12-09-2011 04:41 AM - edited 03-04-2019 02:34 PM
Dear all,
I'm at my wits end, perhaps someone can take a moment to look into this.
I want to NAT one ( ! ) single inside host on a different WAN/ ISP interface ( of which I have two ) .
The first one is a /29 - adressed static SDSL 2,3 MBit link, the 2nd one a 16MBit ADSL line with one static IP. Both interfaces are DIFFERENT carriers ( Versatel = ifname outside and Ecotel =ifname ecotel ).
( The SDSL line is used to NAT/PAT all other hosts except the one in question. )
( Inside Userland is 172.16.0.0/24 and 192.168.20.0/24. )
Both lines are firing on all cylinders, but I can't get any traffic through the ecotel ADSL interface from the client in question.
The SDSL line works as expected.
Routing is:
C 172.16.0.0 255.255.0.0 is directly connected, inside
S 192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside
C 213.138.48.24 255.255.255.252 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )
I added a 2nd default route with metric 2 pointing to the 2nd ISP, resulting in:
out 0.0.0.0 0.0.0.0 via [pppOE ServerIP according to debug output] , ecotel
interface Ethernet0/2
description Uplink Ecotel
nameif ecotel
security-level 0
pppoe client vpdn group ecotel
ip address pppoe
object network SC
host 192.168.20.4
description SC
object network SC
nat (inside,ecotel) dynamic interface dns
The packet tracer routes a simulated packet from the SC Object via inside to outside....
Can someone shed some light on this ?
Solved! Go to Solution.
12-09-2011 08:12 AM
Well, if you set the next-hop to the next hop on the eoctel line, the ASA should have a specific route for that network, and
should arp for the default-gateway on the other end, I would think...
12-12-2011 06:08 AM
Hi John,
the scenario is as follows, the above picture was not complete because I thought things to be..ehm, easier.
192.168.20.0./24 -->[e.0/0] @ C2611XM [e0.1] 172.16.1.0/16 -> {---DMZ---} -> 172.16.1.111 [e0/0] ASA
[e0/1] ASA -> SDSL (versatel)
[e0/2] ASA -> ADSL (ecotel)
I've been toying around /w PBR a fair bit; before I put this live I'd like to confirm you that the following IOS code
on the 2611 will most probably work. It's production time right now and I cannot touch the interface config without users complaining.
ip access-list extended ecotel permit ip host 192.168.20.4 any ( defines which host is subject to PBR )
route-map ecotel permit 10
match ip address ecotel
set interface [e0/1] ( this is the one pointing inwards into the DMZ 172.16.... )
set ip next-hop A.A.A.A ( this is our fixed IP on the e0/2 on the ASA, not the default Gate, correct ? )
interface [e.0/0] ( to which the 192.168.20.4 host is directly connected ) finally runs this policy with ip policy route-map ecotel.
12-12-2011 08:34 AM
Is the vlan interface for 192.168.20.0/24 on the 2611XM?
12-12-2011 08:47 AM
The 2611XM is in turn connected to a stack of 2950 switches, on one of them is a VLAN port group forming the DMZ. The 172.16... leg of the router is connected to this group while the 192.168.20.0/24 leg of the router is connected to a port which does not belong to this VLAN.
12-12-2011 09:05 AM
The above config seems fine Dan, I would put it on the vlan interface of the 192.168.20.0/24 network. Where ever it's
default gateway is, I would put the policy route on that router. Just make sure to do this off hours/maintenance window. Also, always keep backups that way you can easily revert back if it doesn't work or other problems appear.
12-12-2011 09:34 AM
Thanks John,
I will try as soon as possible. From what I have read, the PBR ingress interface ( the one with the policy statement ) is ( mostly ) the default gate of the segment from where I want to reroute certain packets. Because the gate of 192.168.20.0 is .2 ( which is the 2611XM ) - let's see what the upshot is.....
12-12-2011 09:25 AM
I have not read every single post but here is my opinion.
Somewhere you have in the config the following or something similar.
nat (inside,outside) dynamic interface
It is likely in section one of the nat table. If it is under the object nat section, I don't think you can reorder this section but I am not sure. Do some research on this. I think the basic problem is that the above is coming before the one you want to go to the ecotel interface. There is a section 3 of the nat table to force the above to come after the object nat.
PBR will not work from any device which is behind the device that is connected to the next hop you want to use. Don't waste your time with this. PBR only works when the next hop you want to use is directly connected to the device you are configuring PBR on.
Another way to do it might be to use PBR but direct the traffic to another inside interface on the ASA. Then nat from that interface to ecotel.
Cheers.
12-12-2011 09:39 AM
Garry,
thanks for sharing your thoughts here. I've considered bringing another interface ( dedicated ecotel nat ) on the ASA to live as an option, too. From what I've experienced I really cannot order the NAT statements. The PBR device in question is located before the ASA, meaning that the ASA is directly connected to the 2611 because both live in the 172.16.... range.
12-12-2011 09:56 AM
Section 1 can be ordered. They are order by the order in the config.
Section 2 is ordered by the ASA
Section 3 is ordered similar to section 1 but when adding a rule you can spedify a line #.
One more thing, In 8.4(2) and later they changed a bunch of stuff as well with regard to all this.
With PBR, on the 2611, your next hop can only ever be the ASA. I am not sure if you can even specify a non direct connected next hop. If you can it will look it up and route it to the correct next hop by using recursive lookup and resolve to the ASA and you will be no further ahead.
When I read the following in the 8.4/5 command reference it implies that the ASA by default uses the interface specified by the nat command as the egress interface. You can use route-lookup to overide this behavior. I really believe your problem is with the order of processing of your nat rules.
route-lookup
(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.
12-12-2011 10:11 AM
Thanks for the clarification on pbr garry.
12-12-2011 10:39 AM
Thanks Garry.
What is your suggestion on what to do next ?
Try the PBR anyway or rearrange the NAT statement in working order ?
Upgrade to 8.4(n) ?
Use a dedicated interface for the 2nd line ?
12-12-2011 10:58 AM
My immediate suggestion is for you to give us a show run nat and a show nat for completness.
If you need to hide anything just overwrite with x.x.x.x any ip's or service ports on the outside you don't want to publish.
12-12-2011 11:04 AM
Garry,
I will post the config tomorrow morning ASAP.
12-12-2011 11:42 PM
Morning Guys,
sho nat:
1 (inside) to (outside) source static LX0 [PUBLIC_IP] dns
translate_hits = 2691154, untranslate_hits = 570806
2 (inside) to (outside) source static MTA1 [PUBLIC_IP] dns
translate_hits = 286601, untranslate_hits = 787384
3 (inside) to (outside) source static SMB0 [PUBLIC_IP]dns
translate_hits = 53374, untranslate_hits = 1088
4 (inside) to (outside) source static Thermograph [PUBLIC_IP]dns
translate_hits = 18, untranslate_hits = 862
5 (inside) to (ecotel) source dynamic SC interface dns
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source dynamic MOBIL19 interface dns
translate_hits = 15060, untranslate_hits = 2514
7 (inside) to (outside) source dynamic MOBIL5 interface dns
translate_hits = 22920, untranslate_hits = 3088
8 (inside) to (outside) source dynamic MOBIL16 interface dns
translate_hits = 4954, untranslate_hits = 440
9 (inside) to (outside) source dynamic PB_300c interface dns
translate_hits = 49, untranslate_hits = 0
10 (inside) to (outside) source dynamic SMB2 interface dns
translate_hits = 10405, untranslate_hits = 6
11 (inside) to (outside) source dynamic test interface dns
translate_hits = 343558, untranslate_hits = 39562
12 (inside) to (outside) source dynamic PBX0 interface
translate_hits = 342224, untranslate_hits = 482
13 (any) to (outside) source dynamic Wireless interface
translate_hits = 22543, untranslate_hits = 1423
sho run nat:
object network test
nat (inside,outside) dynamic interface dns
object network MTA1
nat (inside,outside) static [PUBLIC_IP] dns
object network LX0
nat (inside,outside) static [PUBLIC_IP] dns
object network Thermograph
nat (inside,outside) static [PUBLIC_IP] dns
object network PBX0
nat (inside,outside) dynamic interface
object network Wireless
nat (any,outside) dynamic interface
object network SMB0
nat (inside,outside) static [PUBLIC_IP] dns
object network PB_300c
nat (inside,outside) dynamic interface dns
object network SC
nat (inside,ecotel) dynamic interface dns
object network SMB2
nat (inside,outside) dynamic interface dns
object network MOBIL5
nat (inside,outside) dynamic interface dns
object network MOBIL16
nat (inside,outside) dynamic interface dns
object network MOBIL19
nat (inside,outside) dynamic interface dns
12-13-2011 05:33 AM
Gary, please correct me if I'm wrong, but I'm assuming that the ASA will match the first NAT statement that certain traffic are matched for, and take that one, kinda like an ACL so to speak? As well as taking a more specific NAT entry over a more generic one?
object network test
nat (inside,outside) dynamic interface dns
From looking at this, it's first in the list, and is running dynamic PAT.
So I guess if you did a
object network ecotel
nat (intside,ecotel) dynamic interface dns (If you want DNS rewrite as well)
object network test
nat (inside,outside) dynamic interface dns
???
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide