Cisco 1760 Dual WAN Routing

Hello Experts

I am trying to set up a Cisco 1760 router with an IOS of c1700-sy7-mz.123-5.bin which has the "IP" Feature Set.

The router itself has three interfaces, FastEthernet0/1 , Ethernet0/0 and Ethernet0/1

The aim is to have this router as the default gateway for my internal LAN clients, 192.168.10.0 : 255.255.255.0, hanging off FastEthernet0/0.

The clients need to be routed depending on the IP address that they are trying to reach.
I have a list of target IP addresses that need to go down Ethernet0/0; everything else needs to go down Ethernet1/0 to another Cisco 1760.

The problem is both interfaces need to be NATted. In my current setup the router will only allow traffic down one interface even though I have both interfaces configured.

I have static routes for all possible traffic pointing at the next hop IP address, but again traffic won't traverse down the default interface Ethernet0/1.

Any ideas?

Here is my code:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname defaultrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered

!

clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
!
!
interface Ethernet0/0
 description WAN$ETH-LAN$
 ip address 192.168.40.1 255.255.255.252
 ip nat outside
 full-duplex
!
interface FastEthernet0/0
 description LAN$ETH-LAN$
 ip address 192.168.10.250 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Ethernet1/0
 description INET$ETH-LAN$
 ip address 192.168.20.1 255.255.255.252
 ip nat outside
 full-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source list 2 interface Ethernet1/0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.2 permanent
ip route 10.0.0.0 255.0.0.0 192.168.40.2 permanent
*** various other routes here****

ip http server
ip http authentication local
!
!
no logging trap
access-list 1 remark WAN
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark INET
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password *************
 login local
 transport input telnet
!
ntp clock-period 17208134
ntp server 194.35.252.7 prefer
!
end
garyraifeAsked:

GJHopkinsCommented:
I'd try to match the traffic on the NAT list by source and destination:


ip nat inside source list 102 interface Ethernet0/0 overload
ip nat inside source list 101 interface Ethernet1/0 overload

access-list 101 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255

That way NAT will only match one list and not both.

0
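Added example (not part of the original thread): a small Python model of first-match ACL evaluation, showing that standard lists 1 and 2 from the question both permit every LAN flow, while extended lists 101 and 102 from the answer above permit disjoint sets. The sample flows and all function names are constructed for illustration, and the model covers only ACL matching, not how IOS itself selects a NAT rule.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    # Cisco wildcard mask: 1 bits are "don't care", 0 bits must match
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.10.0", "0.0.0.255")
NET10 = ("10.0.0.0", "0.255.255.255")

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if wild_match(src, *s) and wild_match(dst, *d):
            return action == "permit"
    return False

# Standard ACLs from the question match on source only (destination = any)
ACL_1 = [("permit", LAN, ANY)]
ACL_2 = [("permit", LAN, ANY)]
# Extended ACLs from the answer match on source and destination
ACL_101 = [("deny", LAN, NET10), ("permit", LAN, ANY)]
ACL_102 = [("permit", LAN, NET10)]

ORIGINAL = [("Ethernet0/0", ACL_1), ("Ethernet1/0", ACL_2)]
PROPOSED = [("Ethernet0/0", ACL_102), ("Ethernet1/0", ACL_101)]

def nat_matches(rules, src, dst):
    """Outside interfaces whose NAT match list permits this flow."""
    return [iface for iface, acl in rules if acl_permits(acl, src, dst)]

# Constructed sample flows: one to the 10.0.0.0/8 side, one to the internet
FLOWS = [("192.168.10.25", "10.1.2.3"), ("192.168.10.25", "8.8.8.8")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for src, dst in FLOWS:
            hits = nat_matches(rules, src, dst)
            note = "AMBIGUOUS" if len(hits) > 1 else "ok"
            print(f"{name:9} {src} -> {dst:10} {hits} {note}")
```

A flow that returns more than one interface is one where the NAT statements overlap, which is the condition the answer is trying to eliminate.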
garyraifeAuthor Commented:
Tried that, no luck!

Do you still need the static routes, I take it?
0
GJHopkinsCommented:
Yes, the routes will still be needed - I assume you removed the lines

ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source list 2 interface Ethernet1/0 overload

0

GJHopkinsCommented:
OK, try the following.

Remove the previous ip nat statement and use

ip nat inside source route-map MAP-102 interface Ethernet0/0 overload
ip nat inside source route-map MAP-101 interface Ethernet1/0 overload

route-map MAP-102 permit 10
 match address 102

route-map MAP-101 permit 10
 match address 101

It appears that the ACL creates simple translation slots whilst the route map creates extended slots. Once a simple slot is created it will be used for all traffic, preventing the second interface from being used.

This can be seen with a show ip nat translations.

See Cisco notes here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
0
garyraifeAuthor Commented:
I just updated the existing rules to what you specified, here's the current config:

Building configuration...

Current configuration : 4505 bytes
!
! Last configuration change at 11:28:23 PCTime Tue Apr 27 2010 by admin
! NVRAM config last updated at 11:25:07 PCTime Tue Apr 27 2010 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname defaultrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 **************************************
enable password *******************************
!
username admin privilege 15 password 0 *******************************
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
!
!
interface Ethernet0/0
 description N3$ETH-LAN$
 ip address 192.168.40.1 255.255.255.252
 ip nat outside
 full-duplex
!
interface FastEthernet0/0
 description LAN$ETH-LAN$
 ip address 192.168.10.250 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Ethernet1/0
 description WAN$ETH-LAN$
 ip address 192.168.20.1 255.255.255.252
 ip nat outside
 full-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source list 2 interface Ethernet1/0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.2 permanent
ip route 10.0.0.0 255.0.0.0 192.168.40.2 permanent

ip http server
ip http authentication local
!
!
no logging trap
access-list 1 remark N3
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.252
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 remark WAN
access-list 2 remark SDM_ACL Category=2
access-list 2 deny   10.0.0.0 0.255.255.255
access-list 2 deny   192.168.10.0 0.0.0.255
access-list 2 deny   192.168.40.0 0.0.0.252
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.30.0 0.0.0.252
access-list 2 permit 192.168.20.0 0.0.0.252
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password ****************************
 login local
 transport input telnet
!
ntp clock-period 17208134
ntp server 194.35.252.7 prefer
!
end

0
garyraifeAuthor Commented:
I'll give that a try
0
GJHopkinsCommented:
The changes you will need are

no access-list 1
no access-list 2
no ip nat inside source list 1 interface Ethernet0/0 overload
no ip nat inside source list 2 interface Ethernet1/0 overload

access-list 101 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
ip nat inside source route-map MAP-102 interface Ethernet0/0 overload
ip nat inside source route-map MAP-101 interface Ethernet1/0 overload

route-map MAP-102 permit 10
 match address 102

route-map MAP-101 permit 10
 match address 101
0

garyraifeAuthor Commented:
Tried that and it still puts all traffic down the wrong link.
This is confirmed by the show ip nat translations for address 8.8.8

Goes down the wrong NAT. Weird thing is, if you traceroute on the router itself, it gets there fine!
0
GJHopkinsCommented:
Can you post the ip nat translation table from the router - or part of it showing NAT to internet and NAT to network 10.0.0.0 please
0
garyraifeAuthor Commented:
Awesome

Works fine now, funny the details of Cisco router programming.

Thanks for all your help!
0
GJHopkinsCommented:
No problems, I learned something on that one which is always good :-)


0