Dear Mr.Fabric,

Please Thank you very much, but just cleare some things as highlights in red color.

interface Loopback100

description Used for static NAT services

ip address 192.168.1.1 255.255.255.252

ip nat outside

ip policy route-map PBR-LOOP

!

interface FastEthernet0/0.1
encapsulation dot1Q 9-----------LAN
ip address 10.10.5.70 255.255.255.0
ip nat inside

ip policy route-map PBR-LAN

!

ip nat inside source static 10.10.5.60 82.128.161.51 route-map isp1-------- Where is this or we need
ip nat inside source static 10.10.5.60 77.192.187.251 route-map isp2-------Where is this or we need

!

route-map PBR-LAN permit 10

match ip address STATIC-NAT-SERVICES

set ip next-hop 192.168.1.2---------- what is this # or it is 1

!

ip access-list extended STATIC-NAT-SERVICES

permit ip host 10.10.5.60 any

!

route-map PBR-LOOP permit 10

match ip address STATIC-NAT-ISP1

set ip next-hop 82.128.161.33

!

route-map PBR-LOOP permit 20

match ip address STATIC-NAT-ISP2

set ip next-hop 77.192.187.254

!

ip access-list extended STATIC-NAT-ISP1

permit ip host 82.128.161.51 any

ip access-list extended STATIC-NAT-ISP2

permit ip host 77.192.187.251 any

Hello Fabrice

Awesome solution. But can you please explain what exactly happened with the orginal configuration and what was causing the web page to be not working for a particular IP.

My understanding is below and please tell me what happened next.

Traffic coming fom the internet first hits the below NAT entry and entered the server, and the server is responding with its own private IP as sourc and orginal source IP as the destination.

ip nat inside source static 10.10.5.60 82.128.161.51 route-map isp1
ip nat inside source static 10.10.5.60 77.192.187.251 route-map isp2

Now the packet hits the Fa0/0.1 and translating the private IP back to the public IP using the existing NAT entry in the table and sending out the traffic to the more preffered route with AD of 1. So are you trying to say that all the traffic uses the more preffered ISP path(77.192.187.254), even through orginally the packet received on different ISP side.

Please advice exactly what happened, Also tell me the order of NAT operation if possible.

Thanks,

Kasi

Now the packet hits the Fa0/0.1 and translating the private IP back  to the public IP using the existing NAT entry in the table and sending  out the traffic to the more preffered route with AD of 1. So are you  trying to say that all the traffic uses the more preffered ISP  path(77.192.187.254), even through orginally the packet received on  different ISP side.

-> when packet is received on inside interface, we first do the routing decision and then (assuming the egress interface is configured as NAT outside) we do the NAT translation. So when the forwarding decision is made, we don't know which ISPF the packet came from. That's why we need this trick with the loopback to force NAT operation before the forwarding decision.

I hope this helps,

Fabrice

Fabrice,

-> when packet is received on inside interface, we first do the  routing decision and then (assuming the egress interface is configured  as NAT outside) we do the NAT translation. So when the forwarding  decision is made, we don't know which ISPF the packet came from ---> Ok consider in that situation we are sending the packet to the more preffered ISP based on the routing table. Do you think Async path might be the issue or ISP is dropping the packet, because of not having their own allocated source IP.

Thanks

http://bestitshop.blogspot.com/2011/11/cisco-network-devices-for-sale.html#

All 100% ok and working Fine

Thanks, it is working but one problem with it , from server i can not reached to out side (no internet) , also i can not ping the server from out side. but i can browse the server from out side with any public IP.

This is my runn  config.

enable secret 5 $1$HS08$ibuEtGDSO7r7m3FH.d0bgjOZ/
enable password 7 1218011A1Bb055H0C2527203213D32
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Loopback0
ip address 192.168.150.1 255.255.255.252
ip nat outside
ip policy route-map PBR-LOOP
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 10.10.1.9 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet0/0.1
encapsulation dot1Q 9
ip address 10.10.5.70 255.255.255.0
ip nat inside
ip policy route-map PBR-LAN
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 82.128.161.50 255.255.255.224
ip nat outside
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 77.192.187.250 255.255.255.248
ip nat outside
!
ip nat inside source static 10.10.5.60 82.128.161.51 route-map isp1
ip nat inside source static 10.10.5.60 77.192.187.251 route-map isp2
ip classless
ip route 0.0.0.0 0.0.0.0 77.192.187.254 10
ip route 0.0.0.0 0.0.0.0 82.128.161.33 20
no ip http server
!
ip access-list extended STATIC-NAT-ISP1
permit ip host 82.128.161.51 any
ip access-list extended STATIC-NAT-ISP2
permit ip host 77.192.187.251 any
ip access-list extended STATIC-NAT-SERVICES
permit ip host 10.10.5.60 any
!
route-map PBR-LAN permit 10
match ip address STATIC-NAT-SERVICES
set ip next-hop 192.168.150.2
!
route-map isp2 permit 10
match interface FastEthernet0/0.4
!
route-map isp1 permit 10
match interface FastEthernet0/0.3
!
route-map PBR-LOOP permit 10
match ip address STATIC-NAT-ISP1
set ip next-hop 82.118.161.33
!
route-map PBR-LOOP permit 20
match ip address STATIC-NAT-ISP2
set ip next-hop 77.92.187.254
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 7 1416160GH6050A7E232B24373C2CF1A453
login
!
!
end

Router#

Hello Fabrice,

This is really really neat solution! I like it very much!

Now i am trying to achieve exactly the same thing and i am using your approach, but for some reason it's not working for me.. I understand very well the idea behing it and i am struggling to understand why is it failing for me.

here's my config:

LAN interface:

interface Vlan648

description LAN

ip address 10.10.148.2 255.255.255.0

ip nat inside

ip virtual-reassembly in

standby 1 ip 10.10.148.1

standby 1 priority 10

standby 1 preempt

ip policy route-map rmap_pbr_lan

end

ISP1 interface:

interface Vlan802

description ISP1

bandwidth 4000

ip address 1.2.3.121 255.255.255.252 secondary

ip address 1.2.3.198 255.255.255.252

ip nat outside

ip virtual-reassembly in

load-interval 30

crypto map vpnmap_1

ISP2 interface:

interface Vlan605

description ISP2

bandwidth 4000

ip address 5.6.7.129 255.255.255.224

ip nat outside

ip virtual-reassembly in

load-interval 30

Loopback interface:

interface Loopback1

ip address 10.10.224.1 255.255.255.252

ip nat outside

ip virtual-reassembly in

ip policy route-map rmap_pbr_loopback

route-maps & ACLs:

ip access-list extended acl_nat_internet

deny   ip host 10.10.1.12 any

deny   ip any 10.0.0.0 0.255.255.255

deny   ip any 172.16.0.0 0.15.255.255

deny   ip any 192.168.0.0 0.0.255.255

permit ip 10.10.0.0 0.0.255.255 any

permit ip 10.100.0.0 0.0.255.255 any

ip access-list extended acl_pbr_lan_staticnathosts

permit ip host 10.10.148.10 any

permit ip host 10.10.1.13 any

permit ip host 10.10.1.16 any

permit ip host 10.10.1.100 any

permit ip host 10.10.1.12 any

ip access-list extended acl_pbr_isp_ispa

permit ip host 5.6.7.129 any

ip access-list extended acl_pbr_isp_mtn

permit ip host 1.2.3.121 any

permit ip host 1.2.3.198 any

route-map rmap_pbr_lan permit 10

match ip address acl_pbr_lan_staticnathosts

set ip next-hop 10.10.224.2

!

route-map rmap_nat_internet_ispa permit 10

match ip address acl_nat_internet

match interface Vlan605

!

route-map rmap_nat_internet permit 10

match ip address acl_nat_internet

match interface Vlan802

!

route-map rmap_pbr_loopback permit 10

match ip address acl_pbr_isp_mtn

set ip next-hop 1.2.3.197

!

route-map rmap_pbr_loopback permit 20

match ip address acl_pbr_isp_ispa

set ip next-hop 5.6.7.158

ip nat pool inet-pool 1.2.3.198 1.2.3.198 netmask 255.255.255.252

ip nat inside source route-map rmap_nat_internet pool inet-pool overload

ip nat inside source route-map rmap_nat_internet_ispa interface Vlan605 overload

ip nat inside source static tcp 10.10.1.12 443 1.2.3.121 443 extendable

ip nat inside source static tcp 10.10.1.12 3092 1.2.3.121 3092 extendable

ip nat inside source static tcp 10.10.1.12 443 5.6.7.129 443 extendable

ip nat inside source static tcp 10.10.1.12 3092 5.6.7.129 3092 extendable

Static routes:

ip route 0.0.0.0 0.0.0.0 1.2.3.197 track 4

ip route 0.0.0.0 0.0.0.0 5.6.7.158 10

What happens is when i apply the route-map on the LAN interface i see matches.

But no matches on the route-map on the loopback interface

I see the translations in show ip nat translations as they should be.

InternetRTR1#sh ip nat translations | i 10.10.1.12

tcp 5.6.7.129:443   10.10.1.12:443        78.130.143.36:1329    78.130.143.36:1329

tcp 5.6.7.129:443   10.10.1.12:443        78.130.143.36:5548    78.130.143.36:5548

tcp 5.6.7.129:443   10.10.1.12:443        78.130.143.36:35791   78.130.143.36:35791

tcp 5.6.7.129:443   10.10.1.12:443        78.130.143.36:53634   78.130.143.36:53634

tcp 1.2.3.121:443     10.10.1.12:443        78.130.143.36:50799   78.130.143.36:50799

tcp 1.2.3.121:443     10.10.1.12:443        78.130.143.36:16218   78.130.143.36:16218

InternetRTR1#sh route-map rmap_pbr_lan

route-map rmap_pbr_lan, permit, sequence 10

  Match clauses:

    ip address (access-lists): acl_pbr_lan_staticnathosts

  Set clauses:

    ip next-hop 10.10.224.2

  Policy routing matches: 2749 packets, 419906 bytes

InternetRTR1#sh route-map rmap_pbr_loopback

route-map rmap_pbr_loopback, permit, sequence 10

  Match clauses:

    ip address (access-lists): acl_pbr_isp_mtn

  Set clauses:

    ip next-hop 1.2.3.197

  Policy routing matches: 0 packets, 0 bytes

route-map rmap_pbr_loopback, permit, sequence 20

  Match clauses:

    ip address (access-lists): acl_pbr_isp_ispa

  Set clauses:

    ip next-hop 5.6.7.158

  Policy routing matches: 0 packets, 0 bytes

Please Help!

Dear Fabric,

It is giving netting error with the same IP.

NAT already exict with 10.10.5.60 82.128.161.51

ip nat inside source static 10.10.5.60 82.128.161.51
ip nat inside source static 10.10.5.60 77.192.187.251------------------ Error when I enter this command.

I Try with two IPs, (Assing two ips to Server.) it is working but not with sing IP, Please see It.

ip nat inside source static 10.10.5.60 82.128.161.51
ip nat inside source static 10.10.5.61 77.192.187.251

Thnak you.