
IP SLA tracking not working possible NAT issue?

myriadsupply asked on
Routers
Traffic does not flow via F0/0/0 when G0/0 is down. Does anyone see an issue with this config:


ip source-route
!
!
ip cef
!
!
!
ip inspect name inspect-list ftp timeout 3600
ip inspect name inspect-list http timeout 3600
ip inspect name inspect-list icabrowser timeout 3600
ip inspect name inspect-list pop3 timeout 3600
ip inspect name inspect-list realaudio timeout 3600
ip inspect name inspect-list smtp timeout 3600
ip inspect name inspect-list sqlnet timeout 3600
ip inspect name inspect-list tcp timeout 3600
ip inspect name inspect-list tftp timeout 30
ip inspect name inspect-list udp timeout 15
ip inspect name inspect-list icmp
no ip domain lookup
ip domain name ighl.local
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
key chain ighleigrp
 key 1
  key-string 7 1210021F1E0E0503383B
  accept-lifetime local 00:00:00 Jul 20 2010 infinite
  send-lifetime local 00:00:00 Jul 20 2010 infinite
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
ip tftp source-interface GigabitEthernet0/1
!
track 1 ip sla 1 reachability
 delay down 20 up 120
!
interface GigabitEthernet0/0
 ip address 64.61.25.2 255.255.255.224
 ip access-group outside-in in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 10
 no cdp enable
 crypto map vpn-peers
!
interface GigabitEthernet0/1
 ip address 10.1.0.2 255.255.0.0
 ip access-group inside-out in
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ighleigrp
 ip inspect inspect-list in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 ip address 75.99.67.70 255.255.255.248
 ip access-group outside-in2 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn-peers2
!
!
router eigrp 100
 network 10.0.0.0
 eigrp router-id 10.1.0.2
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source list 111 interface FastEthernet0/0/0 overload
ip nat inside source static 10.1.0.20 64.61.25.4 extendable
ip nat inside source static 10.1.0.96 64.61.25.6 extendable
ip nat inside source static 10.1.0.91 64.61.25.7 extendable
ip nat inside source static 10.2.0.15 64.61.25.8 extendable
ip nat inside source static 10.1.0.12 64.61.25.9 extendable
ip nat inside source static 10.1.0.21 64.61.25.16 extendable
ip nat inside source static 10.3.0.25 64.61.25.25 extendable
ip nat inside source static 10.1.0.19 64.61.25.29 extendable
ip nat inside source static 10.1.0.18 64.61.25.30 extendable
ip route 0.0.0.0 0.0.0.0 64.61.25.1 track 1
ip route 0.0.0.0 0.0.0.0 75.99.67.65 100
ip route 4.2.2.1 255.255.255.255 75.99.67.65
ip route 10.2.0.0 255.255.0.0 10.1.0.1
ip route 10.4.0.0 255.255.0.0 10.1.0.1
ip route 10.9.0.0 255.255.0.0 10.1.0.1
ip route 69.43.160.149 255.255.255.255 64.61.25.1 permanent
!
ip access-list extended inside-out
 permit eigrp any any
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended outside-in
 remark ANTI-SPOOFING LINES
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Site to Site VPN
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 remark Client Services
 permit tcp any any established
 permit udp any any eq ntp
 permit udp any any eq domain
 remark Server Services
 permit tcp any host 64.61.25.7 eq 1494
 permit tcp any host 64.61.25.16 eq www
 permit tcp any host 64.61.25.16 eq 443
 permit tcp any host 64.61.25.25 eq www
 permit tcp any host 64.61.25.25 eq 3389
 permit tcp 64.18.0.0 0.0.15.255 host 64.61.25.4 eq smtp
 permit gre any host 64.61.25.9
 permit tcp any host 64.61.25.9 eq 1723
 permit tcp any host 64.61.25.29 eq 3389
 permit tcp any host 64.61.25.30 eq 3389
 permit tcp any host 64.61.25.6 eq 3389
 permit tcp any host 64.61.25.8 eq 3389
 remark Management
 permit icmp any host 64.61.25.2
 permit tcp any host 64.61.25.2 eq 22
 remark IMPLICIT DENY WITH LOG NEXT
 deny   ip any any log
ip access-list extended outside-in2
 remark ANTI-SPOOFING LINES
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Site to Site VPN
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 remark Client Services
 permit tcp any any established
 permit udp any any eq ntp
 permit udp any any eq domain
 remark Management
 permit icmp any host 75.99.67.70
 permit tcp any host 75.99.67.70 eq 22
 remark IMPLICIT DENY WITH LOG NEXT
 deny   ip any any log
!
ip sla 1
 icmp-echo 69.43.160.149 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
access-list 101 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.2.0.0 0.0.255.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 10.3.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.255.255.255 10.4.0.0 0.0.255.255
access-list 106 permit ip 10.0.0.0 0.255.255.255 10.6.0.0 0.0.255.255
access-list 109 permit ip 10.0.0.0 0.255.255.255 10.9.0.0 0.0.255.255
access-list 111 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
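
Added example, not part of the original post or its locked answer: with two `ip nat outside` interfaces, a list-based overload rule is selected by its ACL alone, and ACLs 101 and 111 above match the same traffic, so one way to make NAT follow the tracked default route is to bind each rule to its egress interface with a route-map. The route-map names `NAT-ISP1` and `NAT-ISP2` are hypothetical; the interfaces and ACL numbers are taken from the posted config, and that this is the cause of the failure is an assumption.

```cisco
! Added example (not from the original post). Route-map names are hypothetical.
!
! Each route-map matches the existing NAT ACL AND the interface the
! routing table has chosen for the packet, so only the rule for the
! currently active uplink can create a translation.
route-map NAT-ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0
!
route-map NAT-ISP2 permit 10
 match ip address 111
 match interface FastEthernet0/0/0
!
! Replace the list-based overload rules from the posted config.
no ip nat inside source list 101 interface GigabitEthernet0/0 overload
no ip nat inside source list 111 interface FastEthernet0/0/0 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/0/0 overload
!
! Exec-mode checks after pulling GigabitEthernet0/0:
!   show track 1                 (tracked object should report Down)
!   show ip route 0.0.0.0        (default route should point to 75.99.67.65)
!   show ip nat translations     (inside global should be 75.99.67.70)
!
! Dynamic translations created before the failover stay in the table
! until they time out; to remove them immediately:
!   clear ip nat translation *
```

The `ip nat inside source static` entries are not tied to an egress interface, so the hosts mapped to 64.61.25.x addresses keep those translations even when traffic leaves via FastEthernet0/0/0.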