Cisco – NAT and two internet providers, how to configure failover


Will you please help me to set up ISP2 as a failover internet provider? Configuration as follows:

ip source-route
!
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
redundancy
!
!
ip ssh rsa keypair-name SSH_KEYS
ip ssh version 2
!
interface Loopback10
 ip address 10.10.10.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Tunnel1
 description INT1
 ip address 10.7.1.1 255.255.255.252
 ip mtu 1400
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 18.1.1.15
!
interface Tunnel99
 description INT2
 ip address 10.7.2.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 8.2.1.201
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.2
 description ISP1
 encapsulation dot1Q 2
 ip address 7.2.2.127 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
 description ISP2
 encapsulation dot1Q 3
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 description LAN_TO_3750
 encapsulation dot1Q 10
 ip address 10.5.7.2 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 20 interface GigabitEthernet0/0.2 overload
ip nat inside source static udp 10.5.7.9 17566 7.2.2.127 17566 extendable
ip route 0.0.0.0 0.0.0.0 7.2.2.1 170
ip route 10.1.7.0 255.255.255.0 10.7.2.2 name INT2
ip route 10.1.2.0 255.255.255.128 10.7.1.2 name INT1
ip route 10.5.7.64 255.255.255.192 10.5.7.1
!
logging esm config
access-list 20 permit 10.5.7.0 0.0.0.255
access-list 20 permit 10.5.7.0 0.0.0.63
access-list 20 permit 10.1.2.0 0.0.0.128
access-list 20 permit 10.1.7.0 0.0.0.255
access-list 20 permit 10.1.2.0 0.0.0.255
access-list 30 permit 10.5.7.0 0.0.0.255
access-list 30 permit 10.1.2.0 0.0.0.255
access-list 69 permit 10.5.7.20
access-list 69 permit 10.5.7.9
!
route-map INT1 permit 10
!

Best Answer

You are a good ways off here. How to provide simple failover absolutely depends on the hardware you are using; some Cisco routers implement NAT slightly differently, meaning your results would be different with the same config on two different devices.

For example:

When matching a NAT ACL on a 1941 series router, do not use permit any any in your ACL; it won't work.

To avoid explaining the fundamentals of networking here, I will just assume you have a primary and secondary internet circuit and would like to fail from the primary to the secondary only when the primary experiences an issue; likewise, I will just NAT the same networks as well.

First, this is correct: you have identified the inside and outside interfaces for NAT:

!
interface GigabitEthernet0/1.10
 description LAN
 ip address 10.5.7.2 255.255.255.192
 ip nat inside                      <----
!
interface GigabitEthernet0/0.2
 description ISP1
 ip address 7.2.2.127 255.255.255.0
 ip nat outside                     <----
!
interface GigabitEthernet0/0.3
 description ISP2
 ip address 7.1.0.46 255.255.255.252
 ip nat outside                     <----
!

Second, you should identify all networks that should be NATted. Example for the 10 space:

!
ip access-list extended LAN
 permit ip 10.0.0.0 0.255.255.255 any
!

Create two route-maps and tie these to your NAT statements instead of the list; this allows you to tie in failover. Call the list in this route-map and match the WAN interface. What these route-maps say is that if the source IP matches the ACL 'LAN' and the outbound interface matches what's configured in the map, do something with it; we're doing NAT. Example:

!
route-map PRIMARY permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.2
!
route-map SECONDARY permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.3
!

Create SLA/tracking to use as a failover detection mechanism to fail over your routing. This is what actually fails over; the previously configured things just allow NAT to happen out of both links. Ping Google (or any other constantly reachable IP) through your primary circuit.

!
ip sla 1
icmp-echo 8.8.8.8 source-interface g0/0.2
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!

Tie your tracks into your routing.

!
ip route 8.8.8.8 255.255.255.255 g0/0.2 
ip route 0.0.0.0 0.0.0.0 7.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 g0/0.3 10
!

Tie your route-maps into your NAT, i.e. configure your NAT rules, basically as you normally would.

!
ip nat inside source route-map PRIMARY interface g0/0.2 overload
ip nat inside source route-map SECONDARY interface g0/0.3 overload
!

Some routers won't need this much engineering; in many cases the following would work fine. Remember, HARDWARE DOES MATTER!

!
interface GigabitEthernet0/1.10
 description LAN
 ip address 10.5.7.2 255.255.255.192
 ip nat inside
!
interface GigabitEthernet0/0.2
 description ISP1
 ip address 7.2.2.127 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0.3
 description ISP2
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
!
ip access-list extended LAN
 permit ip 10.0.0.0 0.255.255.255 any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface g0/0.2
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 8.8.8.8 255.255.255.255 g0/0.2 
ip route 0.0.0.0 0.0.0.0 7.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 g0/0.3 10
!
ip nat inside source list LAN interface g0/0.2 overload
ip nat inside source list LAN interface g0/0.3 overload
!

The implementation of NAT may change between Cisco routers, but the SLA and enhanced object tracking should be the same. The 'failover' is a function of the preferred outbound route in the above examples: ISP1 will always be preferred unless the router cannot reach Google when sourcing a ping from that interface.
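The following Python model is an added example, not part of the answer above and not Cisco code; it simulates the decision the answer's design makes for one LAN packet so you can see how the tracked default route, the floating default with administrative distance 10, the host route pinning the probe target, and the route-map NAT rules interact. Interface names, addresses, the LAN ACL and the routes are copied from the answer's config; the behaviour model itself (a tracked static route is withdrawn while its track object is down; longest prefix wins, then lowest administrative distance; a route-map NAT rule applies only when both its ACL and its egress interface match) is an assumption standing in for what IOS does, and the destination 203.0.113.5 and the non-LAN source 192.168.1.5 are constructed test inputs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Outside interfaces from the answer's config (ISP1 and ISP2).
INTERFACES = {
    "GigabitEthernet0/0.2": ip_network("7.2.2.127/24", strict=False),  # ISP1
    "GigabitEthernet0/0.3": ip_network("7.1.0.46/30", strict=False),   # ISP2
}
# Address used when the NAT rule says "interface <name> overload".
INTERFACE_IP = {"GigabitEthernet0/0.2": "7.2.2.127",
                "GigabitEthernet0/0.3": "7.1.0.46"}


@dataclass
class StaticRoute:
    prefix: str                  # destination prefix
    via: str                     # next-hop address or egress interface name
    distance: int = 1            # administrative distance, lower is preferred
    track: Optional[int] = None  # object-tracking id that gates this route


@dataclass
class NatRule:
    acl: list                    # source prefixes permitted by the "LAN" ACL
    match_interface: str         # route-map "match interface"


# The answer's routing: probe host route pinned to ISP1, tracked primary
# default, floating secondary default with AD 10.
ROUTES = [
    StaticRoute("8.8.8.8/32", "GigabitEthernet0/0.2"),
    StaticRoute("0.0.0.0/0", "7.2.2.1", distance=1, track=1),
    StaticRoute("0.0.0.0/0", "GigabitEthernet0/0.3", distance=10),
]

# ip access-list extended LAN: permit ip 10.0.0.0 0.255.255.255 any
LAN_ACL = ["10.0.0.0/8"]
NAT_RULES = [
    NatRule(LAN_ACL, "GigabitEthernet0/0.2"),   # route-map PRIMARY
    NatRule(LAN_ACL, "GigabitEthernet0/0.3"),   # route-map SECONDARY
]


def resolve_interface(via: str) -> Optional[str]:
    """Map a next-hop address to the connected interface that contains it."""
    if via in INTERFACES:
        return via
    hop = ip_address(via)
    for name, net in INTERFACES.items():
        if hop in net:
            return name
    return None


def select_route(dst: str, track_state: dict) -> Optional[StaticRoute]:
    """Longest prefix, then lowest AD, among routes whose track (if any) is up.
    Assumption: a tracked route leaves the RIB while its track is down."""
    dst_ip = ip_address(dst)
    usable = [r for r in ROUTES
              if dst_ip in ip_network(r.prefix)
              and (r.track is None or track_state.get(r.track, False))]
    if not usable:
        return None
    return max(usable, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))


def select_nat(src: str, egress: str) -> Optional[str]:
    """Translated source address, or None when no route-map matches
    (traffic outside the LAN ACL leaves with its original source)."""
    src_ip = ip_address(src)
    for rule in NAT_RULES:
        if rule.match_interface == egress and any(
                src_ip in ip_network(p) for p in rule.acl):
            return INTERFACE_IP[egress]
    return None


def forward(src: str, dst: str, isp1_probe_ok: bool):
    """Simulate one LAN packet; track 1 mirrors the IP SLA ping result."""
    track_state = {1: isp1_probe_ok}
    route = select_route(dst, track_state)
    if route is None:
        return None, None
    egress = resolve_interface(route.via)
    return egress, select_nat(src, egress)


if __name__ == "__main__":
    for probe_ok in (True, False):
        print("ISP1 probe ok" if probe_ok else "ISP1 probe failed",
              forward("10.5.7.9", "203.0.113.5", probe_ok),
              forward("10.5.7.9", "8.8.8.8", probe_ok))
```

Two results are worth checking on a real box after applying the design. First, with the probe failing, general traffic moves to ISP2 and is translated to 7.1.0.46, but a packet to 8.8.8.8 itself still leaves via ISP1: the host route exists so the SLA keeps probing the primary circuit and does not follow the failover, which is what stops track 1 from flapping, and it also means the probe target is unreachable for LAN hosts while ISP1 is down. Second, a source outside the LAN ACL leaves untranslated on whichever link is active, so the ACL should cover every inside prefix you expect to reach the internet.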