I'm trying to get a dual WAN setup working with a 3120, and I'm having a bit of trouble.
I have my primary link on eth 0/1
I have my secondary link on sw 0/1
I created a new VLAN (vlan 2), set it up with the IP addressing of the secondary link, and assigned it to sw 0/1
I set up a monitor to monitor eth 0/1 and drop the link if it can't ping 4.2.2.2 6 times or more.
When eth 0/1 can't ping 4.2.2.2 6 times or more, or if I physically unplug (or shutdown) eth 0/1, my default route properly changes to sw 0/1
The problem is, since I'm running NAT, I can't figure out how to set up my overload rule.
Before I set up the secondary link, my private policy-class was pretty straightforward:
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload
and wizard-ics just being a permit any rule.
I tried adding a second overload thinking that if eth 0/1 was down, it'd just skip it, but it doesn't seem to do that. When I have my private policy like so
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload
nat source list secondary-link interface vlan 2 overload
(secondary-link also just being a permit any)
and eth 0/1 is down, traffic just dies inside the router. If I ping out from the router it works, but anything behind NAT doesn't. If I move the secondary-link rule up one so its priority is higher than the wizard-ics rule, it correctly overloads to vlan 2.
What am I doing wrong inside my private policy-class?
(also, when eth 0/1 goes down, my VPN properly establishes over vlan 2, and I'm able to send traffic over to the remote network from inside my local network, so it really feels like a NATting problem to me)
- Thanks for posting on the forum!
The only thing you appear to be missing is a destination policy-class in your NAT statements under the Private policy-class. There should be a separate security zone for each public interface. The primary NAT out to the internet must be linked to the appropriate policy. A secondary NAT must also be created in the event of failover. This will cause the router to monitor for valid routes out of that policy before the traffic goes through NAT. If failover has occurred, no valid route will exist and the router will move on to the secondary NAT.
Syntax: nat source list <ACL name> address <public IP> policy <policy attached to interface>
EX: (config-policy-class)# nat source list wizard-ics interface eth 0/1 overload policy Public1
EX: (config-policy-class)# nat source list secondary-link interface vlan 2 overload
More information regarding this application can be found in the following guide: Configuring WAN Failover with Network Monitor in AOS
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
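The complete Private policy-class as the answer describes it, written out as an added example (this is not a configuration from the original thread or from ADTRAN). It reuses the poster's interface and ACL names; the zone names Public1 and Public2, and the access-policy assignments on the two public interfaces, are assumptions about how the rest of the config is laid out.

```text
! Added example, not from the original thread.
! One security zone (policy-class) per public interface; inbound rules
! for each link go in these (omitted here).
ip policy-class Public1
ip policy-class Public2

! Assumed: each public interface is bound to its own zone.
interface eth 0/1
  access-policy Public1
interface vlan 2
  access-policy Public2

! Both NAT ACLs are plain permit-any, as in the original post.
ip access-list extended wizard-ics
  permit ip any any
ip access-list extended secondary-link
  permit ip any any

ip policy-class Private
  allow list VPN-10-vpn-selectors
  allow list self self
  ! The primary NAT rule is tied to the Public1 zone. AOS checks for a
  ! valid route out of that zone before applying NAT; when eth 0/1 is
  ! down (link lost or pulled by the monitor) no such route exists, so
  ! this rule is skipped rather than swallowing the traffic.
  nat source list wizard-ics interface eth 0/1 overload policy Public1
  ! The secondary NAT rule carries no policy keyword and acts as the
  ! catch-all once the primary rule is skipped.
  nat source list secondary-link interface vlan 2 overload
```

The ordering keeps the primary rule first, which is what the poster wanted: with the policy keyword present, rule order alone no longer decides which interface gets the overload, the route check does. The secondary rule is left without a policy keyword to match the answer's example; giving it `policy Public2` would follow the same pattern but is not something the thread shows.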
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor