Equipment Support > Hardware By Brand > Cisco > IOS question, Two ISPs, can only ping one?

IOS question, Two ISPs, can only ping one?

Got a copy of your config for review net2be?

Can you also provide the output of "show ip route" as well?

Regards

reply to net2be
Makes sense seeing the modems IP.

It won't route through the T1 unless you told it to route the IP address you're pinging from, out the T1.

Show ip route at the dual homed 1841. What does it say?

reply to net2be
Is your 1841 router doing NAT as well? If yes, then you have to consider the fact that NAT takes place before routing. When let's say the router picks up the T1 NAT-ed IP address and try to route using the Cable modem path, the traffic gets lost.

Ok then the NATting is probably the issue then!

I have a nat inside on LAN interface, and a nat outside on the Cablemodem interface. But I do not have a nat outside on the T1 interface.

So you're saying even though I'm pinging the T1 interface, just the fact that I have a NAT, it will route from the T1 through to the Cablemodem?

Is there a way to keep them separate? What I'm trying to do is establish a VPN tunnel through the T1 but I can't seem to get out through that interface.
.

.

.

.

Here's the sh ip route:
Gateway of last resort is 76.199.179.214 to network 0.0.0.0

129.111.224.0/30 is subnetted, 1 subnets
C 129.111.224.144 is directly connected, Serial0/0/0
C 192.168.13.0/24 is directly connected, FastEthernet0/0
76.0.0.0/30 is subnetted, 1 subnets
C 76.199.179.212 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [5/0] via 76.199.179.214

and here's the config with some stuff removed:
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 409600 debugging
enable secret 5 $1$xxx
!
aaa new-model
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address 212.133.104.249
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
set peer 212.133.104.249
set transform-set to_vpn
match address 102

!
!
!
interface FastEthernet0/0
description connected to LAN
ip address 192.168.13.1 255.255.255.0
ip helper-address 192.168.10.12
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description connected to Cablemodem
bandwidth 25000
ip address 76.199.179.213 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map to_vpn
!
interface Serial0/0/0
description connected to T1 Line
ip address 129.111.224.146 255.255.255.252
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
no ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 76.199.179.214 5
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
!
ip access-list standard Telnet
permit 192.168.10.1
!
access-list 101 deny ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.41.0.0 0.0.255.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.52.0.0 0.0.255.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.253.1.0 0.0.0.255
access-list 101 deny ip 192.168.13.0 0.0.0.255 10.254.1.0 0.0.0.255
access-list 101 permit ip 192.168.13.0 0.0.0.255 any
!
access-list 102 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 192.168.12.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0

The answer to your question depends heavily on what the network requirements are and how you and your business partner (that connect through the T1) like to have. Certain companies requires some kind of NAT-ing either on your end or their end so that when the traffic travels over the private line such as your T1 circuit, the IP addresses (both source and destination) are recognized and can be processed accordingly.

When you do need to have NAT in place for traffic between your network and your business partner resides on the other end of the T1 circuit, then make sure appropriate NAT take place to distinguish between the Cable Internet and the T1.

Here are a list of questions and considerations as a start

* Whether the T1 is private line connecting to only business partner or also act as Internet connectivity
* Is there a plan to use the T1 to connect to the Internet at all?
* How do you usually use the T1 circuit? Is it just for Internet and VPN? Is it for internal connectivity? Or else?
* How does the T1 connect to your main location? Is the T1 point-to-point circuit between remote location and main office? Or else?
* Is the Cable Internet recent addition to the network in order to separate Internet traffic and internal traffic?

Ideally I'd like to use the two connections out to the Internet (through a NAT/PAT). So I can choose certain traffic to route through each connection, (for example 80 through the cablemodem, and rdp through the T1). Sort of a load balancing. Also I'd like it so that both interfaces has their own ipsec tunnel back to the main office (and do the same thing there, regular traffic through cablemodem and file backup traffic through the T1).

In both cases I'll have an IP SLA that will track which routes (or route maps) it will travel through each interface in the case that one interface should lose it's link.

So when I set up the cablemodem as the primary source, I figured I can get some test going on with T1. The first thing I did was see if I could ping the interface, and hopefully enable the ssh so I can get to it. But instead the ping timeouts so I wanted to see what was happening...

Now this wouldn't be an issue if I had two separate routers, each with its own external interface, and an internal interface. Then all I have to do is point the next hop to the right router. But I'm trying to do this from one single router to make it neater.

reply to aryoba

reply to net2be
In your situation, I don't think it is ideal to use both Cable Internet and the T1 for all connectivity. I'm suggesting reviewing your traffic pattern as a first step to see which traffic are as the top 10 talkers. If let's say most of your traffic is Internet traffic, then the traffic should be using the Cable Internet as primary and the T1 as backup.

Generally I always prefer to use the T1 for internal network connectivity (i.e. VPN to other location) while keeping Cable Internet mainly as Internet connectivity since T1 has SLA while Cable Internet has none. Better solution (if your company can afford it) is MPLS for internal network connectivity compared to IPSec VPN.

In regards of unstable T1 circuit, you may want to put some kind of monitoring system to quickly detect circuit issue as first step. You may also want to have the telco test the circuit including running various loop tests to confirm there is issue within local loop. Obviously all traffic have to use the Cable Internet during the test to avoid downed network.

reply to net2be
Assuming you use the T1 for internal connectivity (VPN) and use the Cable Internet for Internet only, then the solution is simply like the following.

Your router configuration needs to have the following static routes

ip route 0.0.0.0 0.0.0.0.0 76.199.179.214
ip route 212.133.104.249 255.255.255.255 129.111.224.145
ip route 10.5.1.0 255.255.255.0 129.111.224.145
ip route 10.11.0.0 255.255.0.0 129.111.224.145
ip route 10.41.0.0 255.255.0.0 129.111.224.145
ip route 10.52.0.0 255.255.0.0 129.111.224.145
ip route 10.253.1.0 255.255.0.0 129.111.224.145
ip route 10.254.1.0 255.255.0.0 129.111.224.145
ip route 192.168.10.0 255.255.0.0 129.111.224.145
ip route 192.168.11.0 255.255.0.0 129.111.224.145
ip route 192.168.12.0 255.255.0.0 129.111.224.145

Reviewing your ACL 102, I believe the ACL 102 should permit whatever ACL 101 denies in order to permit internal traffic to go through the VPN tunnel.

In order to work, the other end of VPN tunnel must use your T1 IP address as VPN peer which is the 129.111.224.146

reply to net2be
No reason why you couldn't use the dual ISP / OER config as a baseline, and as you said,
use static routing or route-maps to push traffic out a specific interface. aryoba makes
some good points about knowing WHAT you want to do, plus being aware of the SLAs on each
line and routing accordingly.

Regards

reply to aryoba

Re: IOS question, Two ISPs, can only ping one?

reply to net2be
You can also consider a used load balancer on the cheap like an old Linkproof. I used them before. Gotta say, they worked well back in our slow link days.

»www.ebay.com/itm/Link-Proof-LT-9···08560334