This was a wish from one of my customers, and I had invested a lot of time trying to bring up the site-to-site VPN on both WAN uplinks with EIGRP metrics and so on… but there is a simpler way: an automatic default-route fallback, which solves our problem in case the primary WAN link fails.
We configure an IP SLA operation that pings a self-defined target (for example the central-office router) every three seconds:
ip sla 10
 icmp-echo 99.22.11.44
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 10 life forever start-time now
Now we define a tracking object that monitors whether the target is reachable (the track refers to SLA operation 10 defined above):
track 10 rtr 10 reachability
Edit: on IOS version 15.x the syntax is:
track 10 ip sla 10 reachability
The default route via the primary WAN uplink is only installed while the target is reachable; when the ICMP echo fails, traffic falls back to the secondary WAN link (in this example a dialer interface). So we also add a default route out of the dialer interface with a higher administrative distance:
ip route 0.0.0.0 0.0.0.0 88.77.66.55 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
To be on the safe side we also configure NAT overload for both interfaces:
ip access-list extended tonat_wan1
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.23.0 0.0.0.255 any
ip access-list extended tonat_wan2
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.23.0 0.0.0.255 any
ip nat inside source list tonat_wan1 interface FastEthernet0 overload
ip nat inside source list tonat_wan2 interface Dialer1 overload
You can also bind your VPN crypto map to both WAN uplinks so that the VPN fails over as well. Keep in mind to configure “ip tcp adjust-mss 1452” on your internal LAN interface, otherwise browsing web servers on the internet will not work.
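The whole procedure assembled into one configuration, as an added example that is not from the original post. It uses the 15.x track syntax, pins the probe target to the primary next hop with a host route (plus a Null0 floating route) so the probe cannot succeed over the backup link and flap the track, adds up/down delays, and selects the NAT translation by exit interface via route-maps instead of two overlapping ACLs, since IOS otherwise always takes the first matching NAT rule. Assumed: FastEthernet0 is the primary WAN with next hop 88.77.66.55, Dialer1 the backup, and Vlan1 (hypothetical name) the LAN holding 192.168.23.0/24.

```cisco
! Probe the central-office router every 3 s; a reply must arrive within 1000 ms
ip sla 10
 icmp-echo 99.22.11.44
 timeout 1000
 frequency 3
ip sla schedule 10 life forever start-time now
!
! Pull the primary route after 10 s of failures, re-install it only after 30 s of good probes
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Host route keeps the probe on the primary path. Without it the probe would leave via
! Dialer1 after failover, succeed, and flip the track back up. If FastEthernet0 goes down
! the host route disappears and the Null0 route blackholes the probe instead.
ip route 99.22.11.44 255.255.255.255 88.77.66.55
ip route 99.22.11.44 255.255.255.255 Null0 250
ip route 0.0.0.0 0.0.0.0 88.77.66.55 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
!
! One ACL for the LAN; private destinations (VPN traffic) are excluded from NAT
ip access-list extended tonat
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.23.0 0.0.0.255 any
!
! Route-maps match on the exit interface, so the translation follows the active uplink
route-map NAT_WAN1 permit 10
 match ip address tonat
 match interface FastEthernet0
route-map NAT_WAN2 permit 10
 match ip address tonat
 match interface Dialer1
ip nat inside source route-map NAT_WAN1 interface FastEthernet0 overload
ip nat inside source route-map NAT_WAN2 interface Dialer1 overload
!
interface FastEthernet0
 ip nat outside
interface Dialer1
 ip nat outside
interface Vlan1
 ip nat inside
 ip tcp adjust-mss 1452
```

Verify the state with "show track 10" and "show ip sla statistics 10"; after pulling the primary link, "show ip route 0.0.0.0" should switch to Dialer1 within the configured down delay.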
4 Responses
My congratulations, with one day's delay!
Just a short remark regarding some messed-up terms: “So we also add a default-route out to the dialer-interface with a higher distance metric” – it’s the (administrative) distance, not the metric …
And: Did you recognize that ASA 9.0 has been released?
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.html
Hi Peter!
Nice to hear from you! Thanks for your congratz! 9.0? Ok I will check this and will post a blog entry :) thanks!
ah and I will correct the mistake :)
Nice little tutorial.
Helped me a lot.
Thank you very much.