I am going to do this in a multi-part format because there are so many options and possibilities. The router I am using in this example is actually an emulated 2691 running under dynamips. I have configured this router using the SDM for use with a single ISP (a fairly common configuration).
Let's get going...
1. First we are going to review the existing configuration. I am stripping out anything that is not relevant to shorten the post.
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.99.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address 1.1.1.1 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 1.1.1.254
ip route 192.168.32.0 255.255.255.0 192.168.99.254
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit icmp any host 1.1.1.1 echo-reply
access-list 101 permit icmp any host 1.1.1.1 time-exceeded
access-list 101 permit icmp any host 1.1.1.1 unreachable
access-list 101 deny ip any any log
2. Now we need to make the inbound access list for the second ISP. I just copy the existing ACL applied to ISP1, rename it and modify the IP addresses to suit.
access-list 102 permit icmp any host 2.2.2.1 echo-reply
access-list 102 permit icmp any host 2.2.2.1 time-exceeded
access-list 102 permit icmp any host 2.2.2.1 unreachable
access-list 102 deny ip any any log
As you can see, this is a copy of ACL 101, which is applied to Fa0/1. I changed the IP addresses to suit the new interface and changed the ACL number to an unused one. Once this is complete, paste it back into the router.
3. Now the second interface has to be configured with the ISP-provided information. While we are at it, we will configure the inspection, ACL, and NAT. Again, this is just a copy of the primary ISP's interface configuration, modified to suit.
interface FastEthernet1/0
description ISP 2
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
Once these changes have been made, paste them back into the router.
4. Now for the slightly more difficult part. We are going to have to change the way NAT (actually PAT in this situation) is configured. NAT does not work well on the outside interfaces when its source is an access list, so we are going to convert it to a route-map. One will need to be created for each outside interface.
route-map ISP1 permit 10
match ip address 1
match interface FastEthernet 0/1
route-map ISP2 permit 10
match ip address 1
match interface FastEthernet 1/0
Then we have to take out the old NAT statement and replace it with the new one.
no ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
Now for the ISP2 NAT statement:
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
5. Now, if you read my last article, you know what is coming next: the failover. That article was for IOS 12.3 releases; I have modified it here for 12.4.
ip sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2
timeout 500
frequency 3
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
no ip route 0.0.0.0 0.0.0.0 1.1.1.254
ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.254 10
6. Test it! Now you should be able to interrupt connectivity on ISP1 and traffic should begin flowing over ISP2. Reconnect it and traffic should return to ISP1.
7. Here is the full running configuration after the changes. In the next part, we will go into inbound NAT and how to publish servers on both interfaces at the same time!
Building configuration...
Current configuration : 3563 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password shawn
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2
timeout 500
frequency 3
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username shawn privilege 15 password 0 shawn
!
!
!
track 1 rtr 1 reachability
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.99.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address 1.1.1.1 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
description ISP 2$ETH-WAN$
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.254 10
ip route 192.168.32.0 255.255.255.0 192.168.99.254
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 1.1.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.99.0 0.0.0.255 any
access-list 101 permit icmp any host 1.1.1.1 echo-reply
access-list 101 permit icmp any host 1.1.1.1 time-exceeded
access-list 101 permit icmp any host 1.1.1.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 permit icmp any host 2.2.2.1 echo-reply
access-list 102 permit icmp any host 2.2.2.1 time-exceeded
access-list 102 permit icmp any host 2.2.2.1 unreachable
access-list 102 deny ip any any log
!
route-map ISP2 permit 10
match ip address 1
match interface FastEthernet1/0
!
route-map ISP1 permit 10
match ip address 1
match interface FastEthernet0/1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login local
!
!
end
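The running configuration above shows only the ISP1 NAT statement, although step 4 adds one per ISP, and the ACL 102 built in step 2 was copied from the shortened excerpt of ACL 101. The following Python script, an added example that is not part of the original post, audits a saved `show running-config` for the pieces this setup needs: a route-map matching each outside interface, an overload NAT statement per route-map, and deny entries present in the primary ISP's inbound ACL but absent from the backup's. The interface names, ACL numbers and the trimmed config excerpt are constructed from this post's values.

```python
# Constructed excerpt of the post's final running configuration, trimmed to the lines this audit reads.
RUNNING_CONFIG = """\
track 1 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.254 10
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 102 deny ip any any log
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/1
route-map ISP2 permit 10
 match ip address 1
 match interface FastEthernet1/0
"""

# Outside interfaces as the post assigns them (primary first): route-map name -> (interface, inbound ACL).
ISPS = {"ISP1": ("FastEthernet0/1", "101"), "ISP2": ("FastEthernet1/0", "102")}


def acl_denies(lines, number):
    # Explicit deny entries of a numbered ACL, without the "access-list N deny " prefix.
    prefix = f"access-list {number} deny "
    return {l[len(prefix):] for l in lines if l.startswith(prefix)}


def audit_dual_isp(config, isps=ISPS):
    # Returns a list of findings; an empty list means every checked piece is present.
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # Group each route-map's match lines under its name (IOS indents them below the header).
    rmaps, cur = {}, None
    for l in lines:
        if l.startswith("route-map "):
            cur = l.split()[1]
        elif not l.startswith("match "):
            cur = None
        if cur:
            rmaps.setdefault(cur, set()).add(l)
    for name, (intf, _) in isps.items():
        if f"match interface {intf}" not in rmaps.get(name, set()):
            findings.append(f"{name}: no route-map matching interface {intf}")
        nat = f"ip nat inside source route-map {name} interface {intf} overload"
        if nat not in lines:
            findings.append(f"{name}: missing '{nat}'")
    # The backup ISP's inbound ACL should carry every deny entry the primary's does.
    primary, backup = [acl for _, acl in isps.values()]
    for entry in sorted(acl_denies(lines, primary) - acl_denies(lines, backup)):
        findings.append(f"ACL {backup} lacks: deny {entry}")
    return findings
```

Run against the listing above, it reports the ISP2 NAT statement from step 4 that the running configuration does not show, and the deny entries of the full ACL 101 that the shortened copy in ACL 102 lacks.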