DUAL NAT

Hello!

I have the following problem:

2 ISP connections.

ADSL Internet

Intranet via DHCP

Both connections need to work:

ADSL access: WWW, E-MAIL, FTP etc ...

Intranet access: specific applications, for example, allow IP 10.32.102.62, port 1725.

Both connections are already working on my router, but in conflict.

Following script:

Building configuration...

Current configuration : 2295 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ODIM
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface ATM0
 description //// A D S L - INTERNET \\\\
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 description /// INTRANET \\\
 ip address dhcp
 ip nat outside
 load-interval 30
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
 description /// LAN \\\
 ip address 172.10.1.254 255.255.255.0
 ip nat inside
 load-interval 30
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname teste@teste
 ppp chap password teste
 ppp pap sent-username teste@teste password teste
 ppp ipcp dns request
 ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 123
no ip http server
no ip http secure-server
!
ip nat inside source route-map INTRANET interface FastEthernet0 overload
ip nat inside source route-map ADSL interface Dialer1 overload
!
access-list 110 permit ip 172.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map ADSL permit 10
 match ip address 110
 match interface Dialer1
!
route-map INTRANET permit 10
 match ip address 110
 match interface FastEthernet0
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end


7 Replies

lmediavilla
Level 1

You want two active NATs on two different ISPs but you want to have the same ACL for the NAT; why don't you use two different ACLs?

If one is for the Internet, have an ACL that excludes private IP addresses and permits any at the end,

and for the intranet traffic have an ACL that permits the private IP addresses and denies the rest.

INTRANET

access-list 110 permit ip any 10.0.0.0 0.255.255.255
access-list 110 permit ip any 172.16.0.0 0.15.255.255
access-list 110 permit ip any 192.168.0.0 0.0.255.255
access-list 110 deny ip any any

ADSL

access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 deny ip any 172.16.0.0 0.15.255.255
access-list 111 deny ip any 192.168.0.0 0.0.255.255
access-list 111 permit ip any any

Kind regards

cadet alain
VIP Alumni

Hi,

If you need to route differently according to protocol/port, you will have to apply a PBR policy to your inside NAT interface and use route-maps with match interface (outgoing interface) for NAT.

Regards

Alain

Don't forget to rate helpful posts.

The two links have to work together; the detail is that each has its own job on the network.

ADSL will handle all external output.

For example, typing www.cisco.com, my output is ADSL.

Intranet handles the internal applications.

For example, typing 10.32.102.62, my output is INTRANET.

In the current scenario only one link is working. When it is necessary to use the external output, the intranet must be brought down. As I said, my scenario is to run the two links together.

Hi,

I wonder how you can use both links, as you only have one default route pointing out your Internet (the other one you get from DHCP has an AD of 254 and is only used as a backup route when the first one is deleted from the RIB), and furthermore you are tracking this route but we don't see any track object in the config.

If you want both links to be used as default routes then do this:

no ip route 0.0.0.0 0.0.0.0 Dialer1 track 123
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 dhcp

If you want specific traffic to go out one link and other types of traffic to go out the other link, then you'll have to use PBR on the VLAN interface.

If traffic going out the Intranet is for a specific IP subnet, then you may use the longest-match feature by configuring a static route with a longer match going out the Intranet interface.

Regards

Alain

Don't forget to rate helpful posts.

Working 100%.

cadet alain, lmediavilla, thanks for the support.

Annexed script:

interface ATM0
 description //// A D S L - INTERNET \\\\
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description /// INTRANET \\\
 ip address 10.48.50.214 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
interface Vlan1
 description /// LAN \\\
 ip address 172.10.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map PBR
 load-interval 30
!
interface Dialer1
 description ** AUTENTICACAO COM  RADIUS **
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname teste@teste
 ppp chap password 1234
 ppp pap sent-username teste@teste password 1234
 ppp ipcp dns request
 ppp ipcp wins request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 name ADSL
ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ADSL interface Dialer1 overload
ip nat inside source route-map INTRANET interface FastEthernet0 overload
!
access-list 110 permit ip 172.10.1.0 0.0.0.255 any
access-list 130 remark ADSL
access-list 130 deny   ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any any
access-list 140 remark INTRANET
access-list 140 permit ip any 10.0.0.0 0.255.255.255
access-list 140 deny   ip any any
dialer-list 1 protocol ip permit
!
route-map ADSL permit 10
 match ip address 110
 match interface Dialer1
!
route-map INTRANET permit 10
 match ip address 110
 match interface FastEthernet0
!
route-map PBR permit 10
 match ip address 130
 set interface Dialer1
!
route-map PBR permit 20
 match ip address 140
 set interface FastEthernet0
!
end
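As an added example (not from the thread and not Cisco code), a small Python model of the working config's PBR route-map and NAT route-maps: it converts the wildcard ACLs to prefixes, walks the route-map sequences first-match-wins, and contrasts the posted ACLs 130/140 (which only split off 10/8) with lmediavilla's all-RFC-1918 ACLs, where the ADSL ACL must also deny those ranges or sequence 10 catches them first. The function names (pbr_egress, nat_translates) and the public test address 198.51.100.10 are the example's own.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (10.0.0.0 0.255.255.255) into a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()
    if w != (1 << (32 - prefix)) - 1:            # only contiguous wildcards are modelled
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def acl_permits(acl, ip):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    ip = ipaddress.ip_address(ip)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False

NET10 = wildcard_to_network("10.0.0.0", "0.255.255.255")
RFC1918 = [NET10, wildcard_to_network("172.16.0.0", "0.15.255.255"),
           wildcard_to_network("192.168.0.0", "0.0.255.255")]
# Final config above: ACL 130 (ADSL) and ACL 140 (INTRANET) only split off 10/8.
ACL_130 = [("deny", NET10), ("permit", ANY)]
ACL_140 = [("permit", NET10), ("deny", ANY)]
# lmediavilla's proposal: ACL 111 (ADSL) / ACL 110 (INTRANET) cover all RFC 1918 space.
ACL_111_PROPOSED = [("deny", n) for n in RFC1918] + [("permit", ANY)]
ACL_110_PROPOSED = [("permit", n) for n in RFC1918] + [("deny", ANY)]
# Source ACL 110 of the final config: only the LAN subnet is translated.
ACL_110_SRC = [("permit", wildcard_to_network("172.10.1.0", "0.0.0.255"))]

# route-map PBR: sequence 10 sets Dialer1, sequence 20 sets FastEthernet0.
PBR_FINAL = [(ACL_130, "Dialer1"), (ACL_140, "FastEthernet0")]
PBR_PROPOSED = [(ACL_111_PROPOSED, "Dialer1"), (ACL_110_PROPOSED, "FastEthernet0")]

def pbr_egress(dst, policy=PBR_FINAL):
    """Interface set by route-map PBR for dst, or None (falls back to the routing table)."""
    for acl, iface in policy:
        if acl_permits(acl, dst):
            return iface
    return None

def nat_translates(src, egress):
    """NAT route-map fires only if ACL 110 permits src and egress is its matched interface."""
    return acl_permits(ACL_110_SRC, src) and egress in ("Dialer1", "FastEthernet0")

if __name__ == "__main__":
    for dst in ("10.32.102.62", "198.51.100.10", "192.168.5.5"):
        print(dst, "final ->", pbr_egress(dst), "| proposed ->", pbr_egress(dst, PBR_PROPOSED))
```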

Failover doesn't work smoothly in my experience. If one link fails you need to clear the NAT table, else some egress traffic will have the wrong WAN IP.

You can get around this, but all connections get reset if one link fails.

track 10 interface FastEthernet0 ip routing
 delay down 5 up 30
!
track 20 interface Dialer1 ip routing
 delay down 5 up 30
!
event manager applet CLEAR-NAT-TABLE-DI0
 event track 10 state any
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translations *"
event manager applet CLEAR-NAT-TABLE-DI1
 event track 20 state any
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translations *"

Cadet is right: you should route private networks to one interface (or gateway) and public ones to the other. And I would also use a different NAT ACL for each service, one that allows public IP addresses and denies private ones, and the other ACL the opposite.

Kind regards
