TL64
Beginner

Dual NAT, One works, One Doesn't.

Hey everyone, I'm having some trouble figuring out what's wrong with my router configuration.

First things first, this is in a lab environment.

I have one client (192.168.1.10/24) connected to a switch (default config, no ip routing), which is connected to a router. The router is supposed to have one inside NAT interface (192.168.1.0/24), and two outside NAT interfaces. (The first gets its IP via DHCP; the second's IP is 1.1.1.1/24.)

The NAT interface that uses DHCP works great, no issues at all. The second interface is where the issues are. The router is connected to a single server (1.1.1.10/24).

 

Any advice or insight would be greatly appreciated. Thanks in advance.

 

Current configuration : 3639 bytes
!
! Last configuration change at 10:23:52 UTC Fri Jan 15 2021
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SRVxx-R
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip domain lookup source-interface GigabitEthernet0/0
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/2
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

1 ACCEPTED SOLUTION

Accepted Solutions
paul driver
VIP Mentor

Hello
I would first question what's your expectation with the dual ISP links - do you want traffic to traverse the DHCP link first and fail over to the 2nd ISP link if the primary fails, or just send some traffic via the 2nd ISP whilst all other traffic goes via ISP1? Depending on your answer will depend on what failover feature is used.

The NAT solution provided by @Georg Pauwen should work; however, the default static routes he has stated will incur per-destination load balancing between the two ISP links, which is something you may not want to happen?
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/ 1 1.1.X

Example
host 192.168.1.1 to 8.8.8.8 isp1 link
host 192.168.1.1 to 8.8.4.4 isp2 link
host 192.168.1.1 to 8.8.7.7 isp1 link
host 192.168.1.1 to 8.8.3.3 isp2 link

etc...

So please confirm how you wish to use these two ISP links?

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future


3 REPLIES
balaji.bandi
VIP Expert

As per my understanding, you have 2 ISP connections. Are you looking to load-balance between those ISPs with the LAN IP address? That may have difficulties; you cannot do that, but you can split the load between ISPs or fail over between ISPs.

If this is what you are looking for, then let us know so we can tweak the config.

Or follow the guide below:

 

https://binaryglobal.com/blog/?p=129



BB


*** Rate All Helpful Responses ***

Georg Pauwen
VIP Expert

Hello,

 

you have no routing? Make the changes/additions marked in bold:

 

Current configuration : 3639 bytes
!
! Last configuration change at 10:23:52 UTC Fri Jan 15 2021
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SRVxx-R
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip domain lookup source-interface GigabitEthernet0/0
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/2
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
no cdp enable
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no cdp enable
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
--> ip nat inside source route-map ISP_1 interface GigabitEthernet0/0 overload
--> ip nat inside source route-map ISP_2 interface GigabitEthernet0/2 overload
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
--> access-list 1 permit 192.168.1.0 0.0.0.255
!
--> route-map ISP_1 permit 10
--> match ip address 1
--> match interface GigabitEthernet0/0
!
--> route-map ISP_2 permit 10
--> match ip address 1
--> match interface GigabitEthernet0/2
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end
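
Added example (not part of any post in this thread): a small Python model of why the original pair of ACL-only NAT statements breaks the Gi0/2 path while the route-map version with `match interface` does not. It assumes the router applies the first NAT statement whose ACL permits the source, that the DHCP link supplies the default route, and that the lab server at 1.1.1.10 has no gateway; the Gi0/0 address 203.0.113.5 is constructed because the page does not show the DHCP lease.

```python
import ipaddress

# Constructed: the page never shows the address Gi0/0 received via DHCP.
IFACE_IP = {"Gi0/0": "203.0.113.5", "Gi0/2": "1.1.1.1"}

# Connected networks plus a default route out of Gi0/0 (assumed, learned via DHCP).
ROUTES = [("192.168.1.0/24", "Gi0/1"), ("1.1.1.0/24", "Gi0/2"), ("0.0.0.0/0", "Gi0/0")]

def egress(dst):
    """Longest-prefix match: routing is decided before inside-to-outside NAT."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), i) for n, i in ROUTES
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def acl_permits(src, base, wildcard):
    """Standard ACL test: bits set in the wildcard mask are ignored."""
    s, b, w = (int(ipaddress.ip_address(x)) for x in (src, base, wildcard))
    return (s | w) == (b | w)

ACL = ("192.168.1.0", "0.0.0.255")  # access-list 1 and 2 on the page are identical

# (match-interface or None, interface whose address is used), in config order
ORIGINAL = [(None, "Gi0/0"), (None, "Gi0/2")]         # source list 1 / list 2
ROUTE_MAP = [("Gi0/0", "Gi0/0"), ("Gi0/2", "Gi0/2")]  # route-map ISP_1 / ISP_2

def translate(src, dst, rules):
    """Return (egress interface, translated source) from the first matching rule."""
    out = egress(dst)
    for match_if, nat_if in rules:
        if acl_permits(src, *ACL) and match_if in (None, out):
            return out, IFACE_IP[nat_if]
    return out, src  # no rule matched: the packet leaves untranslated

def reply_reaches_router(src, dst, rules):
    """On the Gi0/2 segment the server can only answer addresses in 1.1.1.0/24."""
    out, natted = translate(src, dst, rules)
    if out != "Gi0/2":
        return True  # ISP path: return routing is the provider's job
    return ipaddress.ip_address(natted) in ipaddress.ip_network("1.1.1.0/24")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("route-map", ROUTE_MAP)):
        for dst in ("8.8.8.8", "1.1.1.10"):
            print(name, dst, translate("192.168.1.10", dst, rules),
                  reply_reaches_router("192.168.1.10", dst, rules))
```

On the router itself, `show ip nat translations` after a ping to 1.1.1.10 shows which inside global address was actually chosen.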
