NAT Failover – Multiple WAN NAT with IP SLA

failovernat;wan

I am trying to setup IP SLA for my WAN interface and want the NAT to be setup to when the link goes down the NAT will switch over.

Here is the config:

version 15.5
track 1 ip sla 10 reachability
interface GigabitEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 74.92.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 66.219.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip nat inside source list 7 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 66.219.x.x track 1
ip route 0.0.0.0 0.0.0.0 74.92.x.x 10
ip sla 10
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 10 life forever start-time now
access-list 7 permit any

I have tried multiple different configurations with the NAT, but cannot seem to get both in there and working once the link fails over.

Best Answer

You're correct, I overlooked that you're using an access-list for the nat statement. You'll want to change it to a route map. Example:

ip nat inside source route-map wan1 interface GigabitEthernet0/1 overload
ip nat inside source route-map wan2 interface GigabitEthernet0/2 overload
route-map wan1 permit 10
 match interface GigabitEthernet0/1
!        
route-map wan2 permit 10
 match interface GigabitEthernet0/2

I labbed your config to do a full test and there are a few extra bits you'll want to add.

You want to add a route to the ip you're pinging so it always goes out the correct interface:

ip route 8.8.8.8 255.255.255.255 66.219.1.1

Full example config (tested in VIRL), I made up the last 2 octets of your public IPs and gateways:

track 1 ip sla 1 reachability

interface GigabitEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
    !
interface GigabitEthernet0/1
 ip address 74.92.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 66.219.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

ip nat inside source route-map wan1 interface GigabitEthernet0/1 overload
ip nat inside source route-map wan2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 66.219.1.1 track 1
ip route 0.0.0.0 0.0.0.0 74.92.1.1 10
ip route 8.8.8.8 255.255.255.255 66.219.1.1
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
!
route-map wan1 permit 10
 match interface GigabitEthernet0/1
!        
route-map wan2 permit 10
 match interface GigabitEthernet0/2

Related Solutions

Cisco NAT Configuration – Troubleshooting Broken PPPoE with NAT

NAT is applied to g0/0, not di0 where it is required. (there's no IP running on g0/0, so none of the IP configuration matters there.)

int di0
 ip nat outside
!
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 1 interface di0 overload

The two route statements are not necessary. If you need something to trigger the dialer, the route would be ip route 0.0.0.0 0.0.0.0 dialer0, but it should be triggered as long as g0/0 is up/up.

Cisco IOS Multi WAN with NAT on Loopback0 Using IP SLA

I think you are doing this incorrectly. The WAN failover should be independent of your NAT. Try something like this:

track 100 ip sla 1 reachability
!
interface Loopback0
 ip address 1.2.3.224 255.255.255.254
 ip virtual-reassembly in
!
interface GigabitEthernet0/0
 description COLT WAN
 ip address 1.2.3.9 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 no cdp enable
!
interface GigabitEthernet0/1
 description INSIDE LAN
 ip address 172.200.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 100
!         
interface GigabitEthernet0/1/0
 description VODAFONE INTERCONNECT
 switchport access vlan 100
 no ip address
 duplex full
 speed 100
 no cdp enable
!         
interface Vlan100
 description VODAFONE WAN
 ip address 1.2.3.135 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source list 10 interface Loopback0 overload
!
access-list 10 permit 172.200.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 1.2.3.134 track 100
ip route 0.0.0.0 0.0.0.0 1.2.3.8 200
!
ip sla 1
 icmp-echo 1.2.3.134 source-ip 1.2.3.135
 frequency 5000
ip sla schedule 1 life forever start-time now

You NAT from the inside interface GigabitEthernet0/1 to the outside interfaces GigabitEthernet0/0 and Vlan100. You use the Loopback0 interface as the address for the translation, not an outside interface, with the ip nat inside source list 10 interface Loopback0 overload command.

Best Answer

Related Solutions

Cisco NAT Configuration – Troubleshooting Broken PPPoE with NAT

Cisco IOS Multi WAN with NAT on Loopback0 Using IP SLA

Related Topic