2 Replies Latest reply on Feb 13, 2014 5:42 PM by xucraig

    Admin Access on Second WAN

    xucraig New Member

I have a 3448 running R10.9.0.E. There are two WANs (one on ETH 0/1, the other on ETH 0/2), and I have failover working like it should. I have admin access enabled on both WANs, but I can only get in on the secondary WAN when the primary WAN has failed. I believe this is by design and I have to set up a route-map. I'm hoping someone can confirm this or tell me if there is a better way to do it.

      ip access-list extended WAN2-ADMIN-ACCESS
           permit ip host X.X.X.X host Y.Y.Y.Y
           (where X.X.X.X is where I need to access from and Y.Y.Y.Y is the IP of my second WAN)

      route-map SECOND-WAN permit 10
           match ip address WAN2-ADMIN-ACCESS
           set ip next-hop Y.Y.Y.Z (default gateway of WAN2)

      interface eth 0/2
           ip policy route-map SECOND-WAN

      Since I already have the admin-access rule working when WAN2 is up, this should be all I need, correct?


      Please let me know if you need any more info or if there is a better way to do this.


      Thanks for your help

      craig

        • Re: Admin Access on Second WAN
          Employee

          xucraig - Thanks for posting your question on the forum!


          You are definitely on the right track regarding your configuration. I'm just going to suggest a couple of changes:


          - The ACL should actually reference the reverse traffic. Your traffic is hitting the router but is then being sent out the primary connection. In this case the ACL should look like this:

          ip access-list extended WAN2-ADMIN-ACCESS
               permit ip host Y.Y.Y.Y host X.X.X.X
               (where X.X.X.X is where you need to access from and Y.Y.Y.Y is the IP of your second WAN)

          - Your route-map needs to be applied to the router locally. This is because admin access traffic is destined to and sourced from the router itself.


          ip local policy route-map SECOND-WAN


          - You will need to disable the RPF check on the public WAN access-policies:

          no ip policy-class <policy-class Name> rpf-check


          Please do not hesitate to let us know if you have any questions.

          Thanks,

          Noor
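Added example (not from the forum thread or ADTRAN's own code) that models the two points in the answer above: why the ACL must match the router's reply traffic (Y.Y.Y.Y -> X.X.X.X) for the local policy route-map to pull it onto WAN2, and why a strict RPF check on the eth 0/2 policy-class rejects the admin host's inbound packets when the routing table only knows a default route via WAN1. All addresses and the routing table are constructed placeholders standing in for X.X.X.X, Y.Y.Y.Y and Y.Y.Y.Z.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation ranges) standing in for
# the post's X.X.X.X (admin host), Y.Y.Y.Y (WAN2 address) and Y.Y.Y.Z (WAN2 gateway).
ADMIN_HOST = "198.51.100.10"   # X.X.X.X
WAN2_ADDR = "203.0.113.5"      # Y.Y.Y.Y, address on eth 0/2
WAN2_GW = "203.0.113.1"        # Y.Y.Y.Z
WAN1_GW = "192.0.2.1"          # primary default gateway on eth 0/1

# Constructed routing table: the two connected WAN subnets plus a default route via WAN1.
ROUTING_TABLE = [
    ("0.0.0.0/0", "eth 0/1"),
    ("192.0.2.0/24", "eth 0/1"),
    ("203.0.113.0/24", "eth 0/2"),
]

def egress_interface(dst):
    """Longest-prefix match over ROUTING_TABLE, as the normal forwarding lookup would do."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def acl_permits(acl, src, dst):
    """Extended ACL modelled as 'permit ip host SRC host DST' entries with an implicit deny."""
    return any(src == s and dst == d for s, d in acl)

def local_policy_next_hop(acl, src, dst):
    """'ip local policy route-map SECOND-WAN': a router-sourced packet matching the ACL is
    sent to Y.Y.Y.Z; anything else follows the routing table, i.e. the WAN1 default route."""
    return WAN2_GW if acl_permits(acl, src, dst) else WAN1_GW

ACL_AS_POSTED = [(ADMIN_HOST, WAN2_ADDR)]   # permit ip host X.X.X.X host Y.Y.Y.Y
ACL_CORRECTED = [(WAN2_ADDR, ADMIN_HOST)]   # permit ip host Y.Y.Y.Y host X.X.X.X

def reply_next_hop(acl):
    """Next hop chosen for the router's own reply in the admin session: Y.Y.Y.Y -> X.X.X.X."""
    return local_policy_next_hop(acl, WAN2_ADDR, ADMIN_HOST)

def rpf_check_passes(ingress_if, src):
    """Strict RPF on the inbound WAN policy-class: the packet's source must be reachable
    back out of the interface it arrived on, otherwise the packet is dropped."""
    return egress_interface(src) == ingress_if

if __name__ == "__main__":
    print("ACL as posted, reply leaves via:", reply_next_hop(ACL_AS_POSTED))   # WAN1: asymmetric
    print("ACL corrected, reply leaves via:", reply_next_hop(ACL_CORRECTED))   # WAN2: symmetric
    print("RPF check on eth 0/2 for admin host:", rpf_check_passes("eth 0/2", ADMIN_HOST))
```

With the posted ACL the reply never matches, so it exits WAN1 and the session from the admin host fails; with the corrected ACL it exits WAN2, and the RPF result shows why that check has to be disabled on the eth 0/2 policy-class.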