Multiple NAT'ed interfaces

Hello,

Sorry for asking what I believe is a fairly basic question, but I haven't been able to find the information elsewhere.

I have a Cisco 2801 with a 4-port switch module. I need to have 2 ISPs connected for redundancy. My problem is that I have been trying to get the 2 internal interfaces to do outside NAT, but so far with little luck.

I have a subnet: 10.193.0.0/255.255.255.0. The two interfaces are on 2 different ISP networks. Their IP addresses are 62.242.206.2 and 83.93.155.2, with gateways on 62.242.206.1 and 82.93.155.1.

I need to have crypto tunnels to a remote office. If ISP 1 (62.242.206.x) dies, then it should go through ISP 2 (83.93.155.x), both the tunnel and ordinary surfing.

I can imagine that the (pseudo) config is something like this:

    interface FastEthernet0/0
     description ISP 1
     ip address 62.242.206.2
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     no cdp enable
     crypto map remote-pix

    interface FastEthernet0/1
     description ISP 2
     ip address 83.93.155.2
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     no cdp enable
     crypto map remote-pix

    crypto map remote-pix 15 ipsec-isakmp
     set peer 80.60.40.20
     set transform-set strongsha
     match address 141

    route-map nonat permit 10
     match ip address 131

    ip route 0.0.0.0 0.0.0.0 62.242.206.1 1 (metric 1)
    ip route 0.0.0.0 0.0.0.0 82.93.155.1 10 (metric 10)

I have an ACL 141 for not NAT'ing (what goes through the tunnel) and a reverse ACL 131 for NAT'ing (going to the internet).

However, when it gets to do the actual NAT'ing, this is what causes me problems:

    ip nat inside source route-map nonat interface FastEthernet0/0 overload

Now - seeing that it's not too keen on creating multiple of these, how do I go about implementing transparent redundancy on the line(s)? I need to have the two lines take over for each other when one goes down. There is no inbound traffic other than the tunnel (and obviously I create multiple peers on the remote PIX).

Thank you very much for your suggestions!

Best regards,

-Allan Jensen
