Can't ping WAN interface of multihomed router

Discussion in 'Cisco' started by JmanSC, Jan 14, 2009.

  1. JmanSC

    JmanSC

    Joined:
    Jan 14, 2009
    Messages:
    8
    I have a Cisco 2811 with 3 DSL interfaces to the same ISP, all of which are up. For example's sake, let's say that the public IPs of those interfaces are:
    1.1.1.1/32 (directly connected to gateway 1.1.2.1)
    1.1.1.2/32 (directly connected to gateway 1.1.2.2)
    1.1.1.3/32 (directly connected to gateway 1.1.2.3)

    This router has an inside network of 192.168.1.0/24, the traffic from which gets overload NAT'd using a route-map. I have 3 static routes to the ISP's gateways to load balance traffic, which works just fine.

    From home, on a different ISP I have a public address of, let's say 2.2.2.2.

    Ever since the system was set up, my ability to ping the public interfaces of the 2811 changes and is inconsistent. For example, right now, here is what will work:

    2.2.2.2 -> 1.1.1.1 = Reply
    2.2.2.2 -> 1.1.1.2 or 1.1.1.3 = Timed out

    From the router pinging with a specific source address:
    1.1.1.2 -> 2.2.2.2 = Reply
    1.1.1.1 or 1.1.1.3 -> 2.2.2.2 = Timed out

    What's strange is that from home to the router only one interface will work at a time. The same from the router to home, but it's a different interface that works.

    I've done some packet captures to see if I'm receiving the reply with a different source address, but that's not the case. If I ping from 2.2.2.2 to 1.1.1.2, I simply don't get a reply at all, even though the interface is up and carrying traffic.

    Any ideas?
    JmanSC, Jan 14, 2009
    #1

  2. JmanSC

    JmanSC

    Does anybody have any ideas of things I can check? I'm kinda stuck on this one...


    Thanks.
    JmanSC, Jan 23, 2009
    #2

  3. ensnare

    ensnare

    Joined:
    Jan 24, 2009
    Messages:
    5
    Hi -- you have to make a policy-map for the secondary WAN interfaces that tells packets coming in on that interface to go out over the same interface. Otherwise they will go out over the router's default gateway and will time out.

    Try something like this:

    ip local policy route-map BackOnISP2
    !
    access-list 170 remark ***** TRAFFIC ALLOWED IN OVER ISP2
    ! 1.2.3.4 = external IP of wan2 int
    access-list 170 permit tcp host 1.2.3.4 any
    !
    route-map BackOnISP2 permit 10
     match ip address 170
     ! 1.1.1.1 = default gateway for secondary interface
     set ip next-hop 1.1.1.1

    Hope this helps,
    Adam
    ensnare, Jan 24, 2009
    #3
  4. JmanSC

    JmanSC

    Hi Adam,

    Thanks for the reply. Here's a picture that may help clarify:

    192.168.1.0/24 -> router -> 1.1.1.1 (DSL1) -> 1.1.2.1 (DSL1's gateway)
                             -> 1.1.1.2 (DSL2) -> 1.1.2.2 (DSL2's gateway)
                             -> 1.1.1.3 (DSL3) -> 1.1.2.3 (DSL3's gateway)

    Currently if I do "show ip route" the "gateway of last resort" is the next-hop for one of the DSL Lines (1.1.2.2). If I try to telnet to the IP associated with that interface (1.1.1.2), I'm still unsuccessful, but again, only from certain connections (for example, it doesn't work from home but does work from work).

    Do you think this is still the same problem?

    I currently have 3 route-maps to NAT the internal traffic. Here is the relevant part of the config associated with that:

    ip route 0.0.0.0 0.0.0.0 1.1.2.1
    ip route 0.0.0.0 0.0.0.0 1.1.2.2
    ip route 0.0.0.0 0.0.0.0 1.1.2.3

    ip nat inside source route-map NATdailer0 interface Dialer0 overload
    ip nat inside source route-map NATdailer1 interface Dialer1 overload
    ip nat inside source route-map NATdailer2 interface Dialer2 overload

    access-list 1 permit 192.168.1.0 0.0.0.255

    route-map NATdailer0 permit 10
     match ip address 1
     match interface Dialer0
    !
    route-map NATdailer1 permit 10
     match ip address 1
     match interface Dialer1
    !
    route-map NATdailer2 permit 10
     match ip address 1
     match interface Dialer2

    Should I add 3 new route-maps as you suggested or modify the existing ones?

    Thanks again for your help!
    JmanSC, Jan 29, 2009
    #4
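
Added example (not from any poster in this thread): the local-policy suggestion from post #3 extended to all three DSL lines, using the placeholder addresses from the posts above, so that traffic the router itself originates from a given WAN address leaves toward that line's gateway. The route-map name ReturnSameLine and ACL numbers 171-173 are hypothetical; this policy is separate from the NATdailer route-maps, which are left unchanged.

```cisco
! Added example; addresses are the thread's placeholders, names are hypothetical.
!
! One ACL per WAN address, matching packets the router sources from it.
! "ip" (not "tcp") so ICMP echo replies match as well as telnet replies.
access-list 171 remark ROUTER TRAFFIC SOURCED FROM DSL1 ADDRESS
access-list 171 permit ip host 1.1.1.1 any
access-list 172 remark ROUTER TRAFFIC SOURCED FROM DSL2 ADDRESS
access-list 172 permit ip host 1.1.1.2 any
access-list 173 remark ROUTER TRAFFIC SOURCED FROM DSL3 ADDRESS
access-list 173 permit ip host 1.1.1.3 any
!
! A single route-map with one sequence per line: the router accepts only
! one "ip local policy route-map" at a time.
route-map ReturnSameLine permit 10
 match ip address 171
 set ip next-hop 1.1.2.1
!
route-map ReturnSameLine permit 20
 match ip address 172
 set ip next-hop 1.1.2.2
!
route-map ReturnSameLine permit 30
 match ip address 173
 set ip next-hop 1.1.2.3
!
! Local policy applies to packets generated by the router itself
! (ping replies, telnet sessions to the router), not to traffic
! forwarded from the 192.168.1.0/24 LAN.
ip local policy route-map ReturnSameLine
!
! Checks after applying:
!   show ip local policy     - confirms the route-map is bound
!   show route-map           - per-sequence match counters should increase
!   debug ip policy          - shows which sequence each packet hit
```

Traffic forwarded for inside hosts is not affected by local policy and needs an interface-level `ip policy route-map` on the LAN interface instead.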
  5. JmanSC

    JmanSC

    New problem

    I tried what was suggested and I'm now able to consistently get into the router for administration.

    However, I'm doing some port forwarding to access a server inside the local LAN. I have a similar problem in that the port forwarding seems to work when only one line is active, but quits working when the other two are active.

    I guess this is another route-map problem, but I'm not sure how to fix it.

    Here's an example of my current port forward command:

    ip nat inside source static tcp 192.168.1.245 80 1.1.1.1 80 extendable

    I looked at the nat translation table and when only 1 WAN connection is active, the outside local and global entries for inbound 80 traffic are empty - just a dashed line. After enabling the other 2 connections (and 3 are active at a time) the outside local and global populate with my remote IP and source port, but this is when it doesn't work.

    Can anyone help?

    Thanks!
    Last edited: Mar 16, 2009
    JmanSC, Mar 16, 2009
    #5
  6. JmanSC

    JmanSC

    I figured out my problem.

    I had to create a route-map for the internal host and bind it to the ethernet interface:

    access-list 160 permit ip host 192.168.1.245 any
    route-map webserver permit 10
     match ip address 160
     set ip next-hop 1.1.1.1
    !
    int f0/0
     ip policy route-map webserver
    JmanSC, Mar 18, 2009
    #6