10-09-2012 05:44 AM - edited 03-04-2019 05:48 PM
Hi,
My scenario is similar to what has been discussed here: https://supportforums.cisco.com/thread/2067691
This was my earlier config. The problem was that with both WAN links active, inbound connections to the mapped servers were intermittent at best. If I shut the AIRTEL link, everything worked as expected.
interface GigabitEthernet0/0
 description "AIRTEL WAN LINK"
 ip address 185.74.201.66 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "TATA WAN LINK"
 ip address 62.17.239.179 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface GigabitEthernet0/2
 description "LAN INTERFACE"
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map AIRTEL interface GigabitEthernet0/0 overload
ip nat inside source route-map TATA interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.100.2 62.17.239.178
ip nat inside source static 192.168.0.44 62.17.239.180
ip nat inside source static 192.168.0.176 62.17.239.184
ip nat inside source static 192.168.0.5 62.17.239.185
ip route 0.0.0.0 0.0.0.0 185.74.201.65
ip route 0.0.0.0 0.0.0.0 66.17.239.177
ip route 10.11.1.0 255.255.255.0 62.17.239.177
ip route 192.168.0.0 255.255.255.0 192.168.100.2 -- ASA outside IP
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
route-map TATA permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map AIRTEL permit 10
 match ip address 110
 match interface GigabitEthernet0/0
This is the new config, after referencing the above thread and making necessary changes. Now, the inbound connectivity is completely down and I'm unable to ping the Global inside addresses of the servers. What am I missing?
interface Loopback100
 description Used for static NAT services
 ip address 192.168.101.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map STATIC-NAT-LOOP
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description "AIRTEL WAN LINK"
 ip address 185.74.201.66 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "TATA WAN LINK"
 ip address 62.17.239.179 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface GigabitEthernet0/2
 description "LAN INTERFACE"
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip policy route-map STATIC-NAT-LAN
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map AIRTEL interface GigabitEthernet0/0 overload
ip nat inside source route-map TATA interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.100.2 62.17.239.178 extendable
ip nat inside source static 192.168.0.44 62.17.239.180 extendable
ip nat inside source static 192.168.0.176 62.17.239.184 extendable
ip nat inside source static 192.168.0.5 62.17.239.185 extendable
ip nat inside source static 192.168.0.44 185.74.201.70 extendable
ip route 0.0.0.0 0.0.0.0 185.74.201.65
ip route 0.0.0.0 0.0.0.0 62.17.239.177
ip route 10.11.1.0 255.255.255.0 62.17.239.177
ip route 192.168.0.0 255.255.255.0 192.168.100.2
!
ip access-list extended STATIC-NAT-AIRTEL
 permit ip host 185.74.201.70 any
ip access-list extended STATIC-NAT-SERVICES
 permit ip host 192.168.0.44 any
 permit ip host 192.168.0.176 any
 permit ip host 192.168.0.5 any
 permit ip host 192.168.100.2 any
ip access-list extended STATIC-NAT-TATA
 permit ip host 62.17.239.180 any
 permit ip host 62.17.239.184 any
 permit ip host 62.17.239.185 any
 permit ip host 62.17.239.178 any
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
route-map TATA permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map STATIC-NAT-LAN permit 10
 match ip address STATIC-NAT-SERVICES
 set ip next-hop 192.168.101.2
!
route-map AIRTEL permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!
route-map STATIC-NAT-LOOP permit 10
 match ip address STATIC-NAT-TATA
 set ip next-hop 62.17.239.177
!
route-map STATIC-NAT-LOOP permit 20
 match ip address STATIC-NAT-AIRTEL
 set ip next-hop 185.74.201.65
10-09-2012 11:37 PM
Would appreciate it if someone can take a look...badly stuck...thx!
10-10-2012 07:39 AM
Hi Kunal,
Remove this PBR and confirm back.
!
interface GigabitEthernet0/2
 description "LAN INTERFACE"
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip policy route-map STATIC-NAT-LAN <<<<<
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
HTH
MJ
10-10-2012 01:24 PM
Yep, I did that already since I lost all inbound connectivity. I meant for someone to point out any mistakes in my config which was causing this to happen. It seems like a tried and tested config template since it worked for the OP in the thread I referenced.
Currently I just have a simple route-map applied on the LAN interface to force all traffic originating from the servers to go out from Gig0/1 and removed the static NAT mapping of the other ISP as a temporary workaround. But ultimately I want each server to be mapped with public IPs of both ISPs.
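A lint-style check, added here as an example and not part of any post in the thread: it verifies that every static-route and policy-routing next hop in a config lies on a directly connected subnet. The config text is excerpted from the two configs in the opening post; the function names `connected` and `off_net_next_hops` are made up for this example.

```python
import ipaddress
import re

# Lines excerpted from the two configs posted in the thread.
COMMON = """\
interface GigabitEthernet0/0
 ip address 185.74.201.66 255.255.255.240
interface GigabitEthernet0/1
 ip address 62.17.239.179 255.255.255.240
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 185.74.201.65
ip route 10.11.1.0 255.255.255.0 62.17.239.177
ip route 192.168.0.0 255.255.255.0 192.168.100.2
"""
EARLIER = COMMON + "ip route 0.0.0.0 0.0.0.0 66.17.239.177\n"
NEW = COMMON + """\
interface Loopback100
 ip address 192.168.101.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 62.17.239.177
route-map STATIC-NAT-LAN permit 10
 set ip next-hop 192.168.101.2
route-map STATIC-NAT-LOOP permit 10
 set ip next-hop 62.17.239.177
route-map STATIC-NAT-LOOP permit 20
 set ip next-hop 185.74.201.65
"""
# Captures the whole statement and its dotted-quad next hop.
HOP = re.compile(
    r"^\s*((?:ip route \S+ \S+|set ip next-hop) (\d+(?:\.\d+){3}))", re.M)

def connected(config):
    """Map interface name -> connected network, from 'ip address' lines."""
    nets, name = {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            name = w[1]
        elif w[:2] == ["ip", "address"] and name:
            nets[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
    return nets

def off_net_next_hops(config):
    """Statements whose next hop sits on no directly connected subnet."""
    nets = connected(config).values()
    return [stmt for stmt, hop in HOP.findall(config)
            if not any(ipaddress.ip_address(hop) in n for n in nets)]
```

Against these excerpts, `off_net_next_hops(EARLIER)` returns the default route via 66.17.239.177 as posted, and `off_net_next_hops(NEW)` returns an empty list.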