08-08-2011 11:54 AM - edited 03-04-2019 01:13 PM
hi,
I have a scenario (as attached in the pic) where our internal networks 172.16.0.0/24 & 192.168.0.0/24 connect to router A.
inside network -- Router A -- outside (public routed IP pool from ISP 1) -- Router B -- ISP 1
Router A connects to router B, which has ISP 1 terminating its last mile. A public IP pool is provided by ISP 1 which resides between routers A & B.
This means that the ISP connects to our edge via a private cloud and they have given us a public routed pool which we use in between routers A & B.
All VPN users dial VPN using the public IP set at router A, 202.x.x.1.
This setup works well for us: all internal networks access the internet via router A, which NATs the traffic while leaving for router B, after which it is routed to ISP 1.
Now a secondary ISP is needed which needs to terminate on the edge router also. This ISP however has given only a public IP address to use on our end directly, 125.x.x.1.
I have successfully established IP SLA failover with multihoming using dual NATs / route maps while using the secondary ISP on router A,
but the ISP 2 link needs to be on router B as it is the internet edge router, and this is where my problem starts...
I have tried doing the following:
Inside traffic from router A (LAN-facing interfaces marked as inside) has a default route to router B; while exiting router A (from the interface facing router B, marked as outside) it gets NATed with 202.x.x.1 and goes through router B to ISP 1.
On router B, the interface facing router A is marked as inside and the interface facing ISP 2 is marked as outside. How do I NAT specific traffic (via ACL) originating from the internal networks 172.16.0.x and 192.168.0.x to be allowed to go through ISP 2?
I have successfully set up IP SLA between ISP 1 & 2 and the default routes are switched successfully, but I am unable to manipulate the NATing part.
Any help would be great... Wouldn't the traffic exiting from router A (which is NATed with 202.x.x.1) reach router B with the source header also from 202.x.x.1?? Which I then try to NAT again with ISP 2's public IP on the interface, i.e. 125.x.x.1??
Isn't there a way where I do not NAT anything exiting from router A and instead control all NATing on router B?? I'm just confused.....
08-08-2011 06:21 PM
Hi
From your description and the attached diagram I can see that all the required configuration needs to be done on the internet edge router, which is router B, for NATing to two different ISPs. Also you could improve your internet routing by using reliable PBR (PBR with IP SLA), so for example you can keep using your ISP1 for VPN traffic and use ISP2 for HTTP and FTP, for example,
by using an ACL that matches IPsec and an ACL that matches HTTP and FTP and using them in your PBR, and the ISPs will work in failover mode in the case of one link being down. But for VPN you do not need to have failover as the range of public IPs is from ISP1 only.
Anyway, all that you need for NATing is a route map that matches the exit interface of each ISP/NAT.
Please refer to the below link, which will guide you step by step on how to configure it:
https://supportforums.cisco.com/docs/DOC-8313
HTH
if helpful Rate
08-11-2011 11:03 PM
Hi, thanks for the reply and the article, which I will surely follow..
There is one more thing; in my scenario we have
LAN 172.16.0.0/24 ------ router 1--------- router 2 ---- isp 1 & isp 2
The article is based on the fact that the LAN connects to router 2 directly; however in my scenario we connect to router 1, where we have a NAT command for traffic exiting from router 1 to router 2 which is controlled by an ACL to choose selected IP addresses which are allowed to be NATed.
This traffic exits router 1 (NATed with the public IP of ISP 1) and enters router 2, from where there is a default route to the ISP 1 gateway (probably a router placed at their location).
Now my question is, should I do this (and if yes, can you please explain how):
Instead of NATing traffic on router 1 (with the public IP of router 1), I simply forward selected traffic out of router 1 (by using an ACL on the exit interface) to router 2 with their original header of 172.16.0.0 .....
Then on router 2 I define a pool for public IP (a single public IP address given by ISP 1) which I use to NAT traffic while exiting out router 2's interface for the ISP 1 gateway ..
Here is my perception of how the config should look (need your help to see if it's correct):
Router 1
interface GigabitEthernet0/0
description *******USER VLAN 1
ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet0/1
description *******SERVER VLAN 101
ip address 192.168.0.254 255.255.255.0
!
interface Vlan3 (access port mapped on fe 0/0/3, router 1's exit interface for the internet edge router)
description *******INTERNET ROUTER on fe0/03*********
ip address 202.x.x.97 255.255.255.240 ( this public ip pool is given by isp 1 which is routed behind their private cloud)
crypto map clientmap (this interface also accepts VPN client connections via Cisco IPsec VPN client)
ip access-group INTERNET-ACCESS out
!
ip route 0.0.0.0 0.0.0.0 202.x.x.98 (this is router 2 interface IP facing router 1)
ip access-list extended INTERNET-ACCESS (this access list needs to be applied on the router 1 exit interface)
permit ip host 172.16.0.1 any (ip allowed to reach internet)
! end
Router 2
interface Vlan3 (interface connecting to router 1)
ip address 202.x.x.98 255.255.255.240
ip nat inside
ip policy route-map PBR
interface GigabitEthernet0/0 ( last mile connectivity using ISP's own private subnet)
description ****** ISP 1 ***********
ip address 192.168.79.110 255.255.255.252
ip nat outside
interface Vlan4 (last mile connectivity for ISP 2 using its public IP address)
description *********** ISP 2 *********
ip address 125.y.y.18 255.255.255.252
ip nat outside
please see if I am following this correctly ....
ip nat inside source route-map ISP1 interface gigabitethernet 0/0 overload
ip nat inside source route-map ISP2 interface vlan 4 overload
ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
ip route 0.0.0.0 0.0.0.0 125.y.y.17 track 20
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!
ip sla 1
icmp-echo 192.168.79.109
timeout 500
threshold 500
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 125.x.x.17
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq telnet
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq 443
access-list 101 permit ip any any
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 125.y.y.17 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 192.168.79.109 2 track 10
!
thanks for the help .... regards zaid
08-11-2011 11:23 PM
Hi Zaid
Your idea is better,
but as long as ISP1 provided you with a range of public IP addresses, why are you wasting 2 IPs and using them to connect R1 to R2?
You can simplify it and configure the interface between R1 and R2 as a private range, for example 10.1.1.1/30,
and keep all the control on R2 for PBR, NATing and ACLs.
Also you need to add a static NAT entry for the VPN access to NAT it from the public IP provided to remote VPN users to the private IP suggested above.
172.16.0.0 ---- R1--.1---10.1.1.0/30 --.2--R2----internet
NAT in R2 the VPN public IP to 10.1.1.1 so that the VPN works on R1.
In this case you can use the article I provided to you to configure the PBRs and NATing.
Let me know if you are going to do it this way and, if yes, post your config before you apply it so I can check it for you.
good luck
please rate the helpful posts
08-11-2011 11:38 PM
That's a neat idea too ...
I'm weak at NATing .. how do I NAT on R2 so it brings the VPN traffic to R1?
08-12-2011 12:28 AM
ip nat inside source static 10.1.1.1 x.x.x.x
where x.x.x.x is the public IP you use for the VPN and 10.1.1.1 is the private IP address to be given to R1.
Make sure the VPN encapsulation uses ESP in the transport.
The above will NAT everything from x.x.x.x to 10.1.1.1.
If you want only VPN to be NATed you can use the static PAT below:
ip nat inside source static esp 10.10.10.1 x.x.x.x
ip nat inside source static udp 10.10.10.1 500 x.x.x.x 500
HTH
09-06-2011 04:16 AM
Hi Marwan,
Sorry for the late reply, I was on vacation ... now got back to finish the work ...
I am posting the config for my 2 routers for you to check...
Router 1 is a Cisco 2911 (Firewall) and router 2 is also a Cisco 2911 (Internet Edge Router)
(we call it firewall as this will be replaced with an ASA in future)
User LAN 172.16.0.0/24 & Server Farm 192.168.0.0/24------(ROUTER1)---172.16.200.8/30---(ROUTER2)------ ISP1 202.163.x.x & ISP2 202.141.y.y
I had to use an ACL group for outbound on router 1's interface which connects to router 2, as I have to select specified IPs from the 172.16.0.0 and 192.168.0.0 subnets which are allowed to the internet edge router..
Then on router 2 I use destination-based PBR to divert traffic..
Can you please check if I have messed up something
ROUTER1 FIREWALL
## user for VPN
username zaid privilege 0 secret 5 $1$2LV1$6xcxxcxcdcdcdc
!
### VPN Configuration
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco12345
dns 192.168.0.100 192.168.0.101
pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
## Interface connecting to the user LAN
interface GigabitEthernet0/0
description *******CORE SWITCH USER VLAN 1 - SUBNET *********
ip address 172.16.0.254 255.255.255.0
ip helper-address 192.168.0.100
ip helper-address 192.168.0.101
ip directed-broadcast
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
!
!
## Interface connecting to the server farm
interface GigabitEthernet0/1
description *******CORE SWITCH SERVER VLAN 101 - SUBNET *********
ip address 192.168.0.254 255.255.255.0
ip directed-broadcast
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
!
!
## Interface connecting to Internet Edge Router & interface for accepting VPN traffic
## out ACL is implemented to control which internal traffic is allowed to go to the internet router (e.g. proxy servers, mail servers, etc.)
interface GigabitEthernet0/2
description ******* FIREWALL TO INTERNET EDGE - Private SUBNET *********
ip address 172.16.200.9 255.255.255.252
duplex auto
speed auto
crypto map clientmap
ip access-group INTERNET-ACCESS out
!
interface FastEthernet0/0/0
switchport access vlan 2
!
!
##Interface connecting to MPLS Edge Router for branches
interface Vlan2
description *******DATA ROUTER - SUBNET fe0/0/0 *********
ip address 172.16.200.1 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
!
## IP pool for VPN Clients
ip local pool ippool 172.16.100.10 172.16.100.50
!
## Default Route to Internet Edge Router
ip route 0.0.0.0 0.0.0.0 172.16.200.10
## Branch Routes to MPLS Edge Router
ip route 172.16.10.0 255.255.255.0 172.16.200.2
ip route 172.16.11.0 255.255.255.0 172.16.200.2
ip route 172.16.12.0 255.255.255.0 172.16.200.2
ip route 172.16.13.0 255.255.255.0 172.16.200.2
ip route 172.16.14.0 255.255.255.0 172.16.200.2
ip route 172.16.15.0 255.255.255.0 172.16.200.2
ip route 172.16.16.0 255.255.255.0 172.16.200.2
ip route 172.16.150.0 255.255.255.0 172.16.200.2
!
## access list for controlling which traffic goes to the internet edge router via the Gi0/2 interface
ip access-list extended INTERNET-ACCESS
permit ip host 192.168.0.2 any
permit ip host 192.168.0.10 any
permit tcp host 192.168.0.51 any eq 993
permit tcp host 192.168.0.51 any eq 995
permit tcp host 192.168.0.51 any eq 465
permit tcp 172.16.0.0 0.0.0.255 any eq 993
permit tcp 172.16.0.0 0.0.0.255 any eq 995
permit tcp 172.16.0.0 0.0.0.255 any eq 465
permit ip 172.16.0.0 0.0.0.255 host 202.12.1.45
permit tcp 172.16.0.0 0.0.0.255 host 124.29.245.51 eq 7795
permit ip host 172.16.0.86 any
END
INTERNET EDGE ROUTER
## Interface connecting to FIREWALL also set as inside
## Interface is also defined for PBR
interface GigabitEthernet0/0
description ********** FIREWALL SUBNET ***********
ip address 172.16.200.10 255.255.255.252
ip nat inside
duplex auto
speed auto
ip policy route-map PBR
!
!
## Interface connecting to ISP1 Fiber media converter with their private IP address
interface GigabitEthernet0/1
description ********** CYBERNET - SUBNET ***********
ip address 192.168.79.110 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
duplex auto
speed auto
ip nat outside
!
!
interface FastEthernet0/0/2
switchport access vlan 3
!
interface FastEthernet0/0/3
switchport access vlan 4
!
## Interface with ISP 1 Public IP address (routed pool behind the private last mile)
## Users also use this IP address to dial in VPN via Cisco IPsec VPN client
interface Vlan3
description ********** CYBERNET - Public SUBNET ***********
ip address 202.163.x.x 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip nat outside
!
!
## Interface with ISP2 public ip address
interface Vlan4
description ********** MULTINET - Public SUBNET ***********
ip address 202.141.y.y 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip nat outside
!
## default routes with tracking as per doc
ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
ip route 0.0.0.0 0.0.0.0 202.141.y.z track 20
## routes to internal user LAN & server farm via router 1
ip route 192.168.0.0 255.255.255.0 172.16.200.9
ip route 172.16.0.0 255.255.255.0 172.16.200.9
!
## ip sla config as per doc
ip sla 1
icmp-echo 192.168.79.109
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 202.141.2x.1x
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!
## ACL 10 selects all traffic forwarded from Router 1 with 172.16.200.0/24 header
access-list 10 permit 172.16.200.0 0.0.0.255
## ACL > CYB for all traffic coming from FIREWALL (Router 1)
ip access-list ex CYB
permit ip host 172.16.200.9 any
## ACL > MUL for tcp 993, 995, 465 and host 202.163.1.2 coming from FIREWALL (Router 1)
ip access-list ex MUL
permit tcp host 172.16.200.9 any eq 993
permit tcp host 172.16.200.9 any eq 995
permit tcp host 172.16.200.9 any eq 465
permit ip host 172.16.200.9 host 202.163.1.2
## Policy routing, FIRST checks ACL > MUL and for all matching traffic sets next hop to ISP 2
route-map PBR permit 10
match ip address MUL
set ip next-hop verify-availability 202.141.y.z 2 track 10
!
## Policy routing, SECOND checks ACL > CYB and for all remaining traffic sets next hop to ISP 1
route-map PBR permit 30
match ip address CYB
set ip next-hop verify-availability 192.166.70.109 1 track 20
!
## Policy routing to control ISP 1 nat, which matches ACL 10
route-map CYB permit 10
match ip address 10
match interface vlan3
!
## Policy routing to control ISP 2 nat which matches ACL 10
route-map MUL permit 10
match ip address 10
match interface vlan4
## nat commands for both ISPs
ip nat inside source route-map CYB interface vlan 3 overload
ip nat inside source route-map MUL interface vlan 4 overload
## Static NAT / PAT for VPN Traffic, which is forwarded to 172.16.200.9 (router1's gi0/2 interface) which is set to accept vpn traffic
ip nat inside source static esp 172.16.200.9 202.163.x.x
ip nat inside source static udp 172.16.200.9 500 202.163.x.x 500
## Static NAT / PAT for Exchange Traffic
ip nat inside source static tcp 192.168.0.103 25 202.163.x.9x 25
ip nat inside source static tcp 192.168.0.103 443 202.163.x.9x 443
Message was edited by: Zaid Farooqui
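The following is an added example, not code from the thread or from Cisco. It is a small Python model of the Router 2 logic that both posted configs rely on (the earlier draft with route-maps ISP1/ISP2 and the final one with CYB/MUL): a route-map PBR whose set clauses use verify-availability with track objects, tracked static default routes, and "ip nat inside source route-map ... interface ... overload" rules whose route-maps match the exit interface. It shows two things that can be read off the final config: with "match interface vlan3" in route-map CYB, a packet that is policy-routed to the ISP1 gateway leaves GigabitEthernet0/1 with its 172.16.200.9 source untranslated (the point Marwan raises about the private-IP link), while changing the match to GigabitEthernet0/1 translates it to the Vlan3 address; and a cross-check of each PBR next hop against the IP SLA target of its track object, which flags both PBR sequences because track 10 probes the ISP1 gateway but guards the ISP2 next hop, and track 20 the reverse. Assumptions: the masked public addresses are replaced by RFC 5737 documentation ranges (198.51.100.0/28 for ISP1's 202.163.x.x pool, 203.0.113.16/30 for ISP2's 202.141.y.y link, 192.0.2.10 and 198.51.100.200 as constructed destinations); the ISP1 next hop in route-map PBR 30 is taken as 192.168.79.109 from the default route, because the posted 192.166.70.109 lies on none of the router's connected subnets; a PBR next hop whose track is down falls back to the routing table; when both tracked defaults are up the model takes the first one rather than load-sharing; and the static NAT entries are left out.

```python
# Added example, not part of the thread: a model of how Router 2's policy
# routing and route-map NAT decide where a packet exits and whether its source
# is translated. Masked addresses are replaced by RFC 5737 ranges (198.51.100.0/28
# for ISP1's 202.163.x.x pool, 203.0.113.16/30 for ISP2's 202.141.y.y link).
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src dst proto dport")
AclEntry = namedtuple("AclEntry", "proto src dst dport", defaults=(None,))  # "ip" = any proto


def acl_permits(entries, pkt):
    """First-match evaluation of an extended ACL; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if (e.proto in ("ip", pkt.proto) and src in ipaddress.ip_network(e.src)
                and dst in ipaddress.ip_network(e.dst) and e.dport in (None, pkt.dport)):
            return True
    return False


@dataclass
class Router:
    ifaces: dict       # name -> (address/prefix, configured "ip nat outside")
    acls: dict         # ACL name -> [AclEntry]
    tracks: dict       # track id -> True while the tracked IP SLA is up
    sla_targets: dict  # track id -> address its IP SLA probes
    pbr: list          # (acl, next hop, track) in route-map PBR sequence order
    defaults: list     # (next hop, track) tracked static default routes
    nat_maps: list     # (acl, "match interface", interface whose address is used)

    def egress(self, ip):
        """Name of the connected interface whose subnet holds ip, else None."""
        for name, (addr, _) in self.ifaces.items():
            if ipaddress.ip_address(ip) in ipaddress.ip_interface(addr).network:
                return name
        return None

    def forward(self, pkt):
        """Return (exit interface, source address seen on the wire)."""
        next_hop = None
        for acl, hop, track in self.pbr:
            if acl_permits(self.acls[acl], pkt):
                # verify-availability: the hop is used only while its track is up,
                # otherwise the packet falls back to the routing table (model assumption)
                next_hop = hop if self.tracks[track] else None
                break
        if next_hop is None:  # first live tracked default wins in this model
            next_hop = next((h for h, t in self.defaults if self.tracks[t]), None)
        out = self.egress(next_hop) if next_hop else None
        if out is None:
            return ("dropped", pkt.src)
        if self.ifaces[out][1]:  # inside->outside translation needs a NAT outside interface
            for acl, match_if, overload_if in self.nat_maps:
                if match_if == out and acl_permits(self.acls[acl], pkt):
                    return (out, str(ipaddress.ip_interface(self.ifaces[overload_if][0]).ip))
        return (out, pkt.src)  # no NAT rule matched: the private source leaks to the ISP

    def track_mismatches(self):
        """PBR hops whose track object probes a target on a different interface."""
        return [(acl, hop, track) for acl, hop, track in self.pbr
                if self.egress(hop) != self.egress(self.sla_targets[track])]


def build_r2(cyb_match_iface="Vlan3", tracks=None):
    """Router 2 as posted; cyb_match_iface="GigabitEthernet0/1" applies Marwan's fix."""
    ifaces = {
        "GigabitEthernet0/0": ("172.16.200.10/30", False),  # ip nat inside, towards R1
        "GigabitEthernet0/1": ("192.168.79.110/30", True),  # ISP1 private last mile
        "Vlan3": ("198.51.100.2/28", True),                 # ISP1 public pool (placeholder)
        "Vlan4": ("203.0.113.18/30", True),                 # ISP2 public link (placeholder)
    }
    r1, anywhere = "172.16.200.9/32", "0.0.0.0/0"
    acls = {
        "10": [AclEntry("ip", "172.16.200.0/24", anywhere)],
        "CYB": [AclEntry("ip", r1, anywhere)],
        "MUL": [AclEntry("tcp", r1, anywhere, p) for p in (993, 995, 465)]
               + [AclEntry("ip", r1, "198.51.100.200/32")],  # placeholder for host 202.163.1.2
    }
    return Router(
        ifaces, acls, tracks or {10: True, 20: True},
        sla_targets={10: "192.168.79.109", 20: "203.0.113.17"},
        # track ids exactly as posted; ISP1 hop taken from the default route, since the
        # posted PBR line's 192.166.70.109 is on none of the router's connected subnets
        pbr=[("MUL", "203.0.113.17", 10), ("CYB", "192.168.79.109", 20)],
        defaults=[("192.168.79.109", 10), ("203.0.113.17", 20)],
        nat_maps=[("10", cyb_match_iface, "Vlan3"), ("10", "Vlan4", "Vlan4")],
    )


if __name__ == "__main__":
    web = Packet("172.16.200.9", "192.0.2.10", "tcp", 80)   # constructed sample flows
    imap = Packet("172.16.200.9", "192.0.2.10", "tcp", 993)
    print("posted, web:", build_r2().forward(web))          # Gi0/1, source left untranslated
    print("fixed, web:", build_r2("GigabitEthernet0/1").forward(web))
    print("ISP2 down, imap:", build_r2(tracks={10: True, 20: False}).forward(imap))
    print("track mismatches:", build_r2().track_mismatches())
```

The "ISP2 down" case is the practical consequence of the swapped track ids: mail traffic matching MUL is still policy-routed to the ISP2 next hop while ISP2's own track is down, because the sequence checks track 10, which probes ISP1. Pairing each verify-availability clause with the track that probes that same gateway, and matching the NAT route-map on the real exit interface, removes both problems.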
09-06-2011 04:43 AM
Hi Zaid
Welcome back and good luck with your changes.
About your config, it looks ok;
however I have a couple of notes:
1- You seem to be using interfaces vlan3 and 4 for outside connectivity and NATing,
so why is your default route here using the interface with the private IP?
ip route 0.0.0.0 0.0.0.0 192.168.79.109 track 10
And the interface with the private IP is being used in the NAT route-maps and is not ip nat outside.
Check this point
with the PBR
config below:
route-map PBR permit 30
match ip address CYB
set ip next-hop verify-availability 192.166.70.109 1 track 20
Your traffic sourced from R1, which includes VPN, will go to the private IP ISP link and no NATing will happen!
Is this what you want?
2- Just update this line:
ip nat inside source static esp 172.16.200.9 202.163.104.97
so the above public IP users will use for VPN access, which is through a different ISP I assume, but the PBR will send the
traffic back from R1 to the ISP link with the private IP, a different path, and no NATing; then you will have an issue with the VPN.
By the way, make sure you hide your public IPs here, better for you.
Now in general your config is ok; you need to review the ISP link and VPN bit only.
If you have a lab or GNS it's better to test it before you put it in production.
HTH
09-06-2011 05:06 AM
hi,
Yes, I used the private IP (which is ISP1's next hop) on the fiber link in the default route; however while leaving this interface the packet needs to be NATed with ISP1's public IP which is set on vlan 3..
So I guess I'll have to add "ip nat outside" on the interface gi0/1 also ..
For tracking also I am using the private IP address as this address is the IP of the ISP router port .. (they do not have a public IP address on the next hop gateway device)
Point 2, yes that was a typo: ip nat inside source static esp 172.16.200.9 202.163.x.x .. Note that the private IP interface is set as outside, so the traffic should be NATed with the 202.163.x.x public IP address for ISP1 and the VPN should work..
right? I will test it tomorrow hopefully
09-06-2011 05:14 AM
OK, so ISP one, they will route the public IP even if it comes over the private IP link? If this is the case, no problem,
but in your NATing you need the ip nat outside on that interface,
and also you need the match interface to be the one with the private IP as this represents the exit interface.
Once you test, let me know about the result or if you have any issue.
good luck