Well I am not sure I am convinced about this.

This is because I tried a simple configuration without load balancing and routemaps and still dont work (even I have successfully used something similar in the past).

I tried with

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.100.10 21 interface Dialer0 21

access-list 1 permit 192.168.100.0 0.0.0.255

with no success (by the way the

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatis.html is similar to the

ip nat inside source static tcp 192.168.100.10 21 interface Dialer0 21

which I've already used)

Let's assume that the Dialer0 IP address remains the same let's say 85.72.88.43. In what way you will use it to achieve my goal ?

I will appreciate your detailed apporach with CLI because I am not high skilled with CISCO IOS

Best regards

As far as i can see, this won't work in a load-sharing mode (so both ISPs are used at the same time), only backup mode will work.

but i see you are doing backup  mode:

ip route 0.0.0.0 0.0.0.0 Dialer0 track 123

ip route 0.0.0.0 0.0.0.0 192.168.93.2 2 track 456

so to get this to work i recommend this:

ip nat inside source static tcp 192.168.100.10 21 85.72.88.43 21 route-map ISP1 reversible extendable
ip nat inside source static tcp 192.168.100.10 443 85.72.88.43 443 route-map ISP1 reversible extendable
ip nat inside source static tcp 192.168.100.10 21 192.168.100.10 21 route-map ISP2 reversible extendable
ip nat inside source static tcp 192.168.100.10 443 192.168.100.10 443 route-map ISP2 reversible extendable

route-map ISP1 permit 10
    match interface Dialer0
route-map ISP2 permit 10
    match interface vlan3

so when packet comes from inside to outside, the nat will check which output interface is selected after routing decision, if interface is dialer0, we'll use first route-map, if matching vlan3, we'll use second route-map. the reverse is also true.

since only backup mode will work, you can't come in on both interfaces at the same time. only the current default route  outbound interface will work. once that interface is down or reachability fails, rtr will remove the route. we'll move to the backup default route and then you can use the ip address of the other interface to connect inbound to your server.

I hope this helps.

Regards,

Fadi.

At first I want to thank you helping me in my case

I did what you have proposed but no luck.

What we are trying here to do is accessing from outside an internal server. Dynamic DNS is supported by Cisco IOS for giving the option to access internal servers when dynamic IP is used. So by design we shouldn't have any kind of restrictions in this case.

But lets change a little bit our case.

1) We keep our dynamic IP in dialer0 with dynamic DNS support (supported by design)

2) We keep the option of a backup ISP provider when dialer0 loses connection for inside to outside traffic (simple internet office use)

3) We wish the access to an internal server (FTP) to be active only through dialer0.

Now is more simple.

So besides

<

ip nat inside source route-map nat-dialer0 interface dialer0 overload

ip nat inside source route-map nat-vlan3 interface vlan3 overload

route-map nat-dialer0

match ip address 1

match interface dialer0

route-map nat-vlan3

match ip address 1

match interface vlan3

access-list 1 permit 192.168.100.0 0.0.0.255

>

which give us the option for a backup provider (through vlan3 192.168.93.1 by a simple adsl router at 192.168.93.2),

we need an additional command that will give us access to the ftp server (192.168.100.10) from outside whatever IP is on dialer0 (otherwise what's the use of having dynDNS support).

What it will be ?

CP professional proposes

<

ip nat inside soursce static 192.168.100.10 21 interface dialer0 21

>

in these cases, but it doesnt work either for a reason I cant understand.

Or else is there any kind of restriction when using backup ISP and what is that? If not why our simple version doesn't work ?

Regards

Hi.

the problem here is with the port forwarding statement, since there is no route-map, it will always apply. so when traffic is leaving out of vlan3, the return traffic from the ftp server will be PATed to the dialer0 but will still leave via the vlan3 and dropped by the ISP.

if there is a possibility to do port-forwarding when using route-maps this woudl work. but ios doesn't allow this as far as i could see.

So i'm afraid i can't find a way to achieve all what you want without using some other device to help with the nat.

hopefully someone else can find a solution which i can't see.

Regards,

Fadi.

Thanks again

Let's say that we are satisfied with the FTP operation as long as dialer0 is up and running and we don’t care what will happen when it's out of order (and when vlan3 give internet access to this site).

Shouldn't it work (with )?

If it shouldn’t, why id doesn’t ?

If it should, are we sure that the issue is with NAT ?

Regards

I might have misunderstood your requirement. i thought vlan3 is primary and dialer0 is backup.

If dialer0 is primary and forwarding,then indeed it should work.

but it depends on what is created in your NAT table. for example if your connect first via vlan3 to the ftp server, the translation will be built using vlan3, then if you try on dialer, you will use the nat built via vlan3 and the problem i explained earlier will happen.

to troubleshoot if it's a nat issue check your nat translation table:

show ip nat detail

Regards,

Fadi.

Hi again

The reason that NAT fails in this case is that static NAT fails anyway in this certain device I am testing.

What I mean is that I tried to setup a simple configuration (dialer0 outside, vlan1 inside, with or without firewall) by using CPexpress to avoid typing mistakes (after resetting this 876 router) and even if the "ip nat inside source list 1 interface Dialer0 overload  access-list 1 permit 192.168.100.0 0.0.0.255 "

works (so the internet access from inside to outside works) the " ip nat inside source static tcp 192.168.100.10 21 interface Dialer0 21 "

doesn’t (the static NAT is not working).

I changed IOS (I have used the c870-adventerprisek9-mz.124-15.T9.bin (it came with device), the c870-adventerprisek9-mz.124-15.T7.bin, the c870-advsecurityk9-mz.124-15.T12.bin, and the c870-advipservicesk9-mz.124-24.T3.bin) but still it doesn’t work.

Same code and same IOSes same ADSL to another 876 and 877 (I have 4 of them) works fine.

The very strange thing is that all other operations of this device seems normal (so I can't believe that it's a faulty device). That's why I didn't suspected that it was not an issue of load balancing as this post stated.

Any idea what can cause this behavior?

Maybe I will make a post to another thread for this case.

Regards