Will you please help me to set up ISP2 as a failover internet provider? Configuration as follows:
ip source-route
!
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
redundancy
!
!
ip ssh rsa keypair-name SSH_KEYS
ip ssh version 2
!
interface Loopback10
ip address 10.10.10.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Tunnel1
description INT1
ip address 10.7.1.1 255.255.255.252
ip mtu 1400
ip nat inside
ip nat enable
ip virtual-reassembly in
tunnel source GigabitEthernet0/0.2
tunnel destination 18.1.1.15
!
interface Tunnel99
description INT2
ip address 10.7.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
tunnel source GigabitEthernet0/0.2
tunnel destination 8.2.1.201
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.2
description ISP1
encapsulation dot1Q 2
ip address 7.2.2.127 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
description ISP2
encapsulation dot1Q 3
ip address 7.1.0.46 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.10
description LAN_TO_3750
encapsulation dot1Q 10
ip address 10.5.7.2 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 20 interface GigabitEthernet0/0.2 overload
ip nat inside source static udp 10.5.7.9 17566 7.2.2.127 17566 extendable
ip route 0.0.0.0 0.0.0.0 7.2.2.1 170
ip route 10.1.7.0 255.255.255.0 10.7.2.2 name INT2
ip route 10.1.2.0 255.255.255.128 10.7.1.2 name INT1
ip route 10.5.7.64 255.255.255.192 10.5.7.1
!
logging esm config
access-list 20 permit 10.5.7.0 0.0.0.255
access-list 20 permit 10.5.7.0 0.0.0.63
access-list 20 permit 10.1.2.0 0.0.0.128
access-list 20 permit 10.1.7.0 0.0.0.255
access-list 20 permit 10.1.2.0 0.0.0.255
access-list 30 permit 10.5.7.0 0.0.0.255
access-list 30 permit 10.1.2.0 0.0.0.255
access-list 69 permit 10.5.7.20
access-list 69 permit 10.5.7.9
!
route-map INT1 permit 10
!
Best Answer
You are a good ways off here. To provide simple failover, it absolutely depends on the hardware you are using; some Cisco routers implement NAT slightly differently, meaning your results would be different with the same config on two different devices.
For example:
While matching a NAT ACL on a 1941 series router, do not use permit any any in your ACL; it won't work.
To avoid explaining the fundamentals of networking here, I will just assume you have a primary and secondary internet circuit and would like to fail from the primary to the secondary only when the primary experiences an issue; likewise, I will just NAT the same networks as well.
First, this is correct: you have identified the inside and outside interfaces for NAT.
Second, you should identify all networks that should be NATted. Example for 10 space:
Create two route-maps and tie these to your NAT statements instead of the list; this allows you to tie in failover. Call the list in this route-map and match the WAN interface. What these route-maps say is that if the source IP matches the ACL 'LAN' and the OUTBOUND interface matches what's configured in the map, do something with it; we're doing NAT. Example:
Create SLA/tracking to use as a failover detection mechanism to fail over your routing. This is what actually fails over; the previously configured things just allow NAT to happen out of both links. Ping Google (or any other constantly reachable IP) through your primary circuit.
Tie your tracks into your routing.
Tie your route-maps into your NAT, i.e. configure your nat rules, basically as you normally would.
Some routers won't need this much engineering; in many cases the following would work fine. Remember, HARDWARE DOES MATTER!
The implementation of NAT may change between Cisco routers, but the SLA and enhanced object tracking should be the same. The 'failover' is a function of the preferred outbound route in the above examples: ISP 1 will always be preferred unless the router cannot reach Google when sourcing a ping from that interface.
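The steps in the answer above (NAT ACL, one route-map per WAN link, IP SLA plus object tracking, tracked default routes, route-map based NAT), written out as one complete IOS configuration against the addresses in the original post. This is an added example, not the answerer's own snippets (which did not survive on this page) and not the poster's running config. Assumptions: 8.8.8.8 is used as the reachability target; 7.1.0.45 is taken to be the ISP2 gateway (the /30 on GigabitEthernet0/0.3 implies it, but the post never states it); the names ISP1, ISP2 and LAN and the SLA timers are chosen here.

```cisco
! Added example, not part of the original post or answer.
! Assumed values: 8.8.8.8 (probe target), 7.1.0.45 (ISP2 gateway).
!
! 1. Inside networks that should be NATted (the answer's ACL 'LAN')
ip access-list standard LAN
 permit 10.5.7.0 0.0.0.255
 permit 10.1.2.0 0.0.0.255
 permit 10.1.7.0 0.0.0.255
!
! 2. One route-map per WAN link: the source must match LAN AND the packet
!    must be leaving through that specific ISP sub-interface
route-map ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.2
!
route-map ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.3
!
! 3. Failover detection: ICMP probe sourced from the ISP1 sub-interface
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.2
 frequency 10
 timeout 1000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! Track goes down after 15 s of failed probes, back up after 30 s of good ones
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to ISP1. Without this the probe would follow the
! default route out ISP2 after failover, succeed, bring the track up,
! and the router would flap between the two links.
ip route 8.8.8.8 255.255.255.255 7.2.2.1
!
! 4. Routing: ISP1 default route exists only while track 1 is up;
!    ISP2 is a floating static with a worse administrative distance
no ip route 0.0.0.0 0.0.0.0 7.2.2.1 170
ip route 0.0.0.0 0.0.0.0 7.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 7.1.0.45 10
!
! 5. NAT keyed on the route-maps instead of access-list 20
no ip nat inside source list 20 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.3 overload
```

Check it with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0` while the ISP1 upstream is reachable and again with it blocked; the default route should move from 7.2.2.1 to 7.1.0.45 and back. Two caveats from the poster's own config: the static port forward `ip nat inside source static udp 10.5.7.9 17566 7.2.2.127 17566 extendable` is bound to the ISP1 address and will only be reachable through ISP1, and both GRE tunnels use `tunnel source GigabitEthernet0/0.2`, so they do not follow this failover. Also, dynamic translations created while ISP1 was active keep their 7.2.2.127 mapping until they time out, so sessions that were up at the moment of failover stall rather than re-translate through ISP2; clearing the translation table when the track changes state (for example from an EEM applet) is the usual way to shorten that.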