NAT Port Forward on Dual WAN Link

Hi,

I have a network with one LAN and dual WAN links. The router is configured with WAN failover, but there seems to be a problem with port forwarding. The SSH port of LAN IP 192.168.0.2 is forwarded, but when the WAN failover occurs (primary WAN goes down and secondary is active) the port forward stops working. I would like the port forward to be active on both primary and secondary WAN so that during failover the port can be accessed via the secondary WAN.

Please view the config below; any help would be appreciated.


track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.10
description LAN
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
no cdp enable
!
interface GigabitEthernet0/1
description Primary-WAN
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description Secondary-WAN
ip address 9.9.9.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22
ip route 0.0.0.0 0.0.0.0 9.9.9.1 track 2
ip route 0.0.0.0 0.0.0.0 1.1.1.1 10
ip route 1.1.1.0 255.255.255.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 1.1.1.1
ip route 5.5.5.0 255.255.255.0 1.1.1.1
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/1
 threshold 500
 timeout 500
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 9.9.9.1 source-interface GigabitEthernet0/2
 threshold 500
 timeout 500
 frequency 2
ip sla schedule 2 life forever start-time now
!
route-map 1 permit 10
match ip address 1
set interface GigabitEthernet0/1
!
route-map 2 permit 10
match ip address 1
set interface GigabitEthernet0/2
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
Mustafa Chapal (CEO) asked:
 
JustInCase commented:
SSH port of LAN IP 192.168.0.2 is forwarded but when the WAN failover occurs (primary WAN goes down and secondary is active) the port forward stops working. I would like the port forward to be active on both primary and secondary WAN so during failover, the port can get accessed by the secondary WAN.
You can configure the port forward on both WAN interfaces for failover. An additional requirement would be to configure all static routes with IP SLA tracking (actually, two IP SLAs should be configured, one for each WAN interface), so routes can be removed from the routing table if one of the WAN links goes down.
Additionally, during failover there will always be a need to re-establish TCP connections, since the source/destination IP address for all existing sessions.
ip route 1.1.1.0 255.255.255.0 1.1.1.1 track 1
ip route 2.2.2.0 255.255.255.0 1.1.1.1 track 1
ip route 3.3.3.0 255.255.255.0 1.1.1.1 track 1
ip route 4.4.4.0 255.255.255.0 1.1.1.1 track 1
ip route 5.5.5.0 255.255.255.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 9.9.9.1 track 2
!
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/2 22 extendable
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22 extendable

The extendable keyword may not be available on all devices (all IOS versions or all versions of NAT configuration), and if the source address and port are the same it will overwrite the previously entered static NAT configuration. A possible workaround can be to configure the second static NAT to a different port on interface Gi0/1, or to a different device (for example the router itself, and then you can SSH from the router to device 192.168.0.2, or static destination NAT).
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/2 22
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 23

In that case you would need to reconfigure the access port (23, above) when you are accessing via the secondary interface.
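
As an added example (not part of the thread or of Cisco's tooling), a small Python lint that checks a saved IOS config for the two gaps JustInCase points out: a static port forward that exists on only one of the NAT outside interfaces, and static routes via a WAN gateway that carry no track keyword. It assumes the WAN interfaces are those named in the ip nat source route-map ... overload lines and that the ip sla icmp-echo targets are the WAN gateways; the sample config is a trimmed copy of the one posted above.

```python
import re

# Constructed sample: a trimmed copy of the asker's configuration, including the
# IP SLA probes whose targets this script treats as the WAN gateways (assumption).
SAMPLE_CONFIG = """
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload
ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22
ip route 0.0.0.0 0.0.0.0 9.9.9.1 track 2
ip route 0.0.0.0 0.0.0.0 1.1.1.1 10
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip sla 1
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/1
ip sla 2
 icmp-echo 9.9.9.1 source-interface GigabitEthernet0/2
"""

# NAT outside (WAN) interfaces are taken from the overload translations.
WAN_RE = re.compile(r"^ip nat source route-map \S+ interface (\S+) overload$")
STATIC_RE = re.compile(r"^ip nat source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)(.*)$")
SLA_RE = re.compile(r"^icmp-echo (\S+)")

def audit(config):
    """Return a list of findings; an empty list means both checks pass."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    wan_ifaces = [m.group(1) for m in map(WAN_RE.match, lines) if m]
    gateways = {m.group(1) for m in map(SLA_RE.match, lines) if m}
    forwards = {}  # (proto, inside ip, inside port) -> WAN interfaces carrying it
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            forwards.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
            continue
        m = ROUTE_RE.match(line)
        # A route via a monitored gateway must be tracked so it is withdrawn on failure.
        if m and m.group(3) in gateways and "track" not in m.group(4):
            findings.append(f"untracked route via WAN gateway: {line}")
    # A forward present on only one WAN interface is unreachable after failover.
    for (proto, ip, port), ifaces in forwards.items():
        for wan in wan_ifaces:
            if wan not in ifaces:
                findings.append(f"{proto} {ip}:{port} forward missing on {wan}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config it reports the floating default and the 2.2.2.0/24 route as untracked and the SSH forward as missing on GigabitEthernet0/2; after adding the tracked routes and the second static entry from the answer it reports nothing.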
 
Reece Dodds commented:
What router is it?
Can your source be set to any IP on any interface?
Is the source using the port aware of the 2nd WAN IP address?
 
Fred Marshall (Principal) commented:
It seems to me, in the dim past, there could be an issue of maintaining an SSH type of connection when the WAN switched.
For that reason, in load balancing mode, one might bind a protocol to one of the WANs.
And, for that reason, in failover mode, one might expect to have to reinitialize a connection.

Something to consider and research...
 
Pushpakumara Mahagamage (VP) commented:
Can you see LAN, WAN1 and WAN2 in your firewall rule section? If so, you have to add a duplicate inbound entry for your secondary WAN interface.

Do you have WAN failover for both directions, or only for outbound?
 
Mustafa Chapal (CEO, Author) commented:
The router is a Cisco 2911. The WAN failover is working fine. As you can see, the port forward rule is set statically on the Primary ISP, which is the following:

ip nat source static tcp 192.168.0.2 22 interface GigabitEthernet0/1 22

I want this port forward rule to work after the WAN failover takes place.