1077 Views | 0 Helpful | 4 Replies

Dual ISP NAT Port forwarding to same internal IP and port

Vengant
Level 1

Hi dear community,

I need a little help with port forwarding on Cisco ISR in dual WAN configuration.

I have 2 ISPs with public IP addresses (no BGP). ISP1 (IP 1.2.3.4, GW 1.2.3.1) is the main channel, ISP2 (PPP interface with IP 5.6.7.8) is the backup channel. I also have an internal network at interface GigabitEthernet0/1 (10.0.0.0/24). I have configured channel switching via IP SLA, NAT and route maps, so that both public IPs from ISP1 and ISP2 are always available from outside.

Now, I need to make TCP port 443 forwarded to the local host 10.0.0.10, and it should be available on both public IPs 1.2.3.4 and 5.6.7.8 independent of which channel is the active one. However, it only works for the active channel. I remember that there was a trick regarding dual WAN and that I have to play with route maps somehow, but the last time I touched a Cisco router was 6 years ago... Could anybody please help me?

Here is my config:
!
interface GigabitEthernet0/0
description ISP1
ip address 1.2.3.4 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description LAN
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description ISP2
mtu 1488
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
!
ip local policy route-map Local
ip forward-protocol nd
!
ip nat inside source route-map ISP2 interface Dialer0 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.10 443 1.2.3.4 443 route-map ISP1 extendable
ip nat inside source static tcp 10.0.0.10 443 5.6.7.8 443 route-map ISP2 extendable
ip route 0.0.0.0 0.0.0.0 1.2.3.1 10 track 10
ip route 0.0.0.0 0.0.0.0 Dialer0 30 track 30
!
ip access-list standard ISP2_IP
permit 5.6.7.8
deny any
ip access-list standard ISP1_ip
permit 1.2.3.4
deny any
!
ip sla 10
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
threshold 40
timeout 1000
frequency 3
ip sla schedule 10 life forever start-time now
ip sla 30
icmp-echo 8.8.8.8 source-interface Dialer0
threshold 1000
timeout 1500
frequency 3
ip sla schedule 30 life forever start-time now
!
route-map ISP1 permit 10
match interface GigabitEthernet0/0
!
route-map Local permit 10
match ip address ISP1_ip
set ip next-hop 1.2.3.1
!
route-map Local permit 20
match ip address ISP2_IP
set interface Dialer0
!
route-map ISP2 permit 10
match interface Dialer0
!
!


Many thanks in advance.

4 Replies

Hello


@Vengant wrote:
 I need to make TCP port 443 forwarded to the local host 10.0.0.10, and it should be available on both public IPs 1.2.3.4 and 5.6.7.8 independent of what channel is the active one

You could try the following:

no ip nat inside source static tcp 10.0.0.10 443 1.2.3.4 443 route-map ISP1 extendable
no ip nat inside source static tcp 10.0.0.10 443 5.6.7.8 443 route-map ISP2 extendable
access-list 10 permit 10.0.0.0 0.0.0.255

route-map ISP1 permit 10
match ip address 10

route-map ISP2 permit 10
match ip address 10

ip nat inside source static tcp 10.0.0.10 443 1.2.3.4 443  extendable
ip nat inside source static tcp 10.0.0.10 443 5.6.7.8 443  extendable

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver 

Unfortunately it didn't work - port forwarding still works only for ISP1, which is the default gateway. For ISP2 it does not work - as far as I can see, when I try to connect to 5.6.7.8, the NAT translation appears in the table, but the replies are being sent through ISP1 due to the default gateway.


Any other ideas to make the port forwarding work on both IPs at the same time?
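To see why the forward on the backup ISP breaks, here is an added Python model (not from the thread or from Cisco) of the IOS inside-to-outside order of operations: the reply from 10.0.0.10 is routed by destination before it is translated, so it follows the active default route whatever outside interface the session arrived on. The tracks, distances and addresses are the ones posted above; the behaviour is a simplification of the real platform.

```python
# Constructed from the posted config: (admin distance, exit interface, track id)
DEFAULT_ROUTES = [(10, "GigabitEthernet0/0", 10), (30, "Dialer0", 30)]

# Static NAT entries: public IP -> (inside host, route-map, interface the map matches)
STATIC_NAT = {
    "1.2.3.4": ("10.0.0.10", "ISP1", "GigabitEthernet0/0"),
    "5.6.7.8": ("10.0.0.10", "ISP2", "Dialer0"),
}


def best_default_route(track_up):
    """Lowest-distance default route whose track object is up, or None."""
    candidates = [(ad, intf) for ad, intf, trk in DEFAULT_ROUTES if track_up.get(trk, False)]
    return min(candidates)[1] if candidates else None


def inbound_session(public_ip):
    """Outside-to-inside: the packet hits the static entry for its public IP and a
    translation (public_ip:443 <-> 10.0.0.10:443) is created on the ingress interface."""
    inside_host, _route_map, ingress = STATIC_NAT[public_ip]
    return {"inside": inside_host, "public": public_ip, "ingress": ingress}


def reply_egress(session, track_up):
    """Inside-to-outside: the route lookup happens first and only looks at the
    destination (an Internet host), so the reply takes the active default route.
    NAT then reuses the existing translation, so the source is rewritten to the
    session's public IP even when it leaves the other ISP's interface."""
    egress = best_default_route(track_up)
    return {
        "egress": egress,
        "source": session["public"],
        # Asymmetric when the reply leaves an interface the source IP does not belong to;
        # an ISP will typically drop such a packet as a spoofed source.
        "symmetric": egress == session["ingress"],
    }


def check_both_isps(track_up):
    """Map each public IP to whether its forwarded session would get symmetric replies."""
    return {ip: reply_egress(inbound_session(ip), track_up)["symmetric"] for ip in STATIC_NAT}


if __name__ == "__main__":
    print("both ISPs up:", check_both_isps({10: True, 30: True}))
    print("ISP1 down:   ", check_both_isps({10: False, 30: True}))
```

With both tracks up only the 1.2.3.4 session is symmetric, which is exactly the "works only for the default gateway" symptom; failing ISP1 over just moves the problem to the 5.6.7.8 session.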

Hello,


You could add the EEM scripts below to simply add or remove the respective static NAT translation based on the availability of the ISP:

 

! When track 10 (ISP1) goes down: drop the 1.2.3.4 static entry, install the 5.6.7.8 one
event manager applet ISP_1_DOWN
event track 10 down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source static tcp 10.0.0.10 443 1.2.3.4 443 route-map ISP1 extendable"
action 4.0 cli command "ip nat inside source static tcp 10.0.0.10 443 5.6.7.8 443 route-map ISP2 extendable"
action 5.0 cli command "do clear ip nat translation *"
action 6.0 cli command "end"
!
! When track 10 (ISP1) comes back up: drop the 5.6.7.8 static entry, restore the 1.2.3.4 one
event manager applet ISP_1_UP
event track 10 up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip nat inside source static tcp 10.0.0.10 443 5.6.7.8 443 route-map ISP2 extendable"
action 4.0 cli command "ip nat inside source static tcp 10.0.0.10 443 1.2.3.4 443 route-map ISP1 extendable"
action 5.0 cli command "do clear ip nat translation *"
action 6.0 cli command "end"

No, this is not what I need. I need to access internal host 10.0.0.10 over both IPs 1.2.3.4 and 5.6.7.8 at the same time, regardless of which channel is the default gateway at the moment.
