03-30-2003 10:51 PM - edited 03-02-2019 06:16 AM
I have a Cisco 1720 router with a leased line to the internet and ISDN backup to the internet. The ISDN backup is using the "backup interface" method. My ISP assigns a different IP pool for my leased line and for ISDN, so I use route-maps so that the router will select the appropriate pool when using the leased line or ISDN.
For testing purposes, when I am connected using the leased line, I issue a continuous ping to my ISP's primary DNS server, 165.21.83.88. When I remove the leased line connection, the ISDN kicks in and runs fine, but my ping never recovers from "request timeout"! If I stop the ping and issue a new ping to my ISP's secondary DNS server, 165.21.100.88, I get a reply. When I cancel this ping and ping 165.21.83.88 again, it still gets request timeout!
Now when I put back the leased line connection, the ISDN goes down. Now I can ping 165.21.83.88 but I cannot ping 165.21.100.88.
It seems like the NAT translation for 165.21.83.88 continuously sticks to the leased line although I am using the ISDN backup. Likewise the NAT translation for 165.21.100.88 sticks to the ISDN connection even though I am using the leased line.
Why?? How can I solve this problem??
03-31-2003 09:48 AM
I'd suggest running some debugs the next time you test the failover to see what is happening to the translations... debug ip nat and debug ip nat detailed.
03-31-2003 11:30 AM
First you need to make sure that the DNS servers, primary and secondary, assigned via the leased line and via the ISDN PPP link are the same.
Now you can automatically clear those NAT entries using the command "ip nat translation .....". You can use "ip nat translation dns-timeout 5", where 5 is in seconds, to clear that DNS NAT entry in 5 seconds.
Please visit the following URL for more on that
04-01-2003 10:15 AM
DNS server is the same for leased line and ISDN. Pinging the dns server is just an example. It happens even when I ping another fixed public IP. Does the "ip nat translation dns-timeout 5" command resolve issues like pinging to another fixed public IP?
04-01-2003 05:54 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
My config is as follows:
--moderator edit-- router#sh ru
Building configuration...
Current configuration : 1709 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname --moderator edit-- router
!
logging rate-limit console 10 except errors
enable secret 5 --moderator edit-- xxxxxxx
!
memory-size iomem 25
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
!
!
!
interface BRI0
ip address --moderator edit-- nnn.nn.nn.250 255.255.255.252
ip nat outside
encapsulation ppp
dialer idle-timeout 60
dialer map ip --moderator edit-- nnn.nn.nn.249 name --moderator edit-- router 65375200
dialer-group 1
isdn switch-type basic-net3
ppp authentication pap callin
ppp pap sent-username --moderator edit-- router password 7 --moderator edit--
!
interface FastEthernet0
ip address --moderator edit-- qqq.qqq.qqq.4 255.255.0.0
ip nat inside
speed auto
!
interface Serial0
backup delay 0 30
backup interface BRI0
ip address --moderator edit-- rrr.rr.rr.250 255.255.255.252
no ip proxy-arp
ip nat outside
no cdp enable
!
ip nat pool MAYPOOL --moderator edit-- sss.sss.ss.194 --moderator edit-- sss.sss.ss.198 netmask 255.255.255.248
ip nat pool Leased_Line_Pool --moderator edit-- vvv.vvv.vvv.33 --moderator edit-- vvv.vvv.vvv.33 prefix-length 28
ip nat inside source route-map ISDN_Map pool MAYPOOL overload
ip nat inside source route-map Leased_Line_Map pool Leased_Line_Pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 --moderator edit-- rrr.rr.rr.249
ip route 0.0.0.0 0.0.0.0 --moderator edit-- nnn.nn.nn.249 200
no ip http server
!
access-list 1 permit --moderator edit-- ttt.ttt.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map ISDN_Map permit 10
match ip address 1
match interface BRI0
!
route-map Leased_Line_Map permit 10
match ip address 1
match interface Serial0
!
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
password 7 --moderator edit--
login
!
no scheduler allocate
end
04-01-2003 07:56 PM
Take the "match ip address 1" statement out from both of the route-maps.
Basically you are defining the same rule in two different route-maps.
Once the "match ip address 1" rule gets parsed, NAT in effect does not bother with the other rules.
The catch here is to have the policies in your route-maps as different as possible. Try with just the match interface statement, and that should work for you.
04-07-2003 04:26 AM
I have a similar problem using route-maps with two different pools. The situation occurs when the first link goes down and the second link assumes the connection, but NAT doesn't change the pool unless I enter a manual command like clear ip nat translation *.
Some part of my configuration is as follows:
Interface Serial0/0:0
ip address 200.184.229.109 255.255.255.252
ip nat outside
!
Interface Serial0/1:0
ip address 200.157.1.1 255.255.255.0
ip nat outside
ip nat pool RS102 200.184.1.1 200.184.1.254 netmask 255.255.255.0
ip nat pool RS101 198.22.1.1 198.22.1.254 netmask 255.255.255.0
!two different pools
ip nat inside source route-map POOL1 pool RS101
ip nat inside source route-map POOL2 pool RS102
!two different route-maps
ip route 0.0.0.0 0.0.0.0 200.184.229.110
ip route 0.0.0.0 0.0.0.0 200.157.1.2 50
!two default routes with different administrative distance
access-list 10 permit 200.184.229.110
access-list 20 permit 200.157.1.2
route-map POOL2 permit 10
match ip next-hop 20
!
route-map POOL1 permit 10
match ip next-hop 10
ip nat translation timeout 10
NAT translation never expires!
cpe-nat-multi-h#sh ip nat tran ic ver
Pro Inside global Inside local Outside local Outside global
icmp 198.22.1.1:256 10.0.0.1:256 20.0.0.1:256 20.0.0.1:256
create 00:00:29, use 00:00:00, left 00:00:09, Map-Id(In): 1,
icmp 198.22.1.3:256 10.0.0.2:256 20.0.0.1:256 20.0.0.1:256
create 00:00:25, use 00:00:00, left 00:00:09, Map-Id(In): 1,
C 200.157.1.0/24 is directly connected, Serial0/1:0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet3/0
S* 0.0.0.0/0 [50/0] via 200.157.1.2
IOS software: c3640-jsx-mz.122-13.T.bin
NAT doesn't apply the condition defined in the route-maps to change the pool (even using only one statement in each route-map).
Does this problem represent a Bug? Any suggestion?
Thanks
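An added check, not from this thread or from Cisco, that parses "show ip nat translations verbose" output in the format shown above and flags entries whose inside-global address was allocated from the pool the route-maps would not select for the currently active default-route next-hop. The pool ranges, next-hops and sample output lines are constructed from the config in this post; such stale entries are what "clear ip nat translation *" removes.

```python
import ipaddress
import re

# Constructed from the config in the post above: the two NAT pools and the
# pool each route-map is meant to select for each default-route next-hop.
POOLS = {
    "RS101": (ipaddress.ip_address("198.22.1.1"), ipaddress.ip_address("198.22.1.254")),
    "RS102": (ipaddress.ip_address("200.184.1.1"), ipaddress.ip_address("200.184.1.254")),
}
NEXT_HOP_POOL = {"200.184.229.110": "RS101", "200.157.1.2": "RS102"}

# Constructed sample of 'show ip nat translations verbose' output, modelled on
# the lines in the post: entries created while the primary link was active.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 198.22.1.1:256    10.0.0.1:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:29, use 00:00:00, left 00:00:09, Map-Id(In): 1,
icmp 198.22.1.3:256    10.0.0.2:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:25, use 00:00:00, left 00:00:09, Map-Id(In): 1,
"""

# proto, inside global, inside local, outside local, outside global (addr:port)
ENTRY_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+\s+(\S+):\d+")

def pool_for(addr):
    """Return the NAT pool whose address range contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (lo, hi) in POOLS.items():
        if lo <= ip <= hi:
            return name
    return None

def parse_translations(text):
    """Yield (proto, inside_global, inside_local, outside_global) per entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(5)

def stale_translations(text, active_next_hop):
    """List entries whose inside-global address is not from the pool the
    route-maps select for the currently active default-route next-hop.
    After a failover an existing entry is reused for new packets of that
    flow, so traffic leaves with the old pool's address until the entry
    expires or is cleared."""
    expected = NEXT_HOP_POOL[active_next_hop]
    return [(proto, il, ig, pool_for(ig))
            for proto, ig, il, _og in parse_translations(text)
            if pool_for(ig) != expected]
```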
04-07-2003 12:57 PM
This is interesting, but the real problem here is the ISP that's making people buy two address pools. That's ridiculous and unnecessary. For one thing it means you cannot have any incoming traffic, no onsite servers for email or web hosting. Your DNS on the internet will only point to one of the address spaces, and it can take 7 days to update DNS on the internet. Not a very good failover time. The ISP should be able to reroute to the same pool through the ISDN backup.
To make this work you need to make the route-maps sensitive to the status of the WAN circuit. I don't think that's possible.
04-10-2003 06:47 AM
Thanks for the answer, but the explanation is trying to show that the change from one pool to another doesn't work correctly, because every kind of combination was already configured in the route-map (match interface, match ip next-hop) and the NAT translation never expires for the instance because it doesn't use the information in the route-maps.
These two statements can be sensitive to the status of the WAN circuit, but unfortunately the pools are not changed if one link goes down because NAT seems not to use the information in the route-maps.
This case is not a commercial case but technical and the customer will not buy two addresses from the same ISP. He has a configuration with two different addresses from two ISPs and is trying to use some kind of automatic redundancy without BGP.
04-10-2003 07:05 AM
Have you seen this doc? It might help; it's called NAT order of operation.
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
04-14-2003 12:51 PM
Thanks for the answer. This paper confirms the first question: policy routing is performed before NAT, but in a specific lab environment the router doesn't join a statement like "match ip next-hop" with the correct NAT pool.
Similar questions about NAT with different pools using Route-maps are already described in others conversations. I think that Cisco can clarify the issues about the configuration with NAT and Route-maps.
Is there someone from Cisco to help us?