denver218
Configuring Redundant Internet Circuits on a Cisco 2801 router
I have a Cisco 2801 router that is currently configured for a T1. I am adding a Comcast cable modem for redundancy. Below is my current interface information:
interface FastEthernet0/0
description LAN
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.18.10.1
ip inspect DEFAULT101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map nonat-static
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/2/0
description T1
bandwidth 1536
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
crypto ipsec df-bit clear
!
interface Serial0/2/0.1 point-to-point
ip address x.x.x.33 255.255.255.224
ip access-group 104 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 500 IETF
crypto map SDM_CMAP_1
I want to add the Comcast modem to int fa0/1. I do have a static address. What I want to do is push all port 80 and port 443 traffic out the cable modem, but if the T1 fails all traffic will go out the cable modem, and vice versa. I'm hoping someone can look at the way my interfaces are currently configured and then let me know what I have to do to make this happen. Thanks.
Hi,
You need this:
http://www.ciscoblog.com/archives/2008/08/dynamic_failove.html
Please show the whole config.
ASKER
Thanks. Here is the entire configuration:
Router1#show run
Building configuration...
Current configuration : 17074 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
logging monitor warnings
enable secret 5
!
clock timezone est -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT101 cuseeme
ip inspect name DEFAULT101 ftp
ip inspect name DEFAULT101 h323
ip inspect name DEFAULT101 icmp
ip inspect name DEFAULT101 netshow
ip inspect name DEFAULT101 rcmd
ip inspect name DEFAULT101 realaudio
ip inspect name DEFAULT101 rtsp
ip inspect name DEFAULT101 sqlnet
ip inspect name DEFAULT101 streamworks
ip inspect name DEFAULT101 tftp
ip inspect name DEFAULT101 tcp
ip inspect name DEFAULT101 udp
ip inspect name DEFAULT101 vdolive
ip tcp synwait-time 10
!
!
ip ips po max-events 100
no ip bootp server
no ip domain lookup
ip host Central2801 172.16.0.1
ip name-server x.x.x.x
ip name-server x.x.x.x
no ftp-server write-enable
!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address x.x.x.x
crypto isakmp key xxx address x.x.x.x
crypto isakmp key xxx address x.x.x.x 255.255.255.224 no-xauth
crypto isakmp key xxx address x.x.x.x 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set to_cti esp-3des esp-md5-hmac
!
crypto dynamic-map VPN3
description VPN1
set transform-set ESP-3DES-SHA1
!
crypto dynamic-map VPN2
description VPN2
set transform-set ESP-3DES-SHA
!
crypto dynamic-map VPN1
description VPN3
set transform-set ESP-3DES-SHA1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel
set peer x.x.116.97
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel tox.x.86.122
set peer x.x.12.1
set transform-set ESP-3DES-SHA2
match address 103
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel
set peer x.x.52.135
set transform-set to_cti
match address 110
crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic VPN1
!
!
!
interface Loopback10
ip address 192.168.254.1 255.255.255.0
!
interface FastEthernet0/0
description INSIDE LAN
ip address 172.16.0.1 255.255.0.0
ip helper-address 172.18.10.1
ip inspect DEFAULT101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map nonat-static
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/2/0
description Verizon T1
bandwidth 1536
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
crypto ipsec df-bit clear
!
interface Serial0/2/0.1 point-to-point
ip address x.x.x.33 255.255.255.224
ip access-group 104 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 500 IETF
crypto map SDM_CMAP_1
!
router eigrp 300
network 172.16.0.0
network 172.17.0.0
network 172.18.0.0
network 192.168.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/2/0.1
ip route 172.17.0.0 255.255.0.0 67.134.86.141
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload
ip nat inside source static 172.16.10.1 x.x.12.40
ip nat inside source static 172.16.10.2 x.x.12.41
ip nat inside source static 172.16.10.11 x.x.12.42
ip nat inside source static 172.16.0.3 x.x.12.43
ip nat inside source static 172.16.0.4 x.x.12.44
ip nat inside source static 172.16.10.5 x.x.12.45
ip nat inside source static 172.16.10.10 x.x.12.46
ip nat inside source static 172.16.10.20 x.x.12.47
ip nat inside source static 172.17.5.26 x.x.12.48
ip nat inside source static 172.16.10.6 x.x.12.49
ip nat inside source static 172.16.10.12 x.x.12.50
ip nat inside source static 172.16.10.3 x.x.12.51
ip nat inside source static 172.16.1.30 x.x.12.52
!
!
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 102 permit ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 103 permit ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 104 permit tcp any any eq 22
access-list 104 permit icmp any any
access-list 104 permit udp any host x.x.12.33 eq isakmp
access-list 104 permit esp any host x.x.12.33
access-list 104 permit esp host x.x.12.1 host x.x.12.33
access-list 104 permit ahp host x.x.12.1 host x.x.12.33
access-list 104 permit udp host x.x.12.1 host x.x.12.33 eq isakmp
access-list 104 permit udp host x.x.12.1 host x.x.12.33 eq non500-isakmp
access-list 104 permit ahp host 141.151.127.82 host x.x.12.33
access-list 104 permit esp host 141.151.127.82 host x.x.12.33
access-list 104 permit udp host 141.151.127.82 host x.x.12.33 eq isakmp
access-list 104 permit udp host 141.151.127.82 host x.x.12.33 eq non500-isakmp
access-list 104 permit esp host x.x.52.135 host x.x.12.33
access-list 104 permit ahp host x.x.52.135 host x.x.12.33
access-list 104 permit udp host x.x.52.135 host x.x.12.33 eq isakmp
access-list 104 permit udp host x.x.52.135 host x.x.12.33 eq non500-isakmp
access-list 104 permit icmp x.x.52.128 0.0.0.63 any
access-list 104 permit tcp x.x.52.128 0.0.0.63 host x.x.12.33 eq telnet
access-list 104 permit tcp x.x.52.128 0.0.0.63 x.x.12.32 0.0.0.31 eq 5631
access-list 104 permit udp x.x.52.128 0.0.0.63 x.x.12.32 0.0.0.31 eq 5632
access-list 104 permit tcp x.x.52.128 0.0.0.63 any eq 22
access-list 104 permit icmp any x.x.12.32 0.0.0.31 echo-reply
access-list 104 permit icmp any x.x.12.32 0.0.0.31 time-exceeded
access-list 104 permit icmp any x.x.12.32 0.0.0.31 unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 permit tcp any host x.x.12.46 eq 1494
access-list 104 permit tcp any host x.x.12.42 eq 1494
access-list 104 permit tcp any host x.x.12.50 eq 1494
access-list 104 permit tcp any host x.x.12.40 eq pop3
access-list 104 permit udp any host x.x.12.40 eq domain
access-list 104 permit tcp any host x.x.12.43 eq domain
access-list 104 permit tcp any host x.x.12.44 eq domain
access-list 104 permit tcp any host x.x.12.52 eq domain
access-list 104 permit tcp any host x.x.12.43 eq smtp
access-list 104 permit tcp any host x.x.12.43 eq pop3
access-list 104 permit tcp any host x.x.12.40 eq smtp
access-list 104 permit tcp any host x.x.12.40 eq www
access-list 104 permit tcp any host x.x.12.51 eq www
access-list 104 permit tcp any host x.x.12.52 eq smtp
access-list 104 permit tcp any host x.x.12.45 eq 8990
access-list 104 permit gre host x.x.173.12 host x.x.12.48
access-list 104 permit tcp host x.x.173.12 host x.x.12.48 eq 1723
access-list 104 permit icmp host x.x.173.12 host x.x.12.48
access-list 104 permit udp host x.x.173.12 host x.x.12.48 eq isakmp
access-list 104 permit esp host x.x.173.12 host x.x.12.48
access-list 104 permit ahp host x.x.173.12 host x.x.12.48
access-list 104 permit tcp any host x.x.12.45 eq 9990
access-list 104 permit tcp host x.x.174.234 host x.x.12.47 eq 5631
access-list 104 permit udp host x.x.174.234 host x.x.12.47 eq 5632
access-list 104 permit tcp host x.x.101.202 host x.x.12.47 eq 5631
access-list 104 permit udp host x.x.101.202 host x.x.12.47 eq 5632
access-list 104 permit tcp host 8.2.182.176 host x.x.12.45 eq 5632
access-list 104 deny ip any any log-input
access-list 108 permit ip 172.0.0.0 0.255.255.255 any
access-list 108 permit ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip x.x.52.128 0.0.0.63 any
access-list 110 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.252.0
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 140 deny ip 172.16.0.0 0.0.255.255 any
access-list 150 remark SDM_ACL Category=16
access-list 150 permit ip 172.16.0.0 0.0.0.255 172.18.0.0 0.0.0.255
access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any
snmp-server community kindern RO
snmp-server enable traps tty
no cdp run
route-map nonat-Pat permit 10
match ip address 151
!
route-map nonat-static permit 10
match ip address 140
set ip next-hop 192.168.254.2
!
!
!
control-plane
!
banner login ^CCC Unauthorized Access is Prohibited! ^C
!
line con 0
password 7
line aux 0
line vty 0 4
access-class 108 in
exec-timeout 0 0
privilege level 15
password 7
transport input telnet ssh
line vty 5 15
access-class 108 in
privilege level 15
password 7
transport input telnet ssh
!
ntp clock-period 17180080
ntp server 192.5.41.41
ntp server 192.5.41.209
end
Did you try my comment?
ASKER
Hi anoopkmr, I am reading over this article right now. I do have some questions about the IP SLA configuration:
Let's say my T1 interface IP address is 10.100.50.1 255.255.255.248.
Let's say my cable modem IP address is 192.168.50.1 255.255.255.248.
For the icmp-echo reply, will I have to have another public address for this? See below:
ip sla 1
icmp-echo 10.100.50.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.50.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
OK, no problem. You only need to take care that those IPs are trusted (I mean always alive and replying to ICMP).
But remember to set routes like below:
ip route 10.100.50.2 255.255.255.255 <T1 gateway IP>
ip route 192.168.50.2 255.255.255.255 <Cable gateway ip>
ASKER
Thanks, but I'm still a little confused. So I do need another public address for IP SLA? Or can I accomplish my goal without it?
No, it's not necessary. Try your ISPs' DNS servers if they respond to ICMP,
or you can add your gateway IP in the SLA.
ip sla 1
icmp-echo <ISP1 gw>
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo <ISP2 gw>
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
ASKER
I do have extra public IP addresses for each circuit, so I can use one for IP SLA. I won't be on site until later this week to configure this. I am getting my configurations ready now. I will post the configs when I'm done, and maybe you can see if they look right. Thanks.
I think you're still confused. Don't put an IP address given by the ISP for your use in the IP SLA.
I think you know the function of SLA.
The IP mentioned in the IP SLA has to be reachable via ICMP, that's it. You configure your GW IP address (I mean the default route IP).
Also don't forget to put:
ip route 10.100.50.2 255.255.255.255 <T1 gateway IP>
ip route 192.168.50.2 255.255.255.255 <Cable gateway ip>
ASKER
Ok. Last thing and I think I got it.
I'm looking at this part in the example:
route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload
I have 3 LAN-to-LAN VPNs configured on this router using the Verizon circuit IPs. I'm not looking for VPN failover or anything. As you see below, all my nonat statements for VPN are associated with this route-map that I already have configured on this router. See below:
ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload
route-map nonat-Pat permit 10
match ip address 151
access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any
Would I add "permit 10.100.50.0 0.0.0.7" to access-list 151? Would this affect VPN traffic in any way?
what is 10.100.50.0
If it is the IP mentioned in the IP SLA, then don't add it in 151.
ASKER
I'm sorry wrong addresses, My LAN network is 172.16.0.0 255.255.0.0. In the example I see the following:
access-list 10 permit 10.1.1.0 0.0.0.255
route-map ISP1 permit 10
match ip address 10
match int fa1/1
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
Since I already have a route-map for my "ip nat overload" statement, can I just add my local LAN to access-list 151? See below. I hope I'm not confusing you too much.
This is what mine looks like:
ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload
route-map nonat-Pat permit 10
match ip address 151
access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any
The above no-nat is for traffic that doesn't require NATting. If you want to get to the internet you need to do NAT.
So don't add it.
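To make the expert's two points concrete (the no-NAT ACL decides only whether a flow is translated, while the tracked default routes decide which link it leaves on), here is an added Python model that is not part of the thread or of any Cisco code. It copies access-list 151 from the posts above with the remark lines dropped and evaluates it with IOS wildcard and first-match semantics, and it assumes a failover layout of a tracked default route via Serial0/2/0.1 plus a floating default (administrative distance 250) via FastEthernet0/1; the gateway addresses, the track object name and the interpretation of the asker's proposed line as "permit ip 10.100.50.0 0.0.0.7 any" are all assumptions.

```python
"""Added example (not from the thread, not router code): model of how the 2801
in this thread classifies a LAN flow. ACL 151 is copied from the posts above
(remarks dropped); the route/track layout and gateways are assumptions."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is a wildcard bit

# (action, src, src-wildcard, dst, dst-wildcard), in the order IOS evaluates them
ACL_151 = [
    ("deny",   "172.16.0.0", "0.0.255.255", "172.18.0.0",   "0.0.255.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "172.17.0.0",   "0.0.255.255"),
    ("deny",   "172.18.0.0", "0.0.255.255", "172.17.0.0",   "0.0.255.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "10.0.0.0",     "0.0.255.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.1.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.2.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.3.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.4.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.7.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.8.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0", "0.0.255.255", "172.31.252.0", "0.0.3.255"),
    ("permit", "172.16.0.0", "0.0.255.255", *ANY),
    ("permit", "172.18.0.0", "0.0.255.255", *ANY),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# Assumed failover layout (the thread describes the idea, not these exact lines):
#   ip route 0.0.0.0 0.0.0.0 <T1 gw> track 1    -> AD 1, withdrawn while track 1 is down
#   ip route 0.0.0.0 0.0.0.0 <cable gw> 250     -> floating static, used only when the first is gone
DEFAULT_ROUTES = [
    ("Serial0/2/0.1",   1,   "track 1"),
    ("FastEthernet0/1", 250, None),
]


def egress_interface(track_state: dict) -> str:
    """Lowest administrative distance among routes whose track object is up."""
    usable = [(ad, ifc) for ifc, ad, trk in DEFAULT_ROUTES
              if trk is None or track_state.get(trk, False)]
    return min(usable)[1]


def classify_flow(src: str, dst: str, track_state: dict):
    """Return (egress interface, translated?) for one LAN flow.

    'ip nat inside source route-map ... interface X overload' fires only when
    the ACL permits the flow AND the route-map's 'match interface' equals the
    egress interface, which is why the cable link needs its own NAT statement.
    """
    egress = egress_interface(track_state)
    translated = acl_action(ACL_151, src, dst) == "permit"
    return egress, translated


def proposed_permit_changes_vpn_flows() -> bool:
    """Asker's question: does appending 'permit 10.100.50.0 0.0.0.7' (read here
    as 'permit ip 10.100.50.0 0.0.0.7 any') change how VPN flows are classified?
    The earlier deny lines still match first, so the answer is False."""
    extended = ACL_151 + [("permit", "10.100.50.0", "0.0.0.7", *ANY)]
    vpn_flows = [("172.16.5.10", "172.18.10.1"),   # site behind the 172.18 tunnel
                 ("172.16.5.10", "10.0.5.5"),      # site behind the 10.0 tunnel
                 ("172.16.5.10", "172.31.253.7")]  # inside the 172.31.252.0/22 entry
    return any(acl_action(ACL_151, s, d) != acl_action(extended, s, d)
               for s, d in vpn_flows)


if __name__ == "__main__":
    for state in ({"track 1": True}, {"track 1": False}):
        print(state, classify_flow("172.16.5.10", "203.0.113.10", state))
```

Two things the model makes visible that the config listing alone does not: a flow from a 172.17.0.0 source matches no entry at all and falls to the implicit deny, so it leaves untranslated; and when track 1 goes down the egress becomes FastEthernet0/1 while the ACL verdict is unchanged, so the translation itself only happens if a second NAT statement with "match interface FastEthernet0/1" exists, as in the example the asker quoted.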
ASKER
Thanks. The document was very useful
For all T1 traffic to converge to the cable modem, you would need to set up Link Backup.