
NAT Port Forward on Dual WAN Link

Mustafa asked
Last Modified: 2018-03-26
Hi,

I have a network with one LAN and dual WAN links. The router is configured with WAN failover, but there seems to be a problem with port forwarding. The SSH port of LAN IP 192.168.0.2 is forwarded, but when the WAN failover occurs (primary WAN goes down and secondary is active) the port forward stops working. I would like the port forward to be active on both primary and secondary WAN so that during failover, the port can be accessed through the secondary WAN.

Please view the config below; any help would be appreciated.


track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
 no ip address
 ip flow ingress
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/0.10
 description LAN
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/1
 description Primary-WAN
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/2
 description Secondary-WAN
 ip address 9.9.9.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 no cdp enable
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22
ip route 0.0.0.0 0.0.0.0 9.9.9.1 track 2
ip route 0.0.0.0 0.0.0.0 1.1.1.1 10
ip route 1.1.1.0 255.255.255.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 1.1.1.1
ip route 5.5.5.0 255.255.255.0 1.1.1.1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/1
 threshold 500
 timeout 500
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 9.9.9.1 source-interface GigabitEthernet0/2
 threshold 500
 timeout 500
 frequency 2
ip sla schedule 2 life forever start-time now
!
route-map 1 permit 10
 match ip address 1
 set interface GigabitEthernet0/1
!
route-map 2 permit 10
 match ip address 1
 set interface GigabitEthernet0/2
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
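
An added example, not part of the original question or its answer: a small Python audit that reads NAT statements like those posted above and lists static port forwards that are bound to only some of the interfaces carrying an overload rule. The function name, and the assumption that every overload interface is a WAN egress that should also carry the forward, belong to this example; the sample input is constructed from the posted lines.

```python
import re

# Constructed input: the three NAT statements from the configuration posted above.
SAMPLE_CONFIG = """\
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22
"""

# Accept both the NVI form used on this page ("ip nat source") and "ip nat inside source".
OVERLOAD_RE = re.compile(
    r"^ip nat (?:inside )?source (?:route-map|list) \S+ interface (\S+) overload\b")
STATIC_RE = re.compile(
    r"^ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)\b")


def audit_port_forwards(config_text):
    """Report static port forwards that are not bound to every overload interface."""
    egress = []    # interfaces that carry an overload (PAT) rule, in config order
    forwards = {}  # (proto, inside host, inside port, public port) -> bound interfaces
    for raw in config_text.splitlines():
        line = raw.strip()
        m = OVERLOAD_RE.match(line)
        if m:
            if m.group(1) not in egress:
                egress.append(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, host, port, iface, public = m.groups()
            key = (proto, host, int(port), int(public))
            forwards.setdefault(key, set()).add(iface)
    findings = []
    for (proto, host, port, public), bound in sorted(forwards.items()):
        missing = [i for i in egress if i not in bound]
        if missing:
            findings.append({"proto": proto, "host": host, "port": port,
                             "public_port": public, "bound_on": sorted(bound),
                             "missing_on": missing})
    return findings


if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_CONFIG):
        print("{proto}/{public_port} -> {host}:{port} bound on {bound_on}, "
              "not on {missing_on}".format(**f))
```

The same output doubles as an inventory of which inside services are published on which WAN interface, which is worth reviewing before extending a forward such as SSH to a second link.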