
Hi Selvarathnam,

There are 2 failovers that need to happen when using 2 internet connections:
Network failover: when the internet cannot be reached via one ISP network, the router should use the other available ISP network. You configure this using Track, IP SLA, & PBR to tell the router which ISP to use and what criteria should cause the router to switch over. And you have to apply the route-map configured here to your LAN-facing interface.
NAT failover: when one link fails, the NAT entries of the failed ISP network cannot be routed via the available ISP network since they are different subnets; the router therefore needs to immediately build a fresh NAT entry for the same affected LAN subnet(s). If this is not properly set up, the router can fail over to the 2nd ISP with the old NAT entry and the traffic will begin to get dropped. As per your scenario, the following example should help:

ISP 1 = 100.100.100.1
ISP 2 = 200.200.200.1
Router F0/0 = 100.100.100.2
Router F0/1 = 200.200.200.2
Router F1/0.100 (LAN1) = 192.168.100.0/24
Router F1/0.200 (LAN2) = 192.168.200.0/24

Configs

track 1 ip sla 1 reachability
 delay down 1 up 1
track 2 ip sla 2 reachability
 delay down 1 up 1

schedule (to plan/program)
threshold (threshold)
SLA (service level validation)

ip sla 1
 icmp-echo 100.100.100.1 source-interface FastEthernet0/0
 timeout 5000
 ! if the latency on this link goes beyond 5000ms, note that this SLA will consider this link as failed
 threshold 5000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.200.200.1 source-interface FastEthernet0/1
 timeout 5000
 ! if the latency on this link goes beyond 5000ms, note that this SLA will consider this link as failed
 threshold 5000
 frequency 5
ip sla schedule 2 life forever start-time now

ip access-list extended LAN1_ACL
 remark deny needed to unapply the policy for inter-LAN traffic
 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended LAN2_ACL
 remark deny needed to unapply the policy for inter-LAN traffic
 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
route-map LAN1_INTERNET_POLICY permit 10
 match ip address LAN1_ACL
 set ip next-hop verify-availability 100.100.100.1 1 track 1
 set ip next-hop verify-availability 200.200.200.1 2 track 2
route-map LAN2_INTERNET_POLICY permit 10
 match ip address LAN2_ACL
 set ip next-hop verify-availability 200.200.200.1 1 track 2
 set ip next-hop verify-availability 100.100.100.1 2 track 1
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat outside
interface FastEthernet1/0.100
 ip nat inside
 ip policy route-map LAN1_INTERNET_POLICY
interface FastEthernet1/0.200
 ip nat inside
 ip policy route-map LAN2_INTERNET_POLICY
At this point, you have completed the Network Failover part of the config; if one link goes down now, the router will switch to the other available link. Notice each PBR carries double ip next-hop entries with sequence numbering telling it which next-hop to use first; if you have 5 ISPs, you'll have 5 entries using the sequence numbers to give priority. Also notice we had to first deny inter-LAN traffic from being used for this policy. This is important only if your LANs pass through the router to inter-communicate; without it you may have shut down inter-LAN comms by the policy. If inter-LAN comms happen on an internal switch, then the deny lines of the ACLs will not be needed.
The next agenda is to implement NAT failover; it's really not a failover, it is called Multihoming, whereby the router automatically builds the right NAT entry for any traffic traversing it notwithstanding the number of ISPs available. See as follows:

ip access-list standard NAT_ACL
 permit any
route-map ISP1_NAT permit 10
 match ip address NAT_ACL
 match interface FastEthernet0/0
route-map ISP2_NAT permit 10
 match ip address NAT_ACL
 match interface FastEthernet0/1
ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload

That's it! We are done. Notice our NAT ACL just matches any traffic and it's the same ACL for both ISPs' NAT route-maps. Only the matched interfaces differ. You might as well configure your NAT ACL to permit only both internal subnets (192.168.100.0/24 & 192.168.200.0/24) instead of any. It will still achieve the same thing. The bottom line is your NAT ACL must match & permit all traffic that will require NAT, whether using their primary or secondary ISPs correspondingly. What enforces which ISP each LAN should use at any time are the PBRs applied on their respective LAN interfaces.
Optionally, if you need to test this with ICMP stateful failover, you might need to add: ip nat translation icmp-timeout 1
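The wiring between the two halves of the reply (PBR next-hops guarded by track objects, and NAT route-maps keyed on the egress interface) is easy to break during later edits. Here is an added Python audit, my own example and not part of the reply above, that parses a constructed IOS-style config modelled on the one in the reply and reports any PBR next-hop whose track or IP SLA is missing, and any ip nat statement whose route-map does not match the outside interface it uses; the config text and the parser are assumptions of this example.

```python
import re

# Constructed sample (not the poster's text): the reply's failover config, reduced to the lines the audit reads.
SAMPLE_CONFIG = """\
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
ip sla 1
ip sla 2
route-map LAN1_INTERNET_POLICY permit 10
 set ip next-hop verify-availability 100.100.100.1 1 track 1
 set ip next-hop verify-availability 200.200.200.1 2 track 2
route-map LAN2_INTERNET_POLICY permit 10
 set ip next-hop verify-availability 200.200.200.1 1 track 2
 set ip next-hop verify-availability 100.100.100.1 2 track 1
route-map ISP1_NAT permit 10
 match interface FastEthernet0/0
route-map ISP2_NAT permit 10
 match interface FastEthernet0/1
ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload
"""

def parse_route_maps(config):
    """Map each route-map name to its indented match/set lines."""
    rmaps, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
        if m:
            rmaps.setdefault(cur := m.group(1), [])
        elif cur and line.startswith(" "):
            rmaps[cur].append(line.strip())
        else:
            cur = None
    return rmaps

def audit(config):
    """Return problems found; an empty list means the failover wiring is consistent."""
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+)", config, re.M))
    slas = set(re.findall(r"^ip sla (\d+)\s*$", config, re.M))
    rmaps, problems = parse_route_maps(config), []
    for name, lines in rmaps.items():  # every PBR next-hop must be guarded by a real track -> real SLA
        for t in re.findall(r"verify-availability \S+ \d+ track (\d+)", "\n".join(lines)):
            if t not in tracks:
                problems.append(f"{name}: track {t} is not defined")
            elif tracks[t] not in slas:
                problems.append(f"{name}: track {t} points at missing ip sla {tracks[t]}")
    for rm, intf in re.findall(r"^ip nat inside source route-map (\S+) interface (\S+) overload", config, re.M):
        if f"match interface {intf}" not in rmaps.get(rm, []):  # NAT pool must follow the egress link
            problems.append(f"NAT via {intf}: route-map {rm} does not match interface {intf}")
    return problems
```

Run audit() over the running-config text after any change to the failover section; an empty list means the next-hop tracking and the per-ISP NAT route-maps still line up.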
