08-08-2013 07:48 AM - edited 03-04-2019 08:42 PM
Good day to all!
I have faced a problem when I tried to use route-maps and dynamic PAT (overload) on the ASR1002 series.
At the moment there are:
2x ASR 1002
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.09.01.S
System image file is "bootflash:/asr1000rp1-adventerprisek9.03.09.01.S.153-2.S1.bin"
There is one ISP at the moment.
The ASRs act as a border gateway between the internal network and the internet.
The inside interfaces of both ASRs are connected with HSRP.
On the ASRs there are already:
- dynamic PAT (internet for internal users)
- static NAT (one server that should be accessed from outside)
- ZBFW
- RA VPN
There is NO BGP, PI address space or AS.
The task is rather simple: to make a connection to the second ISP for redundancy (the best would be to use both ISPs at the same time, but due to the bug (feature) that I will describe, this is impossible).
Interfaces on ASR:
Po1.101 - internal network (192.168.0.0/16 and 10.0.0.0/8). 10.255.255.0/24 - RA-VPN pool, 10.10.10.2 - host that should have a static NAT.
Po2.2 - ISP1 (1.1.1.0/27, GW: 1.1.1.30)
Po2.3 - ISP2 (2.2.2.0/29, GW: 2.2.2.6)
Config:
...
!
interface Port-channel1.101
description INSIDE
encapsulation dot1Q 101
ip address 10.0.0.2 255.255.255.248
no ip redirects
ip nat inside
zone-member security INSIDE
standby version 2
standby 1 ip 10.0.0.1
standby 1 priority 110
standby 1 preempt
standby 1 name INSIDE
standby 1 track 1 decrement 30
standby 1 track 2 decrement 20
standby 1 track 3 decrement 20
standby 1 track 4 decrement 40
standby 1 track 5 decrement 30
!
...
!
interface Port-channel2.2
description ISP1
encapsulation dot1Q 2
ip address 1.1.1.1 255.255.255.224
no ip redirects
ip nat outside
zone-member security OUTSIDE
crypto map MYMAP
!
interface Port-channel2.3
description ISP2
encapsulation dot1Q 3
ip address 2.2.2.2 255.255.255.248
no ip redirects
ip nat outside
zone-member security OUTSIDE
crypto map MYMAP
!
...
!
ip route 0.0.0.0 0.0.0.0 1.1.1.30 track 2
ip route 10.255.255.0 255.255.255.0 Port-channel2.2 track 2
ip route 0.0.0.0 0.0.0.0 2.2.2.6 250
ip route 10.0.0.0 255.0.0.0 10.0.0.6
ip route 10.255.255.0 255.255.255.0 Port-channel2.3 250
ip route 192.168.0.0 255.255.0.0 10.0.0.6
!
...
!
route-map ISP1 permit 10
description ISP1
match ip address NAT
match interface Port-channel2.2
!
route-map ISP2 permit 10
description ISP2
match ip address NAT
match interface Port-channel2.3
!
route-map EXT_via_ISP1 permit 10
match ip address EXT_ROUTE_MAP
match interface Port-channel2.2
!
route-map EXT_via_ISP2 permit 10
match ip address EXT_ROUTE_MAP
match interface Port-channel2.3
!
...
!
ip access-list extended NAT
deny ip host 10.10.10.2 any
deny ip 192.168.0.0 0.0.255.255 10.255.255.0 0.0.0.255
deny ip 10.0.1.0 0.0.0.255 10.255.255.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.255.255.0 0.0.0.255
deny ip 10.1.0.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
!
ip access-list extended EXT_ROUTE_MAP
permit ip host 10.10.10.2 any
!
ip nat inside source route-map ISP2 interface Port-channel2.3 overload
ip nat inside source route-map ISP1 interface Port-channel2.2 overload
ip nat inside source static 10.10.10.2 1.1.1.2 route-map EXT_via_ISP1 redundancy INSIDE
ip nat inside source static 10.10.10.2 2.2.2.3 route-map EXT_via_ISP2 redundancy INSIDE
The problem is connected with this command:
"ip nat inside source route-map ISP1 interface Port-channel2.2 overload"
After this command has been entered, the behavior of NAT becomes very strange.
There are no dynamic translations in the NAT table EXCEPT ICMP...
Inside users can ping everything on the internet, but they cannot access any external resource...
After replacing this command with
"ip nat inside source list NAT interface Port-channel2.2 overload"
and clearing translations, everything begins to work (dynamic translations appear in the NAT table).
There is no syslog message at all...
Host 10.10.10.2 is available from the internet with address 1.1.1.2 regardless of the dynamic NAT configuration (with and without route-map)...
Is there something that I forgot, or is it a limitation?
Or is this a bug?
In my scenario there is no way to use 2 ISPs (with a backup scheme, and even more so when we want to use them at the same time) without route-maps...
Thanks for any help in advance.
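As an added example (not the poster's configuration or any Cisco code), the following script models the first-match evaluation of the NAT access list and the two match clauses of route-map ISP1 from the post, so that the exclusions for the static-NAT host and the RA-VPN pool can be checked offline before the overload statement is touched. The ACL is transcribed from the post; the sample source and destination addresses in the checks are constructed, and the egress-interface name passed to nat_eligible is an assumption standing in for the routing decision the router would make.

```python
import ipaddress

# The "NAT" access list from the post, transcribed as
# (action, src, src_wildcard, dst, dst_wildcard).
# Cisco wildcard masks: a 0 bit must match, a 1 bit is "don't care".
NAT_ACL = [
    ("deny",   "10.10.10.2",  "0.0.0.0",       "0.0.0.0",      "255.255.255.255"),
    ("deny",   "192.168.0.0", "0.0.255.255",   "10.255.255.0", "0.0.0.255"),
    ("deny",   "10.0.1.0",    "0.0.0.255",     "10.255.255.0", "0.0.0.255"),
    ("deny",   "10.10.10.0",  "0.0.0.255",     "10.255.255.0", "0.0.0.255"),
    ("deny",   "10.1.0.0",    "0.0.0.255",     "10.255.255.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.255.255",   "0.0.0.0",      "255.255.255.255"),
    ("permit", "10.0.0.0",    "0.255.255.255", "0.0.0.0",      "255.255.255.255"),
]


def _wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard does not ignore."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if _wildcard_match(src, s_base, s_wc) and _wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


def nat_eligible(src, dst, egress_iface, route_map_iface="Port-channel2.2"):
    """Model of route-map ISP1: 'match ip address NAT' AND
    'match interface Port-channel2.2' must both hold (egress_iface is an
    assumed input standing in for the router's routing decision)."""
    return acl_lookup(NAT_ACL, src, dst) == "permit" and egress_iface == route_map_iface


if __name__ == "__main__":
    # Constructed sample flows: an inside user to the internet, the static-NAT
    # host, and an inside user to the RA-VPN pool.
    for src, dst, iface in [("192.168.1.10", "203.0.113.10", "Port-channel2.2"),
                            ("10.10.10.2", "203.0.113.10", "Port-channel2.2"),
                            ("192.168.1.10", "10.255.255.5", "Port-channel2.2")]:
        print(src, "->", dst, "via", iface, "PAT:", nat_eligible(src, dst, iface))
```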