hang10

join:2002-11-03
Temecula, CA

Dual WAN Saga continues

After spending countless hours, I am officially giving up.
First off, this article sucks:

»www.cisco.com/en/US/products/sw/ ··· p1069967

They make no mention of NAT in the article. My biggest issue seems to be integrating NAT into a reliable dual WAN setup. Fact is, it doesn't work with two NAT overload statements on different outside interfaces.
I have dealt with SonicWall, WatchGuard, and Juniper and all of their ISRs provide easy configurations for implementing dual WANs. If anyone has any ideas on how to set up dual DHCP ISPs I would love to hear it.

mr_dirt

join:2006-02-14
Denver, CO
Provide feedback on the doc on the cisco.com page. I've included notes before on what I think sucks on docs, and I've gotten emails from the people who write the docs asking how to make the docs more clear. Amazingly, the feedback eventually showed up in the doc.

Please post your config so we can see what you did. IIRC, I asked if you'd tried configuring a static route to the default you get from DHCP. Did you try it? I realize it would be a PITA to keep an eye on your route table to make sure it doesn't change, but it might address your failover requirement.

hang10

join:2002-11-03
Temecula, CA
Thanks for the reply.

I went out and bought a cheapy Linksys router and attached it to the backup interface. This provided the ability to configure the backup with a static IP. My goal was to try to match the Cisco doc verbatim. So I configured with DHCP on the primary and static on the backup. I got a good connection out both interfaces IF the first statement's interface was up. So if I shut down Fast0/0, no internet was available. With 0/0 up I had a good connection out 0/0. Taking out the NAT statement for DSL I got a good connection out the primary cable interface. In my setup I needed NAT on both interfaces.
This is the order of the NAT statements in the config.

ip nat inside source route-map dsl_backup interface FastEthernet0/0 overload
ip nat inside source route-map primary_cable interface FastEthernet0/1 overload

Because it dropped in Fast0/0 first, this is the NAT statement it used no matter what I did. Also, this is the same interface it used for tracking, even though I set up tracking on the primary interface. It would always try to track out the backup interface.

I don't have the config I was playing with anymore. I reloaded the router back to single ISP operation. I have also spent countless hours with Cisco getting this to work and they were stumped. My post was a last ditch effort to see if anyone has a similar, working setup that I could look at. I would like to see Cisco put out a doc for dual NAT, dual DHCP WANs in a primary/backup internet role, but honestly I don't think it can be done.

hang10

Phraxos
Premium
join:2004-06-12
UK
Well, I admire your persistence!

"I would like to see cisco put out a doc for dual NAT, Dual DHCP WAN's in a Primary/backup internet role" - well atm you aren't going to see that as Cisco specifically state that you can only use the "set ip next-hop dynamic dhcp" command with a single dhcp interface (as I told you in one of your previous posts »[HELP] Dual DHCP WAN with tracking help). Clearly you have tried to get round this with the use of the Linksys and I don't know why your config still wouldn't work.

I can assure you it is possible to get it to work as I have it running on my router. For various reasons I have mostly given up posting in this forum, but I couldn't help sympathising with the frustration of your situation, so I have stripped out the relevant portions from my config and have posted them below. I can't promise any help but at least you will have something to study.

With both interfaces up my default for most of my lan is through gig0/1 but the default for most services for a server on 192.168.111.11 is dialer1. Consequently web traffic is routed through gig0/1 for all lan hosts except 192.168.111.11. If I shut down gig0/1 then all hosts route web traffic through dialer1, if I shut down dialer1 then all hosts route web traffic through gig0/1. There are a few static routes for ip addresses related to services that only work through a specific interface, e.g. an ISP's news server.

Good luck :)

version 12.4
ip cef
!
!
ip sla 1
icmp-echo 195.8.69.7 source-interface Dialer1
timeout 1500
frequency 20
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 62.31.144.39 source-interface GigabitEthernet0/1
timeout 1500
frequency 20
ip sla schedule 2 life forever start-time now
!
!
!
track 1 rtr 1
delay down 25
!
track 2 rtr 2
delay down 25
!
!
!
!
!
interface GigabitEthernet0/0
description LAN G0
ip address 192.168.111.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip route-cache flow
ip policy route-map adsl
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Cable G1
bandwidth 384
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache policy
ip route-cache flow
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
interface ATM0/0/0
description ATM0
bandwidth 256
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 0/38
vc-hold-queue 1024
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
!
interface Dialer1
description ATM Dialer1 D1
bandwidth 256
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
load-interval 30
dialer pool 1
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap callin
ppp chap hostname blah
ppp chap password 7 blah
!
!
ip local policy route-map saapings
ip route 0.0.0.0 0.0.0.0 Dialer1 254
ip route 195.8.68.0 255.255.255.0 Dialer1
ip route 195.8.69.0 255.255.255.0 Dialer1
ip route 194.117.143.0 255.255.255.0 dhcp
ip route 0.0.0.0 0.0.0.0 dhcp 50
!
!
ip nat inside source static tcp 192.168.111.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.111.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.111.11 21 interface Dialer1 21
ip nat inside source route-map natadsl interface Dialer1 overload
ip nat inside source route-map natcable interface GigabitEthernet0/1 overload
!
!
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 100 deny ip 192.168.111.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.111.0 0.0.0.255 any
access-list 110 deny tcp host 192.168.111.11 any eq 443
access-list 110 deny tcp host 192.168.111.11 any eq ftp
access-list 110 permit udp host 192.168.111.11 eq domain any
access-list 110 permit tcp host 192.168.111.11 eq domain any
access-list 110 permit udp host 192.168.111.11 any eq domain
access-list 110 permit tcp host 192.168.111.11 any eq domain
access-list 110 deny ip host 192.168.111.11 172.16.0.0 0.0.255.255
access-list 110 permit ip host 192.168.111.11 any
access-list 112 deny ip host 192.168.254.11 172.16.0.0 0.0.255.255
access-list 112 permit udp host 192.168.254.11 any eq snmp
access-list 198 permit icmp any host 195.8.69.7 echo
access-list 199 permit icmp any host 62.31.144.39 echo
dialer-list 1 protocol ip permit
!
!
!
!
route-map saapings permit 10
match ip address 198
set interface Dialer1 Null0
!
route-map saapings permit 20
match ip address 199
set ip next-hop dynamic dhcp
!
route-map natcable permit 10
match ip address 1
match interface GigabitEthernet0/1
!
route-map adsl permit 10
match ip address 112
set interface Dialer1
!
route-map adsl permit 20
match ip address 110
set ip next-hop verify-availability 195.8.68.240 10 track 1
!
route-map natadsl permit 10
match ip address 100
match interface Dialer1
!
!
!

hang10

join:2002-11-03
Temecula, CA
Wow, that's good stuff. That will keep me busy for a while.
Guess I'm back in the game. Thanks for the info.

hang10

mr_dirt

join:2006-02-14
Denver, CO
Admittedly, my backup WAN connection is through a different router, as I tend to run beta images in the router this config was taken from. I use the secondary WAN connection for a GRE+IPsec VPN, as well as a "back door" to get access to my LAN in the unlikely :uhh: event that the beta image in the primary router takes the router out to lunch. Without further ado, here are the relevant parts of my config:

track timer interface 5
!
track 123 rtr 1 reachability
delay down 15 up 10
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security public
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname [deleted]
ppp chap password 7 [deleted]
ppp pap sent-username [deleted] password 7 [deleted]
ppp ipcp dns request
crypto map vpn-1
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private
ip route-cache flow
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 192.168.1.253 254
!
ip nat inside source list 109 interface Dialer0 overload
!
ip sla 1
icmp-echo host.reachable.thru.dsl source-interface Dialer0
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now

I think I may have promised a while back that I would try both WAN connections through one box, but as you can tell, I haven't gotten around to it yet.

Out of curiosity, why did you elect to go with the route-map config for your NAT, instead of just using an ACL?

Phraxos
Premium
join:2004-06-12
UK
said by mr_dirt:

.....as I tend to run beta images in the router this config was taken from.
Wimp....where's your sense of adventure



said by mr_dirt:

Out of curiosity, why did you elect to go with the route-map config for your NAT, instead of just using an ACL?
Well, I rewrote everything when I went from three routers (one for each WAN connection and one to link the two routers to the LAN) to one. This was three months ago, so at my age it is difficult to remember. Reviewing hang10's previous posts about this and my answers, I realise I have already answered this question in the last post of this thread »[HELP] Help with Routing 2 ISP

...it appears that in the absence of the interface match, the router uses the first global NAT statement to try and NAT all NAT traffic regardless of which interface the traffic is actually present on.

I.e. the route-map is so I can do the interface match. I think this is exactly the issue you have been having, hang10, and it looks like I answered it three months ago. You will still need to use the Linksys though, as there is still the limitation of not being able to use the "set ip next-hop dynamic dhcp" command with more than one DHCP interface.

I think this issue is an IOS bug. The fact that I have produced a workaround doesn't negate the fact that it shouldn't be necessary. hang10 did you try getting the TAC case owner to escalate the issue?

Let us know how you get on.
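Added example, not code from this thread: a small Python check that reads an IOS config in the form posted above and flags any `ip nat inside source route-map ... overload` statement whose route-map has no `match interface` clause for the outside interface it is bound to, the condition Phraxos describes. The sample config is constructed to mirror the two-overload-statement layout in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the configs in this thread: two overload
# statements, but only natcable's route-map matches its outside interface.
SAMPLE_CONFIG = """\
ip nat inside source route-map natadsl interface Dialer1 overload
ip nat inside source route-map natcable interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.111.0 0.0.0.255
route-map natcable permit 10
 match ip address 1
 match interface GigabitEthernet0/1
!
route-map natadsl permit 10
 match ip address 1
!
"""

NAT_RE = re.compile(r"^ip nat inside source route-map (\S+) interface (\S+) overload$")
RM_RE = re.compile(r"^route-map (\S+) (?:permit|deny) \d+$")

def parse_route_maps(config):
    """Map each route-map name to a list of per-clause 'match interface' sets."""
    maps, current = defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        m = RM_RE.match(line)
        if m:                       # new clause: start a fresh interface set
            current = set()
            maps[m.group(1)].append(current)
        elif line == "!":           # end of the clause
            current = None
        elif current is not None and line.startswith("match interface "):
            current.update(line.split()[2:])
    return dict(maps)

def nat_route_map_findings(config):
    """Return (route-map, interface) pairs bound to an overload statement whose
    route-map has no clause matching that outside interface (the symptom here:
    the first NAT statement in the config then catches traffic for both WANs)."""
    maps = parse_route_maps(config)
    findings = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            name, iface = m.groups()
            if not any(iface in clause for clause in maps.get(name, [])):
                findings.append((name, iface))
    return findings
```

Running `nat_route_map_findings(SAMPLE_CONFIG)` reports `natadsl` on `Dialer1` and nothing for `natcable`, which is the state Phraxos's config fixes by adding `match interface` to both route-maps.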

hang10

join:2002-11-03
Temecula, CA
Hi Phraxos,

I now have a working dual WAN setup throwing the cheapy Linksys in the mix. Thanks for your example, it helped big time. My focus originally was getting it to work with DHCP assigned addresses on both WANs. Working with TAC and researching myself, it became clear (to me and TAC) that it was not possible and they were going to research a workaround. Well, the easiest workaround was buying a $50 Linksys and creating a static IP for the backup interface. I gave up on TAC after it was escalated and didn't pursue it further because it was taking too much time. Since it wasn't my primary interface I didn't mind putting a cheapy router in between the connection.
Thanks again to all, and Phraxos, welcome back to the forum.

hang10

Phraxos
Premium
join:2004-06-12
UK
I'm really pleased you got it working and thanks for the kind words.

It's a shame that Cisco haven't put the work in to get an IOS that will support multiple DHCPs but maybe that will come in time. I think it is a reflection of Cisco's history; DHCP interfaces are not "enterprise" solutions so the software support comes later in the development cycle. At least you have a 90% solution for the moment.