11-20-2011 08:31 AM - edited 03-04-2019 02:20 PM
Hi everybody.
I have a similar configuration to the one described here https://supportforums.cisco.com/message/3494977#3494977 but a slightly different problem.
Let's start.
I have a CISCO 2911 device. It has 3 GigabitEthernet interfaces and we bought one more FastEthernet interface for the DMZ.
One GE is the LAN interface and the other two are WAN interfaces (one of them has the DMZ interface, set on FastEthernet, assigned to it). So here is the problem. Everything worked just fine until last week. The idea of this configuration is that most traffic flows through one WAN interface and some critical traffic must go through the other (mostly some of the VPN connections), and eventually that other link needs to work as a backup link if the first one fails.
Now the problem. I cannot go out through the backup link. EXCEPT. We set some services up through NAT and everybody can access them from outside?! I debugged some NAT translations and saw that there is a translation from our side to the WAN but nothing is returning back?!
Here is the config:
Current configuration : 47956 bytes
!
! Last configuration change at 15:58:50 Prague Wed Nov 16 2011 by belit_adm
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$..gV$.hcKrK27/A4SHnV9Nyo6N0
enable password 7 11044B5C54515E0E576E6F
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Prague 1
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
no ip cef
!
!
!
!
no ip bootp server
ip domain name domain.local
ip name-server 21.16.2.1
!
multilink bundle-name authenticated
!
parameter-map type ooo global
tcp reassembly queue length 64
tcp reassembly memory limit 4096
!
!
!
license udi pid CISCO2911/K9 sn FHK1431F2Y0
!
!
username admin privilege 15 secret 5 $1$miqR$D2cXHh21ml8adQahjRj/g/
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
ip ssh version 1
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description LAN$FW_INSIDE$
ip address 172.28.42.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map MWOut
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description WAN 1
mac-address 000c.29e3.c57f
ip address 1.2.3.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN 2
ip address 5.6.7.8 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface FastEthernet0/0/0
description DMZ$FW_OUTSIDE$
ip address 12.12.12.12 255.255.255.248 secondary
ip address 23.23.23.23 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip policy route-map DMZOut
duplex auto
speed auto
no mop enabled
!
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip flow-top-talkers
top 25
sort-by bytes
cache-timeout 2500
!
ip nat inside source static tcp 172.28.42.183 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 172.28.42.233 1723 interface GigabitEthernet0/2 1723
ip nat inside source static tcp 172.28.42.4 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 172.28.42.4 25 interface GigabitEthernet0/2 25
ip nat inside source static tcp 172.28.42.185 80 interface GigabitEthernet0/2 80
ip nat inside source static tcp 172.28.42.143 80 interface GigabitEthernet0/1 80
ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/2 overload
ip nat inside source route-map WAN1-NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 15
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 16
ip route 9.15.6.11 255.255.255.255 GigabitEthernet0/2 4
!
!
logging trap debugging
access-list 1 permit 172.28.42.0 0.0.0.255
access-list 1 deny any
access-list 2 remark CCP_ACL Category=18
access-list 2 deny 172.28.42.183
access-list 2 deny 172.28.42.192 0.0.0.63
access-list 2 permit 172.28.42.0 0.0.0.255
access-list 3 remark CCP_ACL Category=18
access-list 3 deny 172.28.42.183
access-list 3 deny 172.28.42.192 0.0.0.63
access-list 3 permit 172.28.42.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.28.42.0 0.0.0.255 any
access-list 130 permit ip 12.12.12.1 0.0.0.7 any
access-list 130 permit ip 23.23.23.1 0.0.0.7 any
access-list 131 permit ip 172.28.42.192 0.0.0.63 any
access-list 131 permit ip host 172.28.42.4 any
access-list 131 permit ip host 172.28.42.185 any
!
no cdp run
!
!
!
route-map DMZOut permit 30
match ip address 130
set ip next-hop 1.2.3.3
!
route-map WAN2-NAT permit 10
match ip address 2
match interface GigabitEthernet0/2
!
route-map WAN1-NAT permit 10
match ip address 3
match interface GigabitEthernet0/1
!
route-map MWOut permit 20
match ip address 131
set ip next-hop 1.2.3.3
When I try to connect to the VPN server at 9.15.6.11 I cannot connect until the route is set over interface GE0/1. Is there any idea how to solve the problem?
NOTE:
All interfaces on the router are OK. I double checked all of them. On the provider side everything is OK except they had some problem on the night when my config stopped working. BUT. When I connect a laptop to the interface that belongs to the WAN2 ISP everything is working just fine, so I suppose that the only problem here is my configuration.
11-20-2011 03:53 PM
You say you have moved some routes to the other link, but has your service provider also moved the appropriate return routes?
Sounds like asymmetric routing, where it's going out one link but being sent back via the other, original link, hence you'd only see NAT translations in one direction. Anything stateful in between, such as firewalls, is not going to like that either.
Get a copy of your routes from your ISP to see where they are sending traffic to your outside translated addresses; it could be they are all still pointing at your original link!
11-23-2011 04:49 AM
Well, I called my ISP and they did something with their layer 3 switch so we are now on a different VLAN. That's their explanation, so I'm not able to tell if they are wrong or not. Anyway, the problem was solved when I changed my route from "GigabitEthernet0/2" to the IP address of my ISP's next hop. That is fine, but now I have another problem. Now I cannot access anything on the WAN 1 link. When I remove the static route ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 15 everything goes through the WAN 2 link, and when I bring that route back the Internet doesn't work at all. I tried to set my next hop address from the other ISP as I did for the WAN 2 link but no luck so far. I'm starting to pull my hair out... Here is the new configuration:
interface GigabitEthernet0/0
description LAN
ip address 172.28.42.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map MWOut
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description WAN 1
ip address 1.2.3.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN 2
ip address 5.6.7.8 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface FastEthernet0/0/0
description DMZ
ip address 2.3.4.5 255.255.255.248 secondary
ip address 4.5.6.7 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip policy route-map DMZOut
duplex auto
speed auto
no mop enabled
!
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip flow-top-talkers
top 25
sort-by bytes
cache-timeout 2500
!
ip nat inside source static tcp 172.28.42.233 1723 interface GigabitEthernet0/2 1723
ip nat inside source static tcp 172.28.42.203 1723 interface GigabitEthernet0/1 1723
ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/2 overload
ip nat inside source route-map WAN1-NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.1 15
ip route 0.0.0.0 0.0.0.0 5.6.7.1 16
ip route 91.150.67.11 255.255.255.255 5.6.7.1 4
!
!
logging trap debugging
access-list 1 permit 172.28.42.0 0.0.0.255
access-list 1 deny any
!
access-list 2 deny 172.28.42.192 0.0.0.63
access-list 2 permit 172.28.42.0 0.0.0.255
!
access-list 3 deny 172.28.42.192 0.0.0.63
access-list 3 permit 172.28.42.0 0.0.0.255
!
access-list 101 permit ip 172.28.42.0 0.0.0.255 any
!
access-list 130 permit ip 2.3.4.0 0.0.0.7 any
access-list 130 permit ip 4.5.6.0 0.0.0.7 any
!
access-list 131 permit ip 172.28.42.192 0.0.0.63 any
access-list 131 permit ip host 172.28.42.4 any
access-list 131 permit ip host 172.28.42.185 any
!
access-list 132 permit ip host 172.28.42.203 any
!
!
!
route-map DMZOut permit 10
match ip address 130
set ip next-hop 5.6.7.1
!
route-map WAN2-NAT permit 10
match ip address 2
set ip next-hop 5.6.7.1
!
route-map WAN1-NAT permit 10
match ip address 3
match interface 1.2.3.1
!
route-map MWOut permit 5
match ip address 132
set ip next-hop 1.2.3.1
!
route-map MWOut permit 10
match ip address 131
set ip next-hop 5.6.7.1
!
!
end
Note that yet again everything from outside to inside is going through NAT to both interfaces as it should.
Message was edited by: Ivica Vujovic
11-23-2011 06:29 AM
Hi,
1) you're referencing 2 route-maps in your NAT overload config but I don't see them anywhere else in the config?
EDIT: I need a new pair of glasses. EDIT2: No no, I can keep this one.
2) why are you changing the AD of this static route? It isn't necessary. EDIT: just a remark, not correcting the behaviour, forget about it.
ip route 91.150.67.11 255.255.255.255 5.6.7.1 4
Regards.
Alain
11-23-2011 06:33 AM
Sorry, I forgot to change it also in the NAT overload. I edited the configuration to match the actual one.
Regarding the route
ip route 91.150.67.11 255.255.255.255 5.6.7.1 4
I added a lower AD so I can prioritize traffic to go through the WAN 2 link and not through WAN 1.
The idea is to put almost all traffic through WAN 1 and some critical traffic through WAN 2. And the WAN 2 link is also a backup link if the route to WAN 1 fails.
11-23-2011 06:44 AM
Hi,
route-map WAN2-NAT permit 10
match ip address 2
set ip next-hop 5.6.7.1 ----> it should be match interface
route-map WAN1-NAT permit 10
match ip address 3
match interface 1.2.3.1 ----> this isn't an interface id
ip route 0.0.0.0 0.0.0.0 1.2.3.1 15 ---> WAN1
ip route 0.0.0.0 0.0.0.0 5.6.7.1 16 ---->WAN2
These are both longest-match routes, and the second one, having a higher AD, will not get installed in the routing table unless the first one fails; is this what you want? Then the NAT to WAN2 won't work, because there is no route for forwarding traffic to this interface.
Regards.
Alain
11-23-2011 06:46 AM
Hi,
it's not a lower AD but a higher one, as the default is 1, and when there is only one static route that is the longest match, AD is not taken into account.
Regards.
Alain
11-23-2011 07:09 AM
That's right. The second one is not active until the first one fails. Also there is a third ip route, as its traffic should go through WAN 2, hence AD is 4.
Regarding
route-map WAN2-NAT permit 10
route-map WAN1-NAT permit 10
you suggest I should use match interface GigabitEthernet0/x instead of set ip next-hop x.x.x.x?
EDIT: The WAN 2 link is OK, but at the moment WAN 1 is not translating as it should. I will try with match interface to see if there is any result.
11-23-2011 08:27 AM
Hi,
a route-map used for NAT overloading on 2 different WAN interfaces must have a match interface command or match ip next-hop, but not a set ip next-hop command.
I still don't understand why you want this AD of 4 for the static host route; you can leave the default AD of 1, as there are no equal longest-match static routes for this destination.
Regards.
Alain
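Alain's rule (a NAT route-map selects traffic with match interface or match ip next-hop and never carries set ip next-hop) can be checked mechanically before a config is pushed. The Python lint below is an added example, not part of the thread or of any Cisco tool; it parses the NAT and route-map lines quoted above (constructed sample, full IOS interface names assumed) and flags the two defects Alain pointed out, plus a route-map that NAT references but the config never defines.

```python
import re

# Constructed sample: the NAT-related lines of the poster's second config, as quoted in the thread.
SAMPLE_CONFIG = """
ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/2 overload
ip nat inside source route-map WAN1-NAT interface GigabitEthernet0/1 overload
route-map WAN2-NAT permit 10
 match ip address 2
 set ip next-hop 5.6.7.1
route-map WAN1-NAT permit 10
 match ip address 3
 match interface 1.2.3.1
"""

# Interface ids as IOS prints them (GigabitEthernet0/2, FastEthernet0/0/0); abbreviations are not normalised.
IFACE_RE = re.compile(r"^(GigabitEthernet|FastEthernet|Ethernet|Serial|Loopback|Vlan|Tunnel|Dialer)\d", re.I)

def parse_route_maps(config):
    """Map each route-map name to its match/set clauses, merging all sequence numbers."""
    maps, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.match(r"route-map (\S+) (permit|deny) \d+$", line)
        if head:
            maps.setdefault(current := head.group(1), [])
        elif current and line.startswith(("match ", "set ")):
            maps[current].append(line)
        else:
            current = None  # '!' or any other statement ends the route-map block
    return maps

def lint_nat_route_maps(config):
    """Findings for every route-map referenced by an 'ip nat inside source route-map ... overload' line."""
    findings, maps = [], parse_route_maps(config)
    for name, nat_iface in re.findall(r"ip nat inside source route-map (\S+) interface (\S+) overload", config):
        clauses = maps.get(name)
        if clauses is None:
            findings.append(f"{name}: referenced by NAT but never defined")
            continue
        # A NAT route-map only selects traffic; rewriting the next hop belongs in a PBR route-map.
        if any(c.startswith("set ip next-hop") for c in clauses):
            findings.append(f"{name}: 'set ip next-hop' does not select the egress WAN; use 'match interface'")
        match_ifaces = [a for c in clauses if c.startswith("match interface ") for a in c.split()[2:]]
        if not match_ifaces and not any(c.startswith("match ip next-hop") for c in clauses):
            findings.append(f"{name}: no 'match interface' or 'match ip next-hop'; cannot tell the two WANs apart")
        for arg in match_ifaces:
            if not IFACE_RE.match(arg):
                findings.append(f"{name}: 'match interface {arg}' is not an interface id")
            elif arg.lower() != nat_iface.lower():
                findings.append(f"{name}: matches {arg} but the NAT statement translates on {nat_iface}")
    return findings
```

Run against the sample it reports three findings (two for WAN2-NAT, one for WAN1-NAT); with the corrections from the accepted answer applied it reports none.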
11-23-2011 09:04 AM
You're right. There is no need for setting the AD; I actually don't know why I put it there. Probably I was too tired to think about that.
Also you were right about match interface. That solved my problem. I hate it when I can't see the forest because of one tree. Thanks.