06-06-2017 09:22 AM - edited 03-05-2019 08:39 AM
Hello.
We have been using NAT load-balancing for 2 ISP interfaces at our client for some time, but we still have issues with FTP destinations.
What I would like to achieve is, while there is still NAT load-balancing, to send traffic toward a specific destination on a specific interface.
I have tried to define a new ACL in order to filter traffic to the specific destination and created a new route-map with a fixed next hop specified. But unfortunately I cannot access the said site and I cannot figure out the reason why (is it even possible to have two routing behaviours at the same time?).
Could you please help?
Thank you in advance for your answers!
Here are the specifics of my conf:
interface GigabitEthernet0
description WAN2 vers Free
switchport access vlan 345
no ip address
!
interface GigabitEthernet1
description WAN1
ip address 192.168.47.250 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map QUADRA
duplex auto
speed auto
!
interface Vlan1
description Inside
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan345
ip address 192.168.48.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
!
ip nat inside source route-map WAN1 interface GigabitEthernet1 overload
ip nat inside source route-map WAN2 interface Vlan345 overload
ip route 0.0.0.0 0.0.0.0 192.168.47.254 track 123
ip route 0.0.0.0 0.0.0.0 192.168.48.254 track 456
ip route 4.2.2.1 255.255.255.255 192.168.48.254
ip route 4.2.2.2 255.255.255.255 192.168.47.254
ip sla auto discovery
ip sla 1
icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.1
ip sla schedule 2 life forever start-time now
!
route-map QUADRA permit 10
match ip address 110
set ip next-hop 192.168.47.254
!
route-map WAN1 permit 20
match ip address 100
match interface GigabitEthernet1
!
route-map WAN2 permit 20
match ip address 100
match interface Vlan345
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.0.0.0 0.0.0.255 host 213.186.33.204
06-06-2017 09:59 AM
I may be misunderstanding your setup but it looks like you have applied the route map to the wrong interface.
You need to apply it to the interface where the traffic arrives at the router from the clients, presumably the vlan 1 interface.
Jon
06-07-2017 04:07 AM
Hi Jon,
Thank you for this answer. I had indeed the wrong interface configured, thank you for noticing that mistake (two sets of eyes are always welcome!). Unfortunately, this does not solve the problem.
I can see that the access-lists are matched (please note that the access-list numbers have been switched):
rCompCo01#sh access-lists
Standard IP access list 23
10 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit ip 192.168.0.0 0.0.0.255 host 213.186.33.204 (6 matches)
Extended IP access list 110
10 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204 (25 matches)
20 permit ip 192.168.0.0 0.0.0.255 any (1186 matches)
Packets are going out on the right interface, but it seems that there is another problem (it seems that the packets are not coming back?):
rCompCo01#show monitor capture buffer holdpackets
08:57:27.946 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:57:27.946 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
08:57:30.958 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:57:30.958 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
08:57:36.962 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:57:36.962 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
08:57:53.054 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:57:53.054 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
08:57:56.062 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:57:56.062 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
08:58:02.062 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 None
08:58:02.062 UTC Jun 7 2017 : IPv4 LES CEF : Vl1 Gi1
06-07-2017 07:10 AM
Not sure what you mean by acls have been switched.
Can you repost the relevant configuration?
Jon
06-07-2017 07:13 AM
Of course, here it is:
track 123 ip sla 1 reachability
delay down 15 up 10
!
track 456 ip sla 2 reachability
delay down 15 up 10
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
description WAN2 vers Free
switchport access vlan 345
no ip address
!
interface GigabitEthernet1
description WAN1 vers Orange
ip address 192.168.47.250 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description Inside
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map QUADRA
!
interface Vlan345
ip address 192.168.48.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip nat inside source static tcp 192.168.0.5 3389 interface GigabitEthernet1 11478
ip nat inside source static udp 192.168.0.5 3389 interface GigabitEthernet1 11478
ip nat inside source route-map WAN1 interface GigabitEthernet1 overload
ip nat inside source route-map WAN2 interface Vlan345 overload
ip route 0.0.0.0 0.0.0.0 192.168.47.254 track 123
ip route 0.0.0.0 0.0.0.0 192.168.48.254 track 456
ip route 4.2.2.1 255.255.255.255 192.168.48.254
ip route 4.2.2.2 255.255.255.255 192.168.47.254
!
ip sla auto discovery
ip sla 1
icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.1
ip sla schedule 2 life forever start-time now
!
route-map QUADRA permit 10
match ip address 100
set ip next-hop 192.168.47.254
!
route-map WAN1 permit 20
match ip address 110
match interface GigabitEthernet1
!
route-map WAN2 permit 20
match ip address 110
match interface Vlan345
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 110 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
06-07-2017 07:17 AM
Thanks for that.
Why do you have this line in acl 110 -
"access-list 110 deny ip 192.168.0.0 0.0.0.255 host 213.186.33.204"
because what that is doing is saying do not NAT the 192.168.0.x source IPs when going to that host, but surely you need to, don't you?
This is probably why you are not getting return packets.
Jon
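As an added illustration (not part of this thread and not IOS code), a small Python model of the interaction Jon describes: route-map QUADRA forces the FTP host's traffic out WAN1, but the NAT route-map only translates when its ACL permits, so the deny line in ACL 110 sends those packets out with a private LAN source and the replies have nowhere to return to. Treating CEF load-balancing as a single fixed default egress interface is a simplifying assumption.

```python
import ipaddress

# Constructed model of the NAT route-map / PBR logic in this thread; it is not IOS
# code and simplifies CEF load-balancing to a single default egress interface.
OUTSIDE_ADDR = {"GigabitEthernet1": "192.168.47.250", "Vlan345": "192.168.48.250"}
NEXT_HOP_IF = {"192.168.47.254": "GigabitEthernet1", "192.168.48.254": "Vlan345"}

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return ((_i(addr) ^ _i(base)) & ~_i(wildcard) & 0xFFFFFFFF) == 0

def acl_lookup(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# access-list 100 (PBR selector) and access-list 110 (NAT selector) as posted
ACL_100 = [("permit", "192.168.0.0", "0.0.0.255", "213.186.33.204", "0.0.0.0")]
ACL_110_POSTED = [
    ("deny", "192.168.0.0", "0.0.0.255", "213.186.33.204", "0.0.0.0"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_110_FIXED = ACL_110_POSTED[1:]  # the same ACL with the deny line removed

def egress_interface(src, dst, default_egress="Vlan345"):
    """route-map QUADRA on Vlan1: ACL 100 traffic is forced to next-hop 192.168.47.254."""
    if acl_lookup(ACL_100, src, dst) == "permit":
        return NEXT_HOP_IF["192.168.47.254"]
    return default_egress

def nat_source(acl, egress, src, dst):
    """route-map WAN1/WAN2: translate only if the ACL permits AND the egress interface matches."""
    if acl_lookup(acl, src, dst) != "permit":
        return src  # no translation: the packet leaves with its private LAN source address
    return OUTSIDE_ADDR[egress]

def outbound(src, dst, acl, default_egress="Vlan345"):
    """Return (egress interface, source address on the wire) for one LAN packet."""
    egress = egress_interface(src, dst, default_egress)
    return egress, nat_source(acl, egress, src, dst)

def reply_can_return(wire_src):
    """The far end can only answer to an address the router owns on an outside interface."""
    return wire_src in OUTSIDE_ADDR.values()
```

With the posted ACL the FTP host's packets leave Gi1 sourced from 192.168.0.x and `reply_can_return` is False; with the deny removed they leave as 192.168.47.250 and the return path exists.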
06-07-2017 07:26 AM
Thank you Jon :)
I've made so many updates for testing purposes that I missed it.
06-07-2017 07:27 AM
No problem, glad to have helped.
Jon