cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Admin Access on Second WAN

Jump to solution

I have a 3448 running R10.9.0.E.  There are two WANs (one on ETH 0/1, the other on ETH 0/2), and I have failover working like it should.  I have admin access enabled on both WANs, but I can only get in on the secondary WAN when the primary WAN has failed.  I believe this is by design and I have to set up a route-map. I'm hoping someone can confirm this or tell me if there is a better way to do it.

ip access-list extended WAN2-ADMIN-ACCESS

     permit ip host X.X.X.X ip host Y.Y.Y.Y (where XXXX is where I need to access from and YYYY is the IP of my second WAN)

route-map SECOND-WAN permit 10

     match ip address WAN2-ADMIN-ACCESS

     set ip next-hop Y.Y.Y.Z (default gateway of WAN2)

interface eth 0/2

     ip policy route-map SECOND-WAN

Since I already have the admin-access rule working when WAN2 is up, this should be all I need, correct?

Please let me know if you need any more info or if there is a better way to do this. 

Thanks for your help

craig

0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Admin Access on Second WAN

Jump to solution

- Thanks for posting your question on the forum!

You are definitely on the right track regarding your configuration. I'm just going to suggest a couple of changes:

- The ACL should actually reference the reverse traffic. Your traffic is hitting the router but is then being sent out the primary connection. In this case the ACL should look like this:

ip access-list extended WAN2-ADMIN-ACCESS

     permit ip host Y.Y.Y.Y ip host X.X.X.X (where XXXX is where I need to access from and YYYY is the IP of my second WAN)

- Your route-map needs to be applied to the router locally. This is because admin access traffic is destined to and sourced from the router itself.

ip local policy route-map SECOND-WAN


- You will need to disable RPF check on the public WAN access-policies

no ip policy-class <policy-class Name> rpf-check


Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

View solution in original post

2 Replies
Anonymous
Not applicable

Re: Admin Access on Second WAN

Jump to solution

- Thanks for posting your question on the forum!

You are definitely on the right track regarding your configuration. I'm just going to suggest a couple of changes:

- The ACL should actually reference the reverse traffic. Your traffic is hitting the router but is then being sent out the primary connection. In this case the ACL should look like this:

ip access-list extended WAN2-ADMIN-ACCESS

     permit ip host Y.Y.Y.Y ip host X.X.X.X (where XXXX is where I need to access from and YYYY is the IP of my second WAN)

- Your route-map needs to be applied to the router locally. This is because admin access traffic is destined to and sourced from the router itself.

ip local policy route-map SECOND-WAN


- You will need to disable RPF check on the public WAN access-policies

no ip policy-class <policy-class Name> rpf-check


Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: Admin Access on Second WAN

Jump to solution

Thanks, Noor, that did the trick!