload at the same time.