[c-nsp] Static NAT and route-maps
Matt Stevens
2004-11-01 20:33:27 UTC
I have a customer with two ISP connections going into a 2600. Using NAT
and route-maps I can specify which pool gets used, based on which
outbound interface things are sent through.

My problem is with hosts given a static translation. If I give an inside
host two statics, one out of each provider's address space, I can only
access the host with the static from the current primary (default
routed) provider.

Whenever I access the host via the non-primary static the return traffic
is sent out the wrong interface. Since the source address isn't correct,
the upstreams drop the traffic.

I've tried matching the traffic with route-maps on the outbound
interfaces so that I always send traffic out the proper interface based
on source address, but it doesn't seem to work.

Ideas? Config is below...
--
matt


interface Ethernet1/0
 ip address 206.176.235.234 255.255.255.248
 ip nat outside
 ip policy route-map right-interface
!
interface Ethernet1/1
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/2
 ip address 64.7.66.245 255.255.255.248
 ip nat outside
 ip policy route-map right-interface
!
ip nat inside source route-map vista interface Ethernet1/0 overload
ip nat inside source route-map webpercep interface Ethernet1/2 overload
!
ip nat inside source static tcp 192.168.254.150 80 64.7.81.130 80 extendable
ip nat inside source static tcp 192.168.254.150 80 206.176.235.235 80 extendable
!
ip route 0.0.0.0 0.0.0.0 206.176.235.233 10
ip route 0.0.0.0 0.0.0.0 64.7.66.241 80
!
access-list 3 permit 64.7.66.241
access-list 4 permit 206.176.235.233
access-list 5 deny 192.168.254.150
access-list 5 deny 192.168.254.1
access-list 5 deny 192.168.254.112
access-list 5 deny 192.168.254.105
access-list 5 permit 192.168.254.0 0.0.0.255
access-list 6 permit 64.7.66.240 0.0.0.7
access-list 6 permit 64.7.81.128 0.0.0.31
access-list 7 permit 206.176.235.232 0.0.0.7
!
route-map right-interface permit 10
 match ip address 6
 set ip next-hop 64.7.66.241
!
route-map right-interface permit 20
 match ip address 7
 set ip next-hop 206.176.235.233
!
route-map webpercep permit 10
 match ip address 5
 match ip next-hop 3
!
route-map vista permit 10
 match ip address 5
 match ip next-hop 4

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Brian Feeny
2004-11-02 03:03:07 UTC
Allow me to make some suggestions:

First, make sure you local-policy-route the IP you wish to manage the
router with; otherwise you may not be able to reach the router when you
need to:

! access-list 103 (not shown here) matches traffic sourced from the
! router's own management address
ip local policy route-map local
!
route-map local permit 10
 match ip address 103
 set interface Serial0


PBR is done on the "inside" interface. You are putting it on the outside
interface. You want to put it on the INSIDE interface and match against
the IP address BEFORE it gets translated by NAT.

Definitely make sure CEF is turned on.


Brian
Post by Matt Stevens
I have a customer with two ISP connections going into a 2600. Using
NAT and route-maps I can specify which pool gets used, based on which
outbound interface things are sent through.
My problem is with hosts given a static translation. If I give an
inside host two statics, one out of each providers address space, I
can only access the host with the static from the current primary
(default routed) provider.
Whenever I access the host via the non-primary static the return
traffic is sent out the wrong interface. Since the source address
isn't correct, the upstreams drop the traffic.
I've tried matching the traffic with route-maps on the outbound
interfaces so that I always send traffic out the proper interface
based on source address, but it doesn't seem to work.
Ideas? Config is below...
--
matt
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
Phillip Vandry
2004-11-05 21:45:09 UTC
Post by Matt Stevens
My problem is with hosts given a static translation. If I give an inside
host two statics, one out of each provider's address space, I can only
access the host with the static from the current primary (default
routed) provider.
If you can't get it to work, you might try this workaround.

Assign two private IPs to each of the servers. Have the services bind
to both IP addresses (or INADDR_ANY). NAT connections from ISP1 to
private address 1 and connections from ISP2 to private address 2.
Use policy routing to source route traffic from private address 1 to
ISP1 and traffic from private address 2 to ISP2. (The server's "main"
IP address, which could be yet a third private address, can follow
the default route to whichever ISP is active).

-Phil
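The following IOS configuration fragment is an added example, not a config posted by anyone in this thread. It puts Brian's two points (policy-route on the inside interface against the pre-NAT address, and local-policy-route the router's own traffic so the box stays reachable) together with Phil's workaround (a second private address on the server, one static per ISP). It reuses the interfaces, global addresses and next hops from Matt's config; the second private address 192.168.254.151, the ACL numbers 11, 12, 103 and 104, and the route-map names inside-pbr and local-pbr are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Hypothetical second private address
! 192.168.254.151 on the web server; ACL numbers and route-map names are
! chosen here, not taken from any post.
!
ip cef
!
! --- Return traffic for the statics: PBR on the INSIDE interface --------
! One static per ISP, each to a different private address, so the pre-NAT
! source address tells the router which ISP the connection arrived on.
! 64.7.81.130 belongs to the 64.7.x provider (next hop 64.7.66.241),
! 206.176.235.235 to the 206.176.x provider (next hop 206.176.235.233).
ip nat inside source static tcp 192.168.254.151 80 64.7.81.130 80 extendable
ip nat inside source static tcp 192.168.254.150 80 206.176.235.235 80 extendable
!
! Standard ACLs keyed on the private (pre-NAT) source address.
access-list 11 permit 192.168.254.151
access-list 12 permit 192.168.254.150
!
! Replies from .151 are pinned to the 64.7.x link, replies from .150 to the
! 206.176.x link. Anything that matches neither sequence falls through the
! route-map and follows the normal default route.
route-map inside-pbr permit 10
 match ip address 11
 set ip next-hop 64.7.66.241
!
route-map inside-pbr permit 20
 match ip address 12
 set ip next-hop 206.176.235.233
!
! The policy goes where the server's replies ENTER the router, i.e. the
! inside interface, before NAT rewrites the source address.
interface Ethernet1/1
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip policy route-map inside-pbr
!
! --- Router-originated (management) traffic: local policy --------------
! Packets the router sources from its 64.7.x address must leave via the
! 64.7.x link and packets from its 206.176.x address via the 206.176.x
! link, whichever default route is active; otherwise the router can
! become unreachable on the non-preferred link.
access-list 103 permit ip host 64.7.66.245 any
access-list 104 permit ip host 206.176.235.234 any
!
route-map local-pbr permit 10
 match ip address 103
 set ip next-hop 64.7.66.241
!
route-map local-pbr permit 20
 match ip address 104
 set ip next-hop 206.176.235.233
!
ip local policy route-map local-pbr
!
! The outside interfaces no longer carry "ip policy route-map right-interface":
! a policy on an outside interface only sees packets arriving FROM that ISP,
! never the server's replies, which arrive on Ethernet1/1.
interface Ethernet1/0
 ip address 206.176.235.234 255.255.255.248
 ip nat outside
!
interface Ethernet1/2
 ip address 64.7.66.245 255.255.255.248
 ip nat outside
```

Two things to check when adapting this: the existing overload route-maps (vista and webpercep) match on the next hop chosen by the routing decision, and PBR on the inside interface sets that next hop before NAT runs, so the pooled hosts keep working as before; and if access-list 5 is meant to keep the server out of the overload pool, it needs a deny for the new 192.168.254.151 address alongside the existing deny for 192.168.254.150.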