09-18-2022 01:29 PM - edited 09-18-2022 01:30 PM
A C1111 with a built-in LTE modem (Cellular 0/2/0) and a second LTE connection on its WAN port (Gi0/0/0) from a MikroTik modem with LTE passthrough.
GigabitEthernet0/0/0 xx.xxx.183.118 YES DHCP up up
Cellular0/2/0 yy.yyy.200.208 YES IPCP up up
Gateway of last resort is xx.xxx.183.117 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via xx.xxx.183.117
xx.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C xx.xxx.183.116/30 is directly connected, GigabitEthernet0/0/0
L xx.xxx.183.118/32 is directly connected, GigabitEthernet0/0/0
yy.0.0.0/32 is subnetted, 1 subnets
C yy.yyy.200.208 is directly connected, Cellular0/2/0
With this I can ping xx.xxx.183.118 from outside. These settings (gateway of last resort) are from DHCP.
I cannot ping yy.yyy.200.208.
If I add
ip route 0.0.0.0 0.0.0.0 cellular 0/2/0
I can ping yy.yyy.200.208, but I can't ping xx.xxx.183.118 any longer and I have no internet on connected devices any more.
This is the NAT of the xx.xxx.200.208:
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
What I would like is to be able to ping both IPs, or more correctly, to connect to both with AnyConnect,
and to have forwarded ports on both:
ip nat inside source static tcp 10.0.0.12 123 interface Cellular0/2/0 123
Also, is it possible to forward both interfaces to the same target?
ip nat inside source static tcp 10.0.0.12 123 interface GigabitEthernet0/0/0 123
ip nat inside source static tcp 10.0.0.12 123 interface Cellular0/2/0 123
This will not work; the second line will erase the first.
Both IPs are dynamic and can change at any time.
09-18-2022 02:03 PM - edited 09-18-2022 02:24 PM
You need a static route with a route-map, as follows:
ip nat inside static route-map ISP1 interface <ISP1>
ip nat inside static route-map ISP2 interface <ISP2>
!
route-map ISP1 permit 10
match ip add 100
match interface <ISP1>
!
route-map ISP2 permit 10
match ip add 101
match interface <ISP2>
!
ip access extended 100
permit ip < > < >
!
ip access extended 101
permit ip < > < >
09-18-2022 02:22 PM
I can't create static NAT:
c1111(config)#ip nat ?
create Create flow entries
inside Inside address translation
log NAT Logging
name Rule name
outside Outside address translation
pool Define pool of addresses
service Special translation for application using non-standard port
settings NAT general settings
switchover NAT datapath switchover
translation NAT translation entry configuration
09-18-2022 02:34 PM
Unless in this way:
route-map LTE-L permit 10
match ip address 100
match interface Cellular0/2/0
!
route-map LTE-M permit 10
match ip address 101
match interface GigabitEthernet0/0/0
!
ip nat inside source route-map LTE-L interface cellular 0/2/0
If the above is sort of correct, I still don't know what to put in here:
ip access extended 100
permit ip < > < >
!
ip access extended 101
permit ip < > < >
All external IPs should be able to ping / AnyConnect to it (at least for the moment),
and for inside / local IPs I am not sure what I would put in there.
The secondary connection (at least for the moment) should not be used for any outgoing connection.
09-18-2022 02:45 PM - edited 09-18-2022 02:57 PM
For now, try making it any any,
and then check the connection.
If it succeeds, then later you can decide which traffic will use ISP1 and which will use ISP2.
But I must mention that the return path can be asymmetric.
09-18-2022 03:22 PM
Nope,
not working.
I was connected with AnyConnect.
After putting the settings in for the built-in interface I still could not ping its IP,
and putting the settings in for Gi0/0/0 broke my VPN connection.
I will need to reboot / check locally tomorrow, as for now I have lost the connection.
Not sure why my EEM applet isn't working and reboots the router?!!