
Cisco 2851 NAT Load Balancing Problem (is solved!)

Anton Pestov
Level 1

How to configure NAT load-balancing over two ISPs on Cisco 2851.

System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M.bin"

My config (users behind the router/PAT are unable to access the Internet, I don't know why?!!):

 

interface FastEthernet0/1/0.1101
 description *** INET: ISP1 ***
 bandwidth 100000
 encapsulation dot1Q 1101
 ip address 1.1.1.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 service-policy output POLICY-100M
 !
interface FastEthernet0/1/0.1103
 description *** INET: ISP2 ***
 bandwidth 50000
 encapsulation dot1Q 1103
 ip address 2.2.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 service-policy output POLICY-50M
!

interface GigabitEthernet0/0.12
 description *** LAN ***
 encapsulation dot1Q 12
 ip address 172.18.253.233 255.255.255.252
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 no cdp enable

!

ip route 0.0.0.0 0.0.0.0 1.1.1.1

ip route 0.0.0.0 0.0.0.0 2.2.2.1

!

ip nat pool POOL-ISP1 1.1.1.2 1.1.1.2 prefix-length 30
ip nat pool POOL-ISP2 2.2.2.2 2.2.2.2 prefix-length 30
ip nat inside source route-map RMAP-NAT-ISP1 pool POOL-ISP1 overload
ip nat inside source route-map RMAP-NAT-ISP2 pool POOL-ISP2 overload

!

route-map RMAP-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface FastEthernet0/1/0.1101

route-map RMAP-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface FastEthernet0/1/0.1103
!

ip access-list extended ACL-NAT
 deny   ip object-group OBJNET-PRIVATE object-group OBJNET-PRIVATE
 permit ip object-group OBJNET-SR any
!

 

If I apply "no ip route 0.0.0.0 0.0.0.0 2.2.2.1", the situation doesn't change: there is no Internet access.

 

...and the working config (through one ISP only):

 

!<interface config all the same, see above>

!

ip route 0.0.0.0 0.0.0.0 1.1.1.1

!

ip nat pool POOL-ISP1 1.1.1.2 1.1.1.2 prefix-length 30
ip nat pool POOL-ISP2 2.2.2.2 2.2.2.2 prefix-length 30

ip nat inside source list ACL-NAT pool POOL-ISP1 overload

!

ip access-list extended ACL-NAT
 deny   ip object-group OBJNET-PRIVATE object-group OBJNET-PRIVATE
 permit ip object-group OBJNET-SR any
!

 

If I add "ip route 0.0.0.0 0.0.0.0 2.2.2.1", the situation changes: there is no Internet access!

 

 

What is wrong in the first config?! How do I do the following:

- if both ISPs are available, then use both ISPs for NAT for all inside hosts

- if one of the ISPs is unavailable, then use the second ISP for NAT for all inside hosts