Dual WAN with NAT/PBR

robardill
Level 1

I'm hoping someone can shed some light on getting this to work

We've got a Cisco 877W (test) and an 1841 (prod) with two PPPoE/Dialer interfaces to two different ISPs (NAT overloaded). We've tried the examples on both platforms and with 12.4 and 15.1. We have spoken to TAC at length, who weren't able to shed any light on what the issue was. Admittedly it was difficult due to limited downtime.

Looking through the many examples, it seems pretty straight forward, but I've now grown a full beard in the time I've spent trying to get it to work.

The crux of the problem is that NAT appears to be applying the wrong WAN IP to PBR traffic, and thus the provider is dropping the traffic, as expected.

Debugging the NAT translations confirms that the wrong IP is applied, and only removing "ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload" seems to get it to switch to the correct IP, after which traffic flows as expected. But upon applying the command again, it breaks again.

As a last-ditch attempt, we've stripped the config down to the basics hoping to identify some culprit command/setting, but we're still hitting a brick wall. If someone can identify the issue, they're in for a treat.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco877W
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
enable secret xxxx
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin privilege 15 password xxxxxx
!
archive
 log config
  hidekeys
!
ip ssh version 1
!
interface ATM0
 description (ATM0) ADSL2+
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 hold-queue 4096 in
!
interface ATM0.1 point-to-point
 description (ATM0.1) ADSL2+
 no ip redirects
 no ip proxy-arp
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 description (FastEthernet0) VLAN1 LAN
!
interface FastEthernet1
 description (FastEthernet1) VLAN1 LAN
!
interface FastEthernet2
 description (FastEthernet2) VLAN1 LAN
!
interface FastEthernet3
 description (FastEthernet3) VLAN4 WiMax (ISP2)
 switchport access vlan 4
!
interface Vlan1
 description (VLAN1) LAN
 ip address zz.xx.yy.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
!
interface Vlan4
 description WiMax
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer0
 description (Dialer0) ADSL
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxx
 ppp chap password xxxxx
!
interface Dialer1
 description (Dialer1) WiMax
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname xxxxx
 ppp chap password xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload
ip nat inside source route-map NAT-WIMAX interface Dialer1 overload
!
ip access-list extended LOCAL-LAN
 permit ip zz.xx.yy.0 0.0.1.255 any
ip access-list extended WIMAX-TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
!
access-list 5 remark Secure Admin Hosts
access-list 5 permit zz.xx.yy.0 0.0.1.255
access-list 5 deny   any log
access-list 100 permit ip zz.xx.yy.0 0.0.1.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map NAT-WIMAX permit 10
 match ip address LOCAL-LAN
!
route-map PBR permit 10
 match ip address WIMAX-TRAFFIC
 set interface Dialer1
!
route-map PBR permit 20
 match ip address LOCAL-LAN
 set interface Dialer0
!
route-map NAT-ADSL2 permit 10
 match ip address LOCAL-LAN
 set interface Dialer0
!
!
control-plane
!
!
line con 0
 no modem enable
 escape-character 3
line aux 0
 access-class 5 in
line vty 0 4
 session-timeout 60
 access-class 5 in
 exec-timeout 60 0
 privilege level 15
 login local
 transport input ssh
 escape-character 3
!
scheduler max-task-time 5000
end

8 Replies

cadet alain
VIP Alumni

Hi,

Can you try with these modifications:

route-map NAT-WIMAX permit 10
 match ip address LOCAL-LAN
 match interface Dialer1
!
route-map PBR permit 10
 match ip address WIMAX-TRAFFIC
 set interface Dialer1
route-map PBR permit 20
 match ip address LOCAL-LAN
 set interface Dialer0
!
route-map NAT-ADSL2 permit 10
 match ip address LOCAL-LAN
 match interface Dialer0

Regards.

Alain

Don't forget to rate helpful posts.

Okay, tried adding the set interface. Still no go.

interface Vlan1
 description (VLAN1) LAN
 ip address xx.yy.zz.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description WiMax
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password xxxx
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password xxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload
ip nat inside source route-map NAT-WIMAX interface Dialer1 overload
!
ip access-list extended LOCAL-LAN
 permit ip xx.yy.zz.0 0.0.1.255 any
ip access-list extended WIMAX-TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit ip any host 8.8.8.8
 permit ip host 8.8.8.8 any
!
access-list 7 permit 8.8.8.8
access-list 100 permit ip xx.yy.zz.0 0.0.1.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map NAT-WIMAX permit 10
 match ip address LOCAL-LAN
 set interface Dialer1
!
route-map PBR permit 10
 match ip address WIMAX-TRAFFIC
 set interface Dialer1
!
route-map PBR permit 20
 match ip address LOCAL-LAN
 set interface Dialer0
!
route-map NAT-ADSL2 permit 10
 match ip address LOCAL-LAN
 set interface Dialer0
!

Here is what I see in the NAT debug with and without "ip policy route-map PBR" on Vlan1:

a.b.c.d = Dialer0 IP
zz.xx.yy.1 = Vlan1 IP

As you can see, the same IP is being applied regardless of PBR. I'm at a loss as to what is going on. There must be a simple answer.

*Oct 25 23:22:55.271: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16025]
*Oct 25 23:22:56.219: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13741]
*Oct 25 23:22:56.271: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16026]
*Oct 25 23:22:57.219: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13745]
*Oct 25 23:22:57.267: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16027]
*Oct 25 23:22:58.215: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13750]
*Oct 25 23:22:58.267: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16028]
*Oct 25 23:22:59.215: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13753]
*Oct 25 23:22:59.263: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16029]
*Oct 25 23:23:39.040: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (zz.xx.yy.47)
*Oct 25 23:23:46.590: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14049]
*Oct 25 23:23:51.455: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14089]
*Oct 25 23:23:56.444: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14104]
*Oct 25 23:24:01.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14112]
*Oct 25 23:24:06.447: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14126]
*Oct 25 23:24:11.452: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14143]
*Oct 25 23:24:16.445: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14162]
*Oct 25 23:24:21.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14174]
*Oct 25 23:24:47.184: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (zz.xx.yy.47)
*Oct 25 23:24:49.897: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14368]
*Oct 25 23:24:49.945: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16030]
*Oct 25 23:24:50.885: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14371]
*Oct 25 23:24:50.933: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16031]
*Oct 25 23:24:51.885: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14374]


Hello

In addition to what has been pointed out, is it enough to have a single unconditional default route?

If ADSL is down, according to me your default route should point toward Dialer1:

For instance, you could use IP SLA/tracking:

ip sla 15
 icmp-echo 8.8.8.8 source-interface Dialer0
 timeout 2000
 frequency 5
ip sla schedule 15 life forever start-time now
track 17 rtr 15 reachability
 delay down 10 up 20
ip route 0.0.0.0 0.0.0.0 Dialer0 track 17
ip route 0.0.0.0 0.0.0.0 Dialer1 200

Kind regards

Francesco

I don't think this has anything to do with the routing table, as putting in a static route to 8.8.8.8 via Dialer1 doesn't change the results from above. Packets still egress Dialer1 with the IP of Dialer0.

ip route 8.8.8.8 255.255.255.255 Dialer1

*Oct 25 23:42:47.457: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [19822]
*Oct 25 23:42:52.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [19871]

robardill
Level 1

Perhaps someone knowledgeable can shed some light on how Cisco's NAT implementation chooses the source IP and what might be done to fix this behaviour.

Another point worth noting: most examples use route-maps with set ip next-hop rather than set interface (point-to-point interfaces only). Perhaps the two work differently.

I really don't want to use a second router just to be able to use set ip next-hop, but I will for a test to see if I can get this to work.

Hi Rob,

I had added a match interface statement in your NAT route-maps, not a set interface, because routing is always done before NAT.

So try with what I had proposed, debug it and send the results here.

Regards.

Alain

Don't forget to rate helpful posts.
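The evaluation order Alain describes, as an added Python model that is not part of this thread or of IOS: PBR/routing picks the egress interface first, then the "ip nat inside source route-map" rules are tried in configured order, and only a "match interface" clause makes a NAT route-map egress-specific. The second half checks "debug ip nat" lines in the format posted above for a translated source that does not belong to the egress interface. The addresses are constructed stand-ins for the masked ones, and the ACL logic is reduced to the source-prefix and port checks the posted config uses.

```python
import ipaddress
import re

# Constructed stand-ins for the thread's masked addresses (zz.xx.yy.0 0.0.1.255 and a.b.c.d).
LAN = ipaddress.ip_network("10.1.0.0/23")
WAN_IP = {"Dialer0": "203.0.113.10", "Dialer1": "198.51.100.20"}

# 'ip nat inside source route-map ... interface ... overload' rules in configured order:
# (route-map, its 'match interface' clause or None, interface whose address is used).
NAT_RULES_SET_STYLE = [("NAT-ADSL2", None, "Dialer0"),       # original config: 'set interface' only
                       ("NAT-WIMAX", None, "Dialer1")]
NAT_RULES_MATCH_STYLE = [("NAT-ADSL2", "Dialer0", "Dialer0"),  # Alain's fix: 'match interface'
                         ("NAT-WIMAX", "Dialer1", "Dialer1")]

def pbr_egress(src, dst_port):
    """route-map PBR on Vlan1: WIMAX-TRAFFIC (www, 443, ftp) -> Dialer1, other LAN traffic -> Dialer0."""
    if ipaddress.ip_address(src) not in LAN:
        return "Dialer0"           # not policy-routed: follows the default route via Dialer0
    return "Dialer1" if dst_port in (80, 443, 21) else "Dialer0"

def nat_source(src, egress, rules):
    """Routing (PBR included) runs before NAT, so the egress is known when NAT runs.
    The first rule whose route-map matches wins; a 'set interface' clause is not a
    match criterion, so a route-map without 'match interface' matches any egress."""
    for _name, match_if, pool_if in rules:
        if ipaddress.ip_address(src) in LAN and match_if in (None, egress):
            return WAN_IP[pool_if]
    return src                     # LOCAL-LAN not matched: no translation

def translate(src, dst_port, rules):
    """Return (egress interface, translated source) for one outbound packet."""
    egress = pbr_egress(src, dst_port)
    return egress, nat_source(src, egress, rules)

# Outbound 'debug ip nat' line as posted in the thread: "NAT*: s=<inside>-><outside>, d=<dst> [id]".
DEBUG_RE = re.compile(r"NAT\*: s=(\S+)->(\S+), d=(\S+) \[")

def find_mismatches(debug_lines, egress_for_dst):
    """Return (inside, translated, expected) for outbound lines whose translated source
    is not the address of the interface PBR sends that destination out of."""
    bad = []
    for line in debug_lines:
        m = DEBUG_RE.search(line)
        if m:
            inside, outside, dst = m.groups()
            expected = WAN_IP[egress_for_dst(dst)]
            if outside != expected:
                bad.append((inside, outside, expected))
    return bad
```

With the set-style rules every LAN source gets Dialer0's address even when PBR sent it out Dialer1, which is exactly what the posted debug shows; with match-style rules the address follows the egress.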

Hi Alain,

Thanks for pointing that out. I think I've been looking at this too long and totally missed the match/set thing.

Will give this a go and let you know.

Rob

I think that's done the trick, Alain. Just going to test it a bit further and will let you know. In the past it has worked, then after a reload or one of the interfaces flapping/bouncing, it stopped working.

Will advise.

Once again, thanks for the help and your eye for detail.

Rob
