3 Replies Latest reply on Feb 18, 2013 12:37 PM by noor

    Using a 3120 with two WAN

    gbove New Member

      I'm trying to get a dual WAN setup working with a 3120, and I'm having a bit of trouble.

      I have my primary link on eth 0/1.

      I have my secondary link on sw 0/1.

      I created a new VLAN (vlan 2), set it up with the IP addressing of the secondary link, and assigned it to sw 0/1.

      I set up a monitor to watch eth 0/1 and drop the link if it can't ping 4.2.2.2 six times or more.

      When eth 0/1 can't ping 4.2.2.2 six times or more, or if I physically unplug (or shut down) eth 0/1, my default route properly changes to sw 0/1.

      The problem is, since I'm running NAT, I can't figure out how to set up my overload rule.

      Before I set up the secondary link, my private policy-class was pretty straightforward:

       

      ip policy-class Private
        allow list VPN-10-vpn-selectors
        allow list self self
        nat source list wizard-ics interface eth 0/1 overload

      and wizard-ics is just a permit any rule.

       

      I tried adding a second overload, thinking that if eth 0/1 was down it'd just skip it, but it doesn't seem to do that. When I have my private policy like so:

      ip policy-class Private
        allow list VPN-10-vpn-selectors
        allow list self self
        nat source list wizard-ics interface eth 0/1 overload
        nat source list secondary-link interface vlan 2 overload

      (secondary-link is also just a permit any)

      and eth 0/1 is down, traffic just dies inside the router. If I ping out from the router it works, but anything behind NAT doesn't. If I move the secondary-link entry up one so its priority is higher than the wizard-ics rule, it correctly overloads to vlan 2.

      What am I doing wrong inside my private policy-class?

      (Also, when eth 0/1 goes down, my VPN properly establishes over vlan 2, and I'm able to send traffic over to the remote network from inside my local network, so it really feels like a NATting problem to me.)

        • Re: Using a 3120 with two WAN
          Employee

          gbove - Thanks for posting on the forum!

          The only thing you appear to be missing is a destination policy-class in your NAT statements under the Private policy-class. There should be a separate security zone for each public interface. The primary NAT out to the internet must be linked to the appropriate policy. A secondary NAT must also be created in the event of failover. This will cause the router to monitor for valid routes out of that policy before the traffic goes through NAT. If failover has occurred, no valid route will exist and the router will move on to the secondary NAT.

          Syntax: nat source list <ACL name> address <public IP> policy <policy attached to interface>

          EX: (config-policy-class)# nat source list wizard-ics interface eth 0/1 overload policy Public1
          EX: (config-policy-class)# nat source list secondary-link interface vlan 2 overload

          More information regarding this application can be found in the following guide: Configuring WAN Failover with Network Monitor in AOS

          Please do not hesitate to let us know if you have any further questions.

          Thanks,
          Noor
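          The configuration below pulls the answer above together into one complete AOS fragment. It is an added example for this page, not gbove's running config and not taken from the ADTRAN guide Noor links. The ACL and policy-class names gbove posted (Private, wizard-ics, secondary-link, VPN-10-vpn-selectors) are kept; Public1 comes from Noor's example; Public2, the IP addresses (documentation ranges), the gateways, and the probe/track names are assumed. The `probe`/`track` block and the `access-policy` interface binding are written from general AOS familiarity and should be checked against the failover guide for your AOS release. Adding `policy Public2` to the second NAT entry (Noor's example leaves it off) is this editor's choice, so that both entries are tied to a zone and the route check applies to each.

```text
! --- One public security zone per WAN interface ---------------------------
! Inbound traffic on a WAN interface with no access-policy bound is not
! subject to any policy-class, so give the secondary link its own zone
! rather than reusing the primary one. Inbound rules you already carry for
! the primary zone (for example the VPN peer) belong here too; they are
! omitted because the thread does not show them.
ip policy-class Public1
ip policy-class Public2

! --- Private zone: both NAT entries, each tied to its public zone ----------
! Because each nat entry names a policy, the router first checks for a valid
! route out of that zone. With the primary down and the default route on
! vlan 2, the eth 0/1 entry has no usable route and is skipped, so the
! vlan 2 entry is used without reordering the entries.
ip policy-class Private
  allow list VPN-10-vpn-selectors
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload policy Public1
  nat source list secondary-link interface vlan 2 overload policy Public2

! --- Bind each zone to its interface (addresses assumed) -------------------
interface eth 0/1
  ip address 203.0.113.2 255.255.255.248
  access-policy Public1
  no shutdown

interface vlan 2
  ip address 198.51.100.2 255.255.255.248
  access-policy Public2
  no shutdown

! --- Network monitor: fail the primary after six consecutive lost pings ---
! (probe/track syntax is an assumption; confirm against the AOS guide)
probe PRIMARY-WAN icmp-echo
  destination 4.2.2.2
  period 10
  tolerance consecutive fail 6
  no shutdown

track PRIMARY-WAN-UP
  test if probe PRIMARY-WAN
  no shutdown

! Primary default route is withdrawn when the track fails; the floating
! static (higher administrative distance) on vlan 2 then takes over.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track PRIMARY-WAN-UP
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

          To verify, pull eth 0/1 and generate traffic from a host behind the router; `show ip policy-sessions` should then show sessions translated out of vlan 2, and `show track` should report the primary track as failed. The point worth keeping in mind is that the second zone is not just plumbing for NAT: without an access-policy on vlan 2, the failover link is an unfiltered path into the router while it is carrying the default route.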

            • Re: Using a 3120 with two WAN
              Employee

              gbove -

              I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.


              Thanks,

              Noor

                • Re: Using a 3120 with two WAN
                  Employee

                  I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


                  Thanks,

                  Noor