Dual WAN on Cisco 1841
I currently have a Cisco 1841 with the two embedded NIC's, one is for inside and the other is for the outside. The outside has five staic IP's and we have some one to one NAT's and ports mapped to inside devices. We need to add a second WAN for redundancy, the new connection will have static IP's as well. We want normal web brousing and VPN traffic to use the second WAN connection and if it goes offline all the traffic should use the original WAN. Also the original WAN will be used primarily for server traffic (i.e. smtp, web.....).
When I added the new HWIC and configured it for the backup ISP, I was able to browse the internet but all traffic stopped flowing for the original WAN, no smtp or other traffic at all.
What am I doing wrong, is there a way to have primary web going through my second WAN and if it goes offline all traffic failover to the primary WAN? Also can both WAN connections have NAT'ing to inside devices, even NAT'ing of the same port number like 25?
When I added the new HWIC and configured it for the backup ISP, I was able to browse the internet but all traffic stopped flowing for the original WAN, no smtp or other traffic at all.
What am I doing wrong, is there a way to have primary web going through my second WAN and if it goes offline all traffic failover to the primary WAN? Also can both WAN connections have NAT'ing to inside devices, even NAT'ing of the same port number like 25?
wingatesl
It is quite doable. Please post your config (after masking your external IP info). Typically you will create a route map for each outside connection and use this on your nat overlaod statements. For dual inbound access you will put 2 ip addresses on the target servers and use a route map to handle the return traffic. For failover you will use a SLA and track statements to manage your routing table.
ASKER
Thanks for the reply wingatesl, her is the config, note that FA0/0/0 will be the new internet connection.
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUm
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
5E543557 C0619FA9 DB3D7B9C 07
quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfU
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaR
!
crypto isakmp client configuration group remoteteam
key 6 256axxess
dns 192.168.250.220
wins 192.168.250.220
domain kinter.local
pool ssl
acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
set transform-set 3DES
reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer VPN-a
set transform-set esp-aes-sha
match address 160
crypto map vpn 20 ipsec-isakmp
set peer VPN-b
set transform-set esp-aes-sha
match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-S
ip address 192.168.250.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address A.A.A.234 255.255.255.248
ip flow ingress
ip flow egress
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
speed auto
full-duplex
crypto map vpn
!
interface FastEthernet0/0/0
description Comcast WAN
ip address B.B.B.B
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
shutdown
speed auto
full-duplex
crypto map vpn
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
cache entries 2046
cache timeout inactive 200
cache timeout active 45
export destination 192.168.250.253 2020
enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
permit tcp any host A.A.A.236 eq 443
permit tcp any host A.A.A.236 eq 22
permit tcp any host A.A.A.236 eq 4000
permit tcp any host A.A.A.236 eq 44000
permit tcp any host A.A.A.236 eq 5566
permit udp any host A.A.A.236 eq 5567
permit udp host A.A.A.236 any range 5004 5069
permit udp host A.A.A.236 any range 6004 6604
permit udp host A.A.A.236 any eq tftp
permit tcp host A.A.A.236 any range 6800 6802
permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny ip A.A.A.232 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
match ip address 102
!
route-map mitel_NAT permit 10
match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
--------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
--------------------------
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUm
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
5E543557 C0619FA9 DB3D7B9C 07
quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfU
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaR
!
crypto isakmp client configuration group remoteteam
key 6 256axxess
dns 192.168.250.220
wins 192.168.250.220
domain kinter.local
pool ssl
acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
set transform-set 3DES
reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer VPN-a
set transform-set esp-aes-sha
match address 160
crypto map vpn 20 ipsec-isakmp
set peer VPN-b
set transform-set esp-aes-sha
match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-S
ip address 192.168.250.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address A.A.A.234 255.255.255.248
ip flow ingress
ip flow egress
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
speed auto
full-duplex
crypto map vpn
!
interface FastEthernet0/0/0
description Comcast WAN
ip address B.B.B.B
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
shutdown
speed auto
full-duplex
crypto map vpn
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
cache entries 2046
cache timeout inactive 200
cache timeout active 45
export destination 192.168.250.253 2020
enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
permit tcp any host A.A.A.236 eq 443
permit tcp any host A.A.A.236 eq 22
permit tcp any host A.A.A.236 eq 4000
permit tcp any host A.A.A.236 eq 44000
permit tcp any host A.A.A.236 eq 5566
permit udp any host A.A.A.236 eq 5567
permit udp host A.A.A.236 any range 5004 5069
permit udp host A.A.A.236 any range 6004 6604
permit udp host A.A.A.236 any eq tftp
permit tcp host A.A.A.236 any range 6800 6802
permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny ip A.A.A.232 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
match ip address 102
!
route-map mitel_NAT permit 10
match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
--------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
--------------------------
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
Lets start with simple failover. Once that is done, we will work on the redundant inbound connections.
This is what you will need to change in your existing config;
! Create the route-maps for the nat overload statements
Route-Map ISP1 permit 10
match ip address 102
match interface FastEthernet0/1
Route-Map ISP2 permit 10
match ip address 102
match interface FastEthernet0/0/0
! delete your old overload statement and add new using the route-maps. Notice the routemap relation to the interface
no ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload
! Create a sla to track the reachability of a public ip address
ip sla 1
icmp-echo 4.2.2.2
timeout 500
threshold 2
frequency 3
ip sla schedule 1 life forever start now
! track the sla reachability status
track 1 ip sla reach
! remove your current default route and replace it with a permanent route to your tracked object, and then a route
! to your primary ISP that uses your track statement. Add a route for the second ISP with a higher metric.
no ip route 0.0.0.0
ip route 4.2.2.2 255.255.255.255 <ISP1 Gateway> permanent
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 1
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10
In the event the first ISP does not allow the sla to return ok, the router will remove the traced route and the secondary will take over.
This is what you will need to change in your existing config;
! Create the route-maps for the nat overload statements
Route-Map ISP1 permit 10
match ip address 102
match interface FastEthernet0/1
Route-Map ISP2 permit 10
match ip address 102
match interface FastEthernet0/0/0
! delete your old overload statement and add new using the route-maps. Notice the routemap relation to the interface
no ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload
! Create a sla to track the reachability of a public ip address
ip sla 1
icmp-echo 4.2.2.2
timeout 500
threshold 2
frequency 3
ip sla schedule 1 life forever start now
! track the sla reachability status
track 1 ip sla reach
! remove your current default route and replace it with a permanent route to your tracked object, and then a route
! to your primary ISP that uses your track statement. Add a route for the second ISP with a higher metric.
no ip route 0.0.0.0
ip route 4.2.2.2 255.255.255.255 <ISP1 Gateway> permanent
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 1
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10
In the event the first ISP does not allow the sla to return ok, the router will remove the traced route and the secondary will take over.
ASKER
So ISP1 would the Internet that I want to be primary, correct?
ASKER
Sorry for the late response, I did as you suggested and I was able to have the traffice use my preffered ISP2 and once I unplugged the connection to that ISP2 the IPS1 kicked in within about 2 minutes. Not sure if thats normal or not.
However when I did that all of my NAT'ed traffic from ISP1 stopped as well as teh VPN tunnels, that is the original WAN connection and NAT'ed IP's on FA0/1. So I removed all of the added statements to take the router back to original config.
Is there something that I overlooked, should my NAT'ing have stopped?
However when I did that all of my NAT'ed traffic from ISP1 stopped as well as teh VPN tunnels, that is the original WAN connection and NAT'ed IP's on FA0/1. So I removed all of the added statements to take the router back to original config.
Is there something that I overlooked, should my NAT'ing have stopped?
The natting should have stopped. We wanted to start with simple failover. In order to failover the inbound NAT, you will need to add a secondary IP address to the internal servers, then you will create a nat statement for each new IP to the secondary ISP. We will then create a route-map to "push" traffic from the secondary IP to the new internet connection. For the VPN that is going to be a lot more work, and should be the subject of another post. Is it a router at the other end, and do they have two connections as well?
Please set the secondary addresses on your natted servers and write back what they are and I will help you build the nat statements and route-map.
Please set the secondary addresses on your natted servers and write back what they are and I will help you build the nat statements and route-map.
ASKER
hi wingatsel,
sorry for not getting back sooner, I had an accident thats kept me incapacitated for a while.
my sbs server is 192.168.250.220 the secondary ip will be 192.168.250.111
terminal serv is 192.168.250.253 the secondary ip will be 192.168.250.153
NVR is 192.168.250.213 the secondary ip will be 192.168.250.113
I am not sure how to handle the phone system, we have remote IP phones, the system does not support alternate IP addresses
sorry for not getting back sooner, I had an accident thats kept me incapacitated for a while.
my sbs server is 192.168.250.220 the secondary ip will be 192.168.250.111
terminal serv is 192.168.250.253 the secondary ip will be 192.168.250.153
NVR is 192.168.250.213 the secondary ip will be 192.168.250.113
I am not sure how to handle the phone system, we have remote IP phones, the system does not support alternate IP addresses
Can you post a current sanitized config please.
ASKER
The current config is the same as the original posted.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUm
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
5E543557 C0619FA9 DB3D7B9C 07
quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfU
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaR
!
crypto isakmp client configuration group remoteteam
key 6 256axxess
dns 192.168.250.220
wins 192.168.250.220
domain kinter.local
pool ssl
acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
set transform-set 3DES
reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer VPN-a
set transform-set esp-aes-sha
match address 160
crypto map vpn 20 ipsec-isakmp
set peer VPN-b
set transform-set esp-aes-sha
match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-S
ip address 192.168.250.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address A.A.A.234 255.255.255.248
ip flow ingress
ip flow egress
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
speed auto
full-duplex
crypto map vpn
!
interface FastEthernet0/0/0
description Comcast WAN
ip address B.B.B.B
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
shutdown
speed auto
full-duplex
crypto map vpn
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
cache entries 2046
cache timeout inactive 200
cache timeout active 45
export destination 192.168.250.253 2020
enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
permit tcp any host A.A.A.236 eq 443
permit tcp any host A.A.A.236 eq 22
permit tcp any host A.A.A.236 eq 4000
permit tcp any host A.A.A.236 eq 44000
permit tcp any host A.A.A.236 eq 5566
permit udp any host A.A.A.236 eq 5567
permit udp host A.A.A.236 any range 5004 5069
permit udp host A.A.A.236 any range 6004 6604
permit udp host A.A.A.236 any eq tftp
permit tcp host A.A.A.236 any range 6800 6802
permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny ip A.A.A.232 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
match ip address 102
!
route-map mitel_NAT permit 10
match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
--------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
--------------------------
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUm
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
5E543557 C0619FA9 DB3D7B9C 07
quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfU
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaR
!
crypto isakmp client configuration group remoteteam
key 6 256axxess
dns 192.168.250.220
wins 192.168.250.220
domain kinter.local
pool ssl
acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
set transform-set 3DES
reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer VPN-a
set transform-set esp-aes-sha
match address 160
crypto map vpn 20 ipsec-isakmp
set peer VPN-b
set transform-set esp-aes-sha
match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$$ETH-S
ip address 192.168.250.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address A.A.A.234 255.255.255.248
ip flow ingress
ip flow egress
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
speed auto
full-duplex
crypto map vpn
!
interface FastEthernet0/0/0
description Comcast WAN
ip address B.B.B.B
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
shutdown
speed auto
full-duplex
crypto map vpn
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
cache entries 2046
cache timeout inactive 200
cache timeout active 45
export destination 192.168.250.253 2020
enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
permit tcp any host A.A.A.236 eq 443
permit tcp any host A.A.A.236 eq 22
permit tcp any host A.A.A.236 eq 4000
permit tcp any host A.A.A.236 eq 44000
permit tcp any host A.A.A.236 eq 5566
permit udp any host A.A.A.236 eq 5567
permit udp host A.A.A.236 any range 5004 5069
permit udp host A.A.A.236 any range 6004 6604
permit udp host A.A.A.236 any eq tftp
permit tcp host A.A.A.236 any range 6800 6802
permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny ip A.A.A.232 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
match ip address 102
!
route-map mitel_NAT permit 10
match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
--------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
--------------------------
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
no responses