ping response on both interface with multihoming setup

[szpuni]

Hello,

I was doing recently multihomed setup on one of my cisco routers and I ran into problem which I can't solve till now.

Basically there is 2 ISP connections and one private subnet range.
Problem is when i'm using default gateway I can't ping backup interface due to packet is not coming back over backup interface but main one instead.

Any ideas how I can force ping responses sent to Fa8 to go back over same interface not by gig0 interface?

gigabit0 interface is my main interface by which I sent most of traffic and fastethernet8 is interface for backup connection and to send traffic by only one host from subnet.

Interesting part of configuration:

interface FastEthernet8
description ISP_B
ip address 2.2.2.2 255.255.255.252
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
!
!
interface GigabitEthernet0
description ISP_A
ip address 1.1.1.1 255.255.255.240
ip access-group acl_fcc_in in
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map cm-cryptomap
!
!
interface Vlan1
ip address 192.168.100.4 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map ISP_Policy

ip nat inside source route-map ISPA interface GigabitEthernet0 overload
ip nat inside source route-map ISPB interface FastEthernet8 overload

ip access-list extended backup_isp
deny ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip host 192.168.100.153 any
permit ip host 192.168.100.151 any
deny ip any any

ip access-list extended NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip 192.168.100.0 0.0.0.255 any

route-map ISPB permit 10
match ip address NAT
match interface FastEthernet8
!
route-map ISPA permit 10
match ip address NAT
match interface GigabitEthernet0
!
route-map ISP_Policy permit 10
match ip address backup_isp
set ip next-hop 2.2.2.1

 

[unclerico]

what address are you sourcing your icmp traffic from and what address are you trying to hit?? are you trying to hit your next-hop of 2.2.2.1 or something else further downstream??

 

[chieftan]

Unclerico, that was my thoughts exactly.

If you are trying to ping that interface from an address on the other subnet, then the echo reply will respond back down the same initiating route.... it will not use a different route to respond on.

So, for example, if you are pinging the fa8 interface via the gi0 interface then the echo response will return the same way, via the gi0 interface.

 

[szpuni]

Hello,

Sorry was away from computer for some time

I want to get response from both WAN interfaces in the same time while trying to ping them from internet not from inside network.
There is a simple diagram showing that:

Basically if I ping WAN1 (that computer at the top of diagram ) which is my gateway of last resort I got response from that IP but if I ping backup WAN2 interface I have no response cause packet is routed by WAN1 instead of WAN2.

And I'm trying to ping addresses of both interfaces Gig0 and Fa8 not next hops as next hops are my gateways for both ISP providers.
Any ideas?

 

[unclerico]

because your default route is pointing to ISPA, all of your return traffic will go that way. now, if you had floating statics for both ISPA and ISPB then there is a chance that some of the traffic would take the proper return path. just because traffic is received on an interface does not mean it will exit that same interface (known as asymmetric routing). when your router receives an ICMP echo, it formulates its ICMP echo-reply message by taking the original source IP (WAN2 in this case) and uses that as the new destination IP. the router does a lookup for this destination and because you don't have a more specific route back to the source it will choose the default route which is to ISPA. add a static route into your router for the source of WAN2 traffic and watch it return out ISPB interface.