1841 Dual WAN Question

Hey guys, first post.

I have a Cisco 1841 with an HWIC-4ESW. We have a T1 going into a 1700 and from there I would like it to go to Fe0/0 on the 1841. We will be getting a business cable connection which will be going into Fe0/1 on the 1841. I would like all of the web browsing to go out on Fe0/1 and everything else out on Fe0/0. Is this possible?

Thanks!!!

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

gojericho0

You could use policy routing. You would create an extended access-list to permit all web traffic than match it to a route-map and set the next hop or interface to go out fe0/1.

You would apply the route-map to the fe0/0 so it can match the incoming traffic to the access-list then any packets heading for the web will be redirected to fe0/1. See the link below for more details

http://www.cisco.com/warp/public/105/36.pdf

mikearama

Good to have you with us, FRK... welcome aboard.

Jericho probably describes the "best practice" method of using access lists to do the job.

Based on the simplicity of your network, though, I'd go with a default route...

Assuming that you're either using static routes or a routing protocol on the network, and to the networks on the other end of the T1, all known traffic is accounted for. By using a default route, any unknown destinations (ie, internet sites) would get pushed out the internet link.

ip route 0.0.0.0 0.0.0.0 fastethernet0/1

Of course, this assumes you don't currently have a default gateway pointing elsewhere.

Just an option,
Mike

CmptrFrk

Thanks for the info and link gojericho0!

mikearama right now our setup is T1-1700-DMZ-WatchGuard Firebox-LAN
We have about 120 users, a few VPN's, and a offsite replication server. Needless to say, internet browsing is pretty sloooooow. Hopefully the cable modem handling web only will fix the issue.

CmptrFrk

R1#sh run
Building configuration...

Current configuration : 1203 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
!
interface FastEthernet0/0
ip address Cable IP and Mask
ip route-cache policy
ip policy route-map Web%Browsing
duplex auto
speed auto
!
interface FastEthernet0/1
ip address T1 IP and Mask
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
switchport access vlan 2
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
interface Vlan2
ip address LAN IP and Mask
!
ip route 0.0.0.0 0.0.0.0 T1 Router IP
!
ip http server
no ip http secure-server
!
ip access-list extended test
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map Web%Browsing permit 10
match ip address 101
set ip next-hop Cable Modem IP
!
!
control-plane
end

CmptrFrk

Changed to

interface FastEthernet0/0
ip address Cable IP and Mask
duplex auto
speed auto
!
interface FastEthernet0/1
ip address T1 IP and Mask
ip route-cache policy
ip policy route-map Web%Browsing
duplex auto
speed auto

and still nothing, any ideas?

rossonieri#1

CmptrFrk wrote:

ip route 0.0.0.0 0.0.0.0 T1 Router IP
!
ip http server
end

where is ip route 0/0 via cable modem?

and - that ip http server :: turn it off if you dont need it badly.

HTH.

cheers.

CmptrFrk

Added cable modem route. Turned off HTTP Server.

interface FastEthernet0/0
ip address Cable IP and Mask
duplex auto
speed auto
!
interface FastEthernet0/1
ip address T1 IP and Mask
ip route-cache policy
ip policy route-map Web%Browsing
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address LAN IP and Mask
!
ip route 0.0.0.0 0.0.0.0 T1 Router IP
ip route 0.0.0.0 0.0.0.0 Cable Modem IP
!
no ip http server
no ip http secure-server
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map Web%Browsing permit 10
match ip address 101
set interface FastEthernet0/0

When connected to the router I can ping out from each Int, but cant ping out from the LAN.

rossonieri#1

mmm..

any firewall in front on or inside 1800?

your route-map is still heading your T1 ip.

try ping via each interface by shut down your t1 first - look for reply,
then next one.

NAT?? PAT?? set?? on both interface??

HTH.

cheers.

georgemc

CmptrFrk,
I'm guessing your layout looks something like this. Let me know if this isn't correct

Let's try this for the router config on the 1841.

interface FastEthernet0/0
!***Your original post said the Cable Modem would go to FA0/1
ip address Cable IP and Mask
duplex auto
speed auto
!
interface FastEthernet0/1
!***Your original post said the T1 Connection would go to FA0/0
ip address T1 IP and Mask
! (move next command to the LAN interface)
ip route-cache policy
! (move next command to the LAN Interface)
ip policy route-map Web%Browsing
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address LAN IP and Mask
ip route-cache policy
!this will apply the policy routing to all of your LAN traffic destined for the outside world
ip policy route-map Web%Browsing
!
ip route 0.0.0.0 0.0.0.0 T1 Router IP
! (Remove this,it's not needed)ip route 0.0.0.0 0.0.0.0 Cable Modem IP
!
no ip http server
no ip http secure-server
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
route-map Web%Browsing permit 10
match ip address 101
set interface FastEthernet0/0

I think this is what you're attempting to do. I'm assuming that you 120 LAN users are off of VLAN 2

Can you ping the gateway from the LAN? How about the IP address on FA0/0 and FA0/1?

Because of your default route you wont be able to ping(ICMP) anything beyond the other side of FA0/0. Pings should work through FA0/1 to the outside world just fine.

George

CmptrFrk

rossonieri#1, no firewall yet, but I have a watchguard firebox that I will be placing between the router and LAN. I could ping out each interface until I removed the route to the cable modem. No NAT yet.

georgemc, plus a watchguard firebox between the 1841 and LAN.

Moved policy route to Vlan 2. Removed route to cable modem, but now cant ping out of that interface.

I can ping the default gateway (Vlan 2) and both interfaces from the LAN.

CmptrFrk

Would I put IP NAT OUTSIDE on both of the WAN interfaces, and IP NAT INSIDE on the LAN interface?

Thanks,

Josh

rossonieri#1

well - that is what i've asked you right?

actually for the T1 link it does not necessary do NAT as long as you have a functioning network routing.
(the most important one is your cable that has to have NAT/PAT :: sorry for my bad english

).
but that - you have to make sure your firewall will pass the requested traffic for the T1 link.

for the simplicity just do PAT on both link that goes to T1 and cable.

HTH.

CmptrFrk

Thanks guys, everything is finally working.

hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
interface FastEthernet0/0
description Cable$Connection
ip address Cable IP and Mask
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description T1$Connection
ip address T1 IP and Mask
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 2
!
interface FastEthernet0/0/1
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.0.250 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map Web%Browsing
!
ip route 0.0.0.0 0.0.0.0 T1 Router IP
ip route 0.0.0.0 0.0.0.0 Cable Modem IP
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
route-map Web%Browsing permit 10
match ip address 101
set ip next-hop Cable Modem IP
!
route-map ISP2 permit 10
match ip address 120
match interface FastEthernet0/1
!
route-map ISP1 permit 10
match ip address 120
match interface FastEthernet0/0
!
end