Dual NATting for 2 ISP Link

Hi,

I have two ISP links:

                    |--------------------------ISP 1

LAN--- Router

                    |--------------------------ISP 2

I have configured IP SLA, and both links are active-active right now.

If I have a server 10.1.1.100 which is NATted to the ISP 1 IP pool and the ISP 1 link goes down, it should get NATted to the ISP 2 IP pool and work. But it's not working; I have tried all the methods. Can someone please help me troubleshoot or configure this?

Please find the configuration of NAT

ip sla monitor 1

type echo protocol ipIcmpEcho XX.XX.XX.XX

threshold 3

frequency 5

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type echo protocol ipIcmpEcho YY.YY.YY.YY

threshold 3

frequency 5

ip sla monitor schedule 2 life forever start-time now

track 101 rtr 1 reachability

!

track 102 rtr 2 reachability

interface FastEthernet0/0.800

encapsulation dot1Q 800

ip address XX.XX.XX.XX 255.255.255.248

no ip redirects

no ip unreachables

ip accounting output-packets

ip nat outside

ip virtual-reassembly

no ip route-cache same-interface

no ip route-cache

ip tcp adjust-mss 1420

no cdp enable

interface FastEthernet0/1

ip address YY.YY.YY.YY 255.255.255.248

ip nat outside

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

interface FastEthernet1/0

ip address zz.zz.zz.zz 255.255.255.240

ip nat inside

ip virtual-reassembly

ip policy route-map ISP

duplex auto

speed auto

ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx(NH) track 101

ip route 0.0.0.0 0.0.0.0 yy.yy.yy.yy(NH) track 102

ip access-list standard ISP1

permit 10.1.1.100

!

route-map ISP permit 10

match ip address ISP1

set ip next-hop verify-availability xx.xx.xx.xx(NH) 10 track 101

set ip next-hop verify-availability yy.yy.yy.yy(NH) 20 track 101

ip nat inside source static 10.1.1.100 xx.xx.xx.x1 route-map ISP1 extendable

ip nat inside source static 10.1.1.100 yy.yy.yy.y1 route-map ISP2 extendable

route-map ISP2 permit 10

match ip address ISP1

set ip next-hop verify-availability yy.yy.yy.yy(NH) 10 track 102

!

route-map ISP1 permit 10

match ip address ISP1

set ip next-hop verify-availability xx.xx.xx.xx(NH) 10 track 101

Please help...

Nitesh


Latchum Naidu
VIP Alumni

Hi Nitesh,

Please refer to the config below; it may help you.

This is what I have on one of my customers' routers, and it is working as expected.

interface FastEthernet0/0

Description Primary link ISP1

ip address 12.x.x.x 255.255.255.240

ip nat outside


interface FastEthernet1/0

Description Secondary link ISP2

ip address 76.x.x.x 255.255.255.0

ip nat outside


interface FastEthernet1/1

Description Inside LAN segment

ip address 172.168.60.1 255.255.255.0

ip nat inside


access-list 100 permit ip 172.168.60.0 0.0.0.255 any


route-map isp1 permit 10

match ip address 100

match interface FastEthernet0/0


route-map isp2 permit 10

match ip address 100

match interface FastEthernet1/0


ip nat inside source route-map isp1 interface FastEthernet0/0 overload

ip nat inside source route-map isp2 interface FastEthernet1/0 overload


! Primary default route pointing towards the next-hop IP of ISP1

ip route 0.0.0.0 0.0.0.0 12.y.y.y

! Backup default route with higher AD (10) pointing towards the next-hop IP of ISP2

ip route 0.0.0.0 0.0.0.0 76.y.y.y 10

The above example shows how we can perform failover for PAT (Port Address Translation) for traffic going out to the Internet. By using route-maps and the "match interface" option, we can achieve failover for static NAT translation as well, which is generally configured when services such as a web server or Exchange server hosted inside are made accessible from the Internet.


route-map isp1static permit 10

match interface FastEthernet0/0


route-map isp2static permit 10

match interface FastEthernet1/0


ip nat inside source static 172.168.60.2 12.x.x.x route-map isp1static

ip nat inside source static 172.168.60.2 76.x.x.x route-map isp2static

Please rate all the helpful posts.

Regards,

Naidu.
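
The reply's "match interface" approach applied to the question's server 10.1.1.100 and its IP SLA tracked default routes, as an added example that is not part of either post. ACL 110 and the route-map names ISP1-NAT and ISP2-NAT are hypothetical; the address placeholders are the question's own.

```cisco
! Added example. Placeholders (XX/YY, xx.xx.xx.xx(NH), x1/y1) are copied from
! the question; ACL 110 and route-maps ISP1-NAT / ISP2-NAT are hypothetical.
!
! Reachability probes and tracked default routes, as in the question
ip sla monitor 1
 type echo protocol ipIcmpEcho XX.XX.XX.XX
 threshold 3
 frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho YY.YY.YY.YY
 threshold 3
 frequency 5
ip sla monitor schedule 2 life forever start-time now
!
track 101 rtr 1 reachability
track 102 rtr 2 reachability
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx(NH) track 101
ip route 0.0.0.0 0.0.0.0 yy.yy.yy.yy(NH) track 102
!
! NAT roles only; addressing and other interface settings stay as in the question
interface FastEthernet0/0.800
 ip nat outside
interface FastEthernet0/1
 ip nat outside
interface FastEthernet1/0
 ip nat inside
!
! Traffic sourced from the server
access-list 110 permit ip host 10.1.1.100 any
!
! Each NAT route-map is tied to one egress interface, so a translation
! applies only to packets that leave on that ISP's link
route-map ISP1-NAT permit 10
 match ip address 110
 match interface FastEthernet0/0.800
!
route-map ISP2-NAT permit 10
 match ip address 110
 match interface FastEthernet0/1
!
ip nat inside source static 10.1.1.100 xx.xx.xx.x1 route-map ISP1-NAT extendable
ip nat inside source static 10.1.1.100 yy.yy.yy.y1 route-map ISP2-NAT extendable
```

`show track` and `show ip nat translations` can be used to check which default route and which translation are in use after one outside link is taken down.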