cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16579
Views
10
Helpful
26
Replies

Dual WAN for Inside Server by Static NAT and PBR.

tanveer2005
Level 1
Level 1

Please see the attached to understend. (tanh123@hotmail.com)

My goel is to access inside Server from outside with two public IP from 2 ISPs at same time. by static NST or PBR.
Please help me.

I can Ping to webserver by both public ips at same time ,but i can browes by using only
first default route bublic IP from outside internet. Can some one solved my problem or any change
required.

This is runn conf.

interface FastEthernet0/0.1
encapsulation dot1Q 9-----------LAN
ip address 10.10.5.70 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.3
encapsulation dot1Q 3---------- ISP-1
ip address 82.128.161.50 255.255.255.224
ip nat outside
!
interface FastEthernet0/0.4
encapsulation dot1Q 4--------------ISP-2
ip address 77.192.187.250 255.255.255.248
ip nat outside
!
ip nat inside source static 10.10.5.60 82.128.161.51 route-map isp1
ip nat inside source static 10.10.5.60 77.192.187.251 route-map isp2
ip classless
ip route 0.0.0.0 0.0.0.0 77.192.187.254
ip route 0.0.0.0 0.0.0.0 82.128.161.33 20
no ip http server
!
route-map isp2 permit 10
match interface FastEthernet0/0.4
!
route-map isp1 permit 10
match interface FastEthernet0/0.3

26 Replies 26

Hi Tanveer,

You need to add 'extendable' keyword at the end of the static NAT

command to use same Inside local address :

ip nat inside source static 10.10.5.60 77.192.187.251 extendable

ip nat inside source static 10.10.5.60 82.128.161.51 extendable

Thx,

Fabrice

Dear Fabric,

Every Thing is working good and Thanks a lots.

Just Explain me again , why we make look interface, can we do by any otheway.

Please give me explain , thank you.

Hello Tanveer,

Thanks for feedback. Using a loopback as we did is the only way when the

servers are directly connected to the NAT router.

When there is a NAT capable device (Firewall for ex.) in between the NAT

router and server, we can do an extra NAT operation on that box which

eliminates the need for the loopback on NAT router.

Thx,

Fabrice

ip access-list extended STATIC-NAT-ISP1

permit ip host 82.128.161.51 any
ip access-list extended STATIC-NAT-ISP2
permit ip host 77.192.187.251 any

Could someone explain why are we using this ACL.. If the traffic is generated from one of these devices its fine.. What if traffic is sourced from some public IP.

These acl are used with PBR done on the loopback interface. The goal is to match packets back from internal server after the NAT translation, so we can forward the packet to the right ISP, depending on source IP (inside global addresses).

Thx,

Fabrice

Hi Fabrice,

Thanks a lot for your support and information,

can you explain it , If i have any PIX so server will connect to PIX and PIX will connect to NAT-Router , what will the configuration at PIX and NAT router,

My quactions blews?

I need the nating at PIX also or no.

Server Gateway will be PIX inside IP.

PIX gateway will be ip of NAT-Router ( we need gefault routing at pix or no)

We need one differtent network between PIX and NAT-Router or no need (exemple 192.168.100.0/30 )

please give me config , Thank you again.

Hi,

Forwarding traffic through a loopback interface is not officially supported, this solution doesn't work in all IOS releases.

Which release are you running ?

You can run 'debug ip policy' to see if packets are dropped for any reason when sent over the loopback.

Thx,


Fabrice

Ah I see,

maybe that's the problem. The router is 2921 IOS:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

I will try later on with the debug.

BTW, prior to finding your solution i had another idea that would also work. But i am not able to figure out how to implement it on a Cisco router.

If i configure both destination and static NAT for the traffic it will work. Meaning:

Outside client with IP address 9.8.7.6 is connecting to our public IP of the ISP2 5.6.7.129 port 443.

Router is translating the destination to the internal server IP 10.10.1.12 AND at the same time is translating the client source IP to it's own LAN interface IP

So our internal server is seeing HTTPS request with source IP 10.10.148.2 which is internally routable. Ofcoure we loose the real client source IP in the https server logs, but that's not needed anyways. Almost as the router is terminating the conversation on Layer4 like a proxy server. So is this achievable on IOS? Does anybody has an idea?

I vaguely remember having tried such a config couple of years back without sucess. There are couple of limitations with outside NAT in IOS (no overload option) that makes such config hard to implement...

Hello Fabrice,

Thank you for your very helpful solution!

As you pointed out in another post, routing traffic through a loopback interface doesn't work on all IOS version. I have been doing it on 12.4T without problems, but on 15.1M it doesn't work. On 12.4T, the packets are punted from CEF to process switching, and everything works as intended. On 15.1M however, the traffic is discarded by CEF, and never gets egressed on a physical interface at all.

I did find another way of doing it though, which may be of help to others. I replaced the loopback interface with a tunnel interface! As an added bonus, this solution works using CEF, nothing's punted to process switching. Here are the corresponding config lines:

!

interface Tunnel100

ip address 192.168.1.1 255.255.255.252

ip nat outside

ip policy route-map PBR-LOOP

tunnel source 10.10.5.70      !---- any address that the router receives on should work here

tunnel destination 10.10.5.70 !---- ditto

end

Hello Marius,

Nice, let's hope all IOS accept tunnel with same tunnel src and dst ;-)

Fabrice

Review Cisco Networking for a $25 gift card