
Dial backup with NAT

wchew
Level 1

I have a router (1720) with serial (nat outside) and ISDN (nat outside) as backup. This router connects to the Internet. The router also performs NAT to translate all inside private users to the Internet.

Under normal conditions, the serial is up and all users are able to access the Internet. During a serial failure, the ISDN kicks in and gets connected.

The problem is that the ISDN gets connected and I was able to PING the Internet, but was not able to PING sourced from the inside network!

I am using 'ip nat pool' to translate to a public IP address, which is not the IP address of the serial or the ISDN.

While the serial is up, the translation works, but when the ISDN is up I receive 'translation failed' when I use 'debug ip nat'. When I manually removed 'ip nat outside' from the serial interface, the config worked! I could now PING sourced from the inside network!

Can IOS perform something like an auto timeout on the NAT so that the backup NAT takes over gracefully? I also adjusted the keepalive timer on the serial interface, but it still doesn't help!

My current IOS is c1700-sy56i-mz.121-17.bin

6 Replies

spremkumar
Level 9

Hi,

Please clarify the following points:

1. Are you using PAT, or NAT with a pool configured in your network?

2. Are you getting a static IP for your ISDN connectivity? If yes, is it the same as your serial interface IP?

I assume you are overloading the NAT over the serial, and when the serial line goes down your NAT is not working.

To avoid this, better get the same IP as the serial framed for your UID in the SP RADIUS server, or else configure a public IP on your loopback and overload on your loopback IP, which will work regardless of whether your serial or ISDN is up.

So do throw some light on your current setup/scenario.

Regards

Hi,

1. I am using PAT with a public IP address only.

2. I have a static public IP for serial and a dynamic one for ISDN, and the two IPs are not the same.

In Malaysia, it is not possible to have both IPs assigned for both serial and ISDN.

Please elaborate further on the loopback. If possible, perhaps you could draft a config for this.

Thanks,

Lawrence

The best way to configure this is to use route maps for NAT.

This link shows an example; there was a better one but I don't have it bookmarked.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#routemap

Daniel

Hi Daniel,

I tried using the example but it still doesn't work! My scenario is one inside and 2 outside interfaces. I tried using multiple pools with route-maps but it is still not working.

I hope you can dig it out, as you said there was a better way of doing this. It would be greatly appreciated!

Best regards,

Lawrence

Lawrence,

Here is a configuration example of what I have set up in the past.

!
interface ethernet 0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
interface serial 0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
!
interface dialer 1
 ip address negotiated
 ip nat outside
 dialer-group 1
!
! Primary default route via serial; floating static (distance 100) via dialer
ip route 0.0.0.0 0.0.0.0 serial 0
ip route 0.0.0.0 0.0.0.0 dialer 1 100
!
! One overload (PAT) rule per outside interface, each tied to a route-map
ip nat inside source route-map primary interface serial 0 overload
ip nat inside source route-map backup interface dialer 1 overload
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
!
dialer-list 1 protocol ip permit
!
route-map primary
 match ip address 101
 set interface serial 0
!
route-map backup
 match ip address 102
 set interface dialer 1
!

There is a problem with NAT in configurations similar to this where you cannot route to the secondary interface unless you clear the NAT translations table. Otherwise the router thinks there are already translations in place and will prevent the second interface from being used.

After you apply the sample config I provided, if you have the same issue, try doing 'clear ip nat trans *' when the ISDN is up and see if that corrects the problem. If it does, then it's the old entries that are causing the issue, and the only way to get around that is to clear the translations, or create some kind of script that can do it for you. There could be another method of fixing this, but I haven't done this type of configuration for a while so I'm not so up to date :).

Daniel
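
Added example, not part of the thread or of any poster's configuration: one way to combine the two ideas in the reply above, picking the NAT rule by egress interface and flushing stale translations automatically when the serial link changes state. It reuses the interface names and ACL 101 from the posted config, selects the rule with `match interface`, and assumes an IOS release that includes Embedded Event Manager (the thread does not say the 1720 image has it); the applet name is hypothetical.

```cisco
! Added example: constructed for illustration, not taken from the thread.
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
! Each route-map matches inside traffic AND the outside interface the
! routing table has chosen, so only one NAT rule applies per packet.
route-map primary permit 10
 match ip address 101
 match interface Serial0
!
route-map backup permit 10
 match ip address 101
 match interface Dialer1
!
ip nat inside source route-map primary interface Serial0 overload
ip nat inside source route-map backup interface Dialer1 overload
!
! Floating static: the dialer route (distance 100) is installed only
! while the Serial0 route is absent from the routing table.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Dialer1 100
!
! Assumption: EEM is available on the image in use.
! On any Serial0 line-protocol change (down = failover, up = failback),
! clear translations that were built for the previous path.
event manager applet CLEAR-NAT-ON-SERIAL-CHANGE
 event syslog pattern "Line protocol on Interface Serial0, changed state to"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "NAT translations cleared after Serial0 state change"
!
```

Clearing the whole table drops every active session, so the applet's log message is worth keeping as a record of when and why translations were flushed.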

Hi Daniel,

Thanks for the reply. Will try it out and let you know.

Best regards,

Lawrence
