Problems setting up Cisco router dual ISP with NAT, and SLA

Posted on 2011-02-24
Last Modified: 2012-05-11
We currently have a Cisco 2911 router and I am trying to set it up with two ISP connections: one to Charter, the other to Restech. I would like to make Charter the primary; it is connected to GE0/2. I would like to make Restech the backup, connected to GE0/1. With the Restech line I want all NAT static routes to go over it, as it is more reliable. Everything seems to work until I try to change the default route from using the Restech gateway to using the Charter gateway. Internet continues to work internally, but none of the static NATs work; I can't access anything from outside the company, which should go over the Restech line. Once I change it back it works fine.

Any help would be great.

The change I am trying to make is:
ip route 0.0.0.0 0.0.0.0 68.117.28.1 track 101 //Charter gateway
ip route 0.0.0.0 0.0.0.0 204.15.30.225 200 track 102 //Restech Gateway

Config:

!
! Last configuration change at 08:55:28 CST Thu Feb 24 2011 by admin
! NVRAM config last updated at 08:56:09 CST Thu Feb 24 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1-dnastar
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name dnastar.com
ip name-server 204.11.129.4
ip name-server 204.11.129.5
ip name-server 192.168.1.21
ip name-server 192.168.1.52
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
login block-for 1 attempts 1 within 5
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-55830939
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-55830939
 revocation-check none
 rsakeypair TP-self-signed-55830939
!
!
crypto pki certificate chain TP-self-signed-55830939
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35353833 30393339 301E170D 31313032 32323139 33383339
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D353538 33303933
  3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 810082E9
  451BEA19 656D2180 1B5EA0BA F53A7E89 AAC1A924 FB35FA45 9D1EDD48 6CBC9080
  29C43688 DEC43843 C8BB6453 38836125 3B29D133 7C2B1BC6 7CF74741 3D306AEF
  CB455F92 CE4103C3 7BAAC1F9 3BB78F59 6B6A593D A20BA24C 2B84E8FC CECFFA41
  443B35EB 050C181A C2B0638D 2F82CCA4 F1DF282F 77E6B855 016FEA28 68330203
  010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603 551D1104
  1A301882 1672312D 646E6173 7461722E 646E6173 7461722E 636F6D30 1F060355
  1D230418 30168014 962B562F EE360FE8 70A8821F 4F891A35 A310A1A7 301D0603
  551D0E04 16041496 2B562FEE 360FE870 A8821F4F 891A35A3 10A1A730 0D06092A
  864886F7 0D010104 05000381 81005D7D 3DF5A564 5893F72F 881866FF 9F5A8159
  B476FC5C E12E0291 726A7098 6BD0A3C3 407F5A89 E5C389D8 C11FB448 F720117C
  67D5B10D 5337609E D6AF221B E303C90A EC6A1FBA D773D23B 515D6CB8 E2EFF843
  7DE63053 A2470CF1 4D1EDC71 1EEEFC0D AEA925DC EE4E75F2 2F81FA04 32437402
  63894BAA 2FF580CE 79751723 22D3
        quit
license udi pid CISCO2911/K9 sn FTX1453ALJQ
!
!
username admin privilege 15 secret !!!Removed for Security!!!
!
redundancy
!
!
!
track 101 ip sla 10 reachability
!
track 102 ip sla 20 reachability
!
class-map match-any nec-voice
 match ip precedence 3
 match ip precedence 5
 match  precedence 3
 match  precedence 5
 match access-group name VoIP-acl
class-map match-any voice
 match ip precedence 3
 match ip precedence 5
!
!
policy-map input-voice
 class nec-voice
  set ip precedence 5
policy-map nec-voice
 class nec-voice
    priority 640
 class class-default
    fair-queue
policy-map qos-voice
 class voice
    priority 240
 class class-default
    fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 1000
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
 !!!Removed for Security!!!
!
!
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA2
!
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 204.11.134.190
 set security-association lifetime seconds 28800
 set transform-set 3DES-MD5
 match address 110
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 24.240.34.7
 set security-association lifetime seconds 28800
 set transform-set 3DES-MD5
 match address 111
crypto map VPN-MAP 30 ipsec-isakmp
 set peer 144.92.100.155
 set security-association lifetime seconds 28800
 set transform-set 3DES-MD5
 match address 112
!
!
!
!
!
interface Tunnel1
 bandwidth 1000
 ip address 10.92.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
 !
!
interface GigabitEthernet0/0
 description private (inside) interface to production network
 bandwidth 10000000
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
 service-policy input input-voice
!
interface GigabitEthernet0/1
 description Restech Line
 bandwidth 10500
 ip address 204.15.30.226 255.255.255.240
 ip access-group 108 in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map VPN-MAP
 !
 service-policy output nec-voice
!
interface GigabitEthernet0/2
 description Charter Line
 ip address 68.117.28.2 255.255.255.252
 ip access-group 109 in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 !
 service-policy output nec-voice
!
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
no ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 192.168.1.12 9996
ip flow-top-talkers
 top 50
 sort-by packets
!
ip nat inside source route-map Charter interface GigabitEthernet0/2 overload
ip nat inside source route-map ResTech interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.27 204.15.30.227 route-map ResTech extendable
ip nat inside source static 192.168.1.5 204.15.30.228 route-map ResTech extendable
ip nat inside source static 192.168.1.48 204.15.30.229 route-map ResTech extendable
ip nat inside source static 192.168.1.12 204.15.30.230 route-map ResTech extendable
ip nat inside source static 192.168.1.13 204.15.30.231 route-map ResTech extendable
ip route 0.0.0.0 0.0.0.0 204.15.30.225
ip route 4.2.2.2 255.255.255.255 68.117.28.1
ip route 4.2.2.3 255.255.255.255 204.15.30.225
ip route 10.91.0.0 255.255.0.0 192.168.1.65
ip route 10.92.154.0 255.255.255.0 10.92.0.6
ip route 10.92.155.0 255.255.255.0 10.92.0.5
ip route 10.92.156.0 255.255.255.0 10.92.0.4
ip route 10.92.158.0 255.255.255.0 10.92.0.3
ip route 10.92.159.0 255.255.255.0 10.92.0.2
!
ip access-list extended VoIP-acl
 permit ip host 192.168.1.20 any
 permit ip host 192.168.1.40 any
!
ip sla 10
 icmp-echo 4.2.2.2
 threshold 1000
 frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 4.2.2.3
 threshold 1000
 frequency 5
ip sla schedule 20 life forever start-time now
no logging trap
logging 192.168.1.29
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 107 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 10.92.159.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 10.92.155.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 10.92.158.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 10.92.157.0 0.0.0.255
access-list 107 deny   ip 192.168.1.0 0.0.0.255 10.92.156.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 remark ** ACL for outside interface **
access-list 108 permit icmp any any
access-list 108 permit tcp any 204.15.30.0 0.0.0.255 established
access-list 108 permit udp any 204.15.30.0 0.0.0.255 gt 1023
access-list 108 permit tcp any host 204.15.30.227 eq ftp
access-list 108 permit tcp any host 204.15.30.227 eq ftp-data
access-list 108 permit tcp any host 204.15.30.227 eq www
access-list 108 permit tcp any host 204.15.30.227 gt 1023
access-list 108 permit tcp any host 204.15.30.228 eq www
access-list 108 permit tcp any host 204.15.30.228 eq 443
access-list 108 permit tcp any host 204.15.30.228 eq 143
access-list 108 permit tcp any host 204.15.30.228 eq pop3
access-list 108 permit tcp any host 204.15.30.228 eq smtp
access-list 108 permit tcp 64.18.0.0 0.0.255.255 host 204.15.30.228 eq smtp
access-list 108 permit tcp 216.139.234.0 0.0.0.255 host 204.15.30.228 eq smtp
access-list 108 permit tcp any host 204.15.30.229 eq 1723
access-list 108 permit tcp any host 204.15.30.229 eq 8081
access-list 108 permit tcp any host 204.15.30.229 eq 23560
access-list 108 permit tcp any host 204.15.30.230 eq www
access-list 108 permit tcp any host 204.15.30.230 eq 443
access-list 108 permit tcp any host 204.15.30.230 eq ftp-data
access-list 108 permit tcp any host 204.15.30.230 eq ftp
access-list 108 permit tcp any host 204.15.30.230 eq 8082
access-list 108 permit tcp any host 204.15.30.231 eq www
access-list 108 permit tcp 216.139.234.0 0.0.0.255 host 204.15.30.230 eq 1433
access-list 108 permit tcp 216.139.234.0 0.0.0.255 host 204.15.30.230 gt 1023
access-list 108 permit udp any host 204.15.30.226 eq non500-isakmp
access-list 108 permit udp any host 204.15.30.226 eq isakmp
access-list 108 permit udp any host 204.15.30.232 eq non500-isakmp
access-list 108 permit udp any host 204.15.30.232 eq isakmp
access-list 108 permit udp any host 63.131.6.49 eq non500-isakmp
access-list 108 permit udp any host 63.131.6.49 eq isakmp
access-list 108 permit udp any host 204.11.134.190 eq non500-isakmp
access-list 108 permit udp any host 204.11.134.190 eq isakmp
access-list 108 permit esp any any
access-list 108 permit ahp any any
access-list 108 permit gre any any
access-list 108 permit udp any any eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 128.105.37.11
access-list 108 permit udp host 128.105.37.11 eq ntp host 204.15.30.226 eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 63.247.194.250
access-list 108 permit udp host 63.247.194.250 eq ntp host 204.15.30.226 eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 128.118.25.3
access-list 108 permit udp host 128.118.25.3 eq ntp host 204.15.30.226 eq ntp
access-list 108 deny   ip any any log
access-list 108 remark Auto generated by SDM for NTP (123) 128.105.37.11
access-list 108 permit udp host 128.105.37.11 eq ntp host 68.117.28.2 eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 63.247.194.250
access-list 108 permit udp host 63.247.194.250 eq ntp host 68.117.28.2 eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 128.118.25.3
access-list 108 permit udp host 128.118.25.3 eq ntp host 68.117.28.2 eq ntp
access-list 109 remark ** ACL for Charter interface **
access-list 109 permit icmp any any
access-list 109 permit tcp any 68.117.28.0 0.0.0.255 established
access-list 109 permit udp any 68.117.28.0 0.0.0.255 gt 1023
access-list 109 permit esp any any
access-list 109 permit ahp any any
access-list 109 permit gre any any
access-list 109 permit udp any any eq ntp
access-list 109 remark Auto generated by SDM for NTP (123) 128.105.37.11
access-list 109 permit udp host 128.105.37.11 eq ntp host 68.117.28.2 eq ntp
access-list 109 remark Auto generated by SDM for NTP (123) 63.247.194.250
access-list 109 permit udp host 63.247.194.250 eq ntp host 68.117.28.2 eq ntp
access-list 109 remark Auto generated by SDM for NTP (123) 128.118.25.3
access-list 109 permit udp host 128.118.25.3 eq ntp host 68.117.28.2 eq ntp
access-list 109 deny   ip any any log
access-list 110 remark ** Traffic to encrypt to host 204.11.134.190 **
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 111 remark ** Traffic to encrypt to host 63.131.6.49 **
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 112 remark ** Traffic to encrypt to host 63.131.6.49 **
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high list 10
!
!
!
!
route-map Charter permit 10
 match ip address 107
 match interface GigabitEthernet0/2
!
route-map ResTech permit 10
 match ip address 107
 match interface GigabitEthernet0/1
!
!
snmp-server ifindex persist
!
control-plane
 !
!
banner login C
This system is owned by DNASTAR, Inc.  Unauthorized access or use is a
violation of federal law and could result in criminal prosecution.

Use of this system is monitored and recorded by personnel.  Anyone using this
system expressly consents to such monitoring and is advised that if such
monitoring reveals possible evidence of criminal activity, system personnel may
provide the evidence to law enforcement officials.

!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 128.105.37.11 prefer
ntp server 63.247.194.250
end
Question by: grassshawn

Accepted Solution by: rfc1180 (earned 500 total points)
ID: 34971641
> Everything seem to work until I try to change the default route from using the Restech gateway to using the Charter gateway

It is not going to work; the source and destinations are not the same, and you will have issues with the statefulness of TCP.

The client is connecting to 204.15.30.227.
The default route is via Charter.
Return traffic is NATed to 68.117.28.2.

Assuming a TCP 3-way handshake:

SYN to 204.15.30.227
SYN-ACK from 68.117.28.2

It will fail there.

You need to implement route-maps and Policy Based Routing.

Billy
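One way to implement the route-maps and policy-based routing the answer refers to, as an added example that is not part of the original thread: policy-route traffic from the five statically NATed inside hosts to the Restech gateway so their replies never follow the Charter default route. It reuses the inside hosts, the gateway 204.15.30.225, the interfaces and track object 102 from the posted config; the ACL name PBR-RESTECH-HOSTS and the route-map name PBR-RESTECH are assumed names chosen for this example.

```cisco
! Added example (not from the original thread): PBR so that packets from the
! hosts behind the Restech static NATs always leave via GigabitEthernet0/1,
! even while the default route points at the Charter gateway.
!
! Assumptions: inside hosts, gateway 204.15.30.225 and track 102 come from
! the posted config; the ACL and route-map names are made up here.
!
! 1. Classify traffic from the statically NATed hosts. Destinations reached
!    over the DMVPN tunnel, the crypto-map VPNs and the 10.91.0.0/16 route
!    are denied first so they keep using the normal routing table (the same
!    exclusions ACL 107 makes for the NAT route-maps).
ip access-list extended PBR-RESTECH-HOSTS
 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.92.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 10.91.0.0 0.0.255.255
 permit ip host 192.168.1.27 any
 permit ip host 192.168.1.5 any
 permit ip host 192.168.1.48 any
 permit ip host 192.168.1.12 any
 permit ip host 192.168.1.13 any
!
! 2. Send matching packets to the Restech gateway, but only while track 102
!    (IP SLA 20, whose probe target 4.2.2.3 is pinned to the Restech path by
!    a host route) is up. If the Restech line fails, the set clause is
!    skipped and the packet falls back to the routing table, so the hosts
!    keep outbound Internet access via Charter.
route-map PBR-RESTECH permit 10
 match ip address PBR-RESTECH-HOSTS
 set ip next-hop verify-availability 204.15.30.225 10 track 102
!
! 3. Apply on the inside interface. For inside-to-outside traffic the
!    routing decision (including PBR) is made before NAT, so the egress
!    interface becomes GigabitEthernet0/1 and the existing NAT route-map
!    "ResTech" (match interface GigabitEthernet0/1) translates as before.
interface GigabitEthernet0/0
 ip policy route-map PBR-RESTECH
!
! Verification: confirm the policy is bound, the track is up and packets
! are actually being policy-routed.
show ip policy
show track 102
show route-map PBR-RESTECH
```

Keep the two tracked default routes from the question in place; PBR only overrides the forwarding decision for the five hosts, everything else still follows the tracked default. `show route-map PBR-RESTECH` counts policy matches, which is the quickest way to confirm a connection to 204.15.30.227 from outside is being answered out of GigabitEthernet0/1. `debug ip policy` shows per-packet decisions but is noisy on a busy router, so use it with a restrictive ACL or only briefly.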

Author Comment

by:grassshawn
ID: 34971680
Do you have examples on how to set these up. I am using route-maps for the NAT overload statements.
Expert Comment by: rfc1180
ID: 34973590
 

Author Closing Comment

by:grassshawn
ID: 34979446
Thank you for all of your help.