10-25-2012 08:33 AM - edited 03-04-2019 05:57 PM
I'm hoping someone can shed some light on getting this to work
We've got a Cisco 877W (Test) & 1841 (prod) with two PPPoE/Dialer interfaces to two different ISPs (NAT overloaded). We've tried the examples on both platforms and with 12.4 and 15.1. We have spoken to TAC at length, who weren't able to shed any light on what the issue was. Admittedly it was difficult due to limited downtime.
Looking through the many examples, it seems pretty straight forward, but I've now grown a full beard in the time I've spent trying to get it to work.
The crux of the problem is that NAT appears to be applying the wrong WAN IP for PBR traffic and thus the provider is dropping the traffic, as expected.
Debugging the NAT translations confirms that the wrong IP is applied and only removing the ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload seems to get it to switch to the correct IP and traffic flows as expected. But upon applying the command back, it breaks again.
As a last-ditch attempt, we've stripped down the config to the basics hoping to identify some culprit command/setting, but still hitting a brick wall. If someone can identify the issue, they're in for a treat.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco877W
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
enable secret xxxx
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin privilege 15 password xxxxxx
!
archive
log config
hidekeys
!
ip ssh version 1
!
interface ATM0
description (ATM0) ADSL2+
no ip address
load-interval 30
no atm ilmi-keepalive
hold-queue 4096 in
!
interface ATM0.1 point-to-point
description (ATM0.1) ADSL2+
no ip redirects
no ip proxy-arp
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
interface FastEthernet0
description (FastEthernet0) VLAN1 LAN
!
interface FastEthernet1
description (FastEthernet1) VLAN1 LAN
!
interface FastEthernet2
description (FastEthernet2) VLAN1 LAN
!
interface FastEthernet3
description (FastEthernet3) VLAN4 WiMax (ISP2)
switchport access vlan 4
!
interface Vlan1
description (VLAN1) LAN
ip address zz.xx.yy.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
interface Vlan4
description WiMax
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer0
description (Dialer0) ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password xxxxx
!
interface Dialer1
description (Dialer1) WiMax
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload
ip nat inside source route-map NAT-WIMAX interface Dialer1 overload
!
ip access-list extended LOCAL-LAN
permit ip zz.xx.yy.0 0.0.1.255 any
ip access-list extended WIMAX-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
!
access-list 5 remark Secure Admin Hosts
access-list 5 permit zz.xx.yy.0 0.0.1.255
access-list 5 deny any log
access-list 100 permit ip zz.xx.yy.0 0.0.1.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map NAT-WIMAX permit 10
match ip address LOCAL-LAN
!
route-map PBR permit 10
match ip address WIMAX-TRAFFIC
set interface Dialer1
!
route-map PBR permit 20
match ip address LOCAL-LAN
set interface Dialer0
!
route-map NAT-ADSL2 permit 10
match ip address LOCAL-LAN
set interface Dialer0
!
!
control-plane
!
!
line con 0
no modem enable
escape-character 3
line aux 0
access-class 5 in
line vty 0 4
session-timeout 60
access-class 5 in
exec-timeout 60 0
privilege level 15
login local
transport input ssh
escape-character 3
!
scheduler max-task-time 5000
end
10-25-2012 08:54 AM
Hi,
Can you try with these modifications:
route-map NAT-WIMAX permit 10
match ip address LOCAL-LAN
match interface dialer1
!
route-map PBR permit 10
match ip address WIMAX-TRAFFIC
set interface Dialer1
route-map PBR permit 20
match ip address LOCAL-LAN
set interface Dialer0
!
route-map NAT-ADSL2 permit 10
match ip address LOCAL-LAN
match interface Dialer0
Regards.
Alain
Don't forget to rate helpful posts.
10-25-2012 04:42 PM
Okay tried adding the set interface. Still no go.
interface Vlan1
description (VLAN1) LAN
ip address xx.yy.zz.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description WiMax
no ip address
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxxx
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password xxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source route-map NAT-ADSL2 interface Dialer0 overload
ip nat inside source route-map NAT-WIMAX interface Dialer1 overload
!
ip access-list extended LOCAL-LAN
permit ip xx.yy.zz.0 0.0.1.255 any
ip access-list extended WIMAX-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp
permit ip any host 8.8.8.8
permit ip host 8.8.8.8 any
!
access-list 7 permit 8.8.8.8
access-list 100 permit ip xx.yy.zz.0 0.0.1.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map NAT-WIMAX permit 10
match ip address LOCAL-LAN
set interface Dialer1
!
route-map PBR permit 10
match ip address WIMAX-TRAFFIC
set interface Dialer1
!
route-map PBR permit 20
match ip address LOCAL-LAN
set interface Dialer0
!
route-map NAT-ADSL2 permit 10
match ip address LOCAL-LAN
set interface Dialer0
!
Here is what I see in the nat debug with and without ip policy route-map PBR on vlan1
a.b.c.d = Dialer0 IP
zz.xx.yy.1 = vlan1 IP
As you can see, the same IP is being applied regardless of PBR. I'm at a loss what is going on. There must be a simple answer.
*Oct 25 23:22:55.271: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16025]
*Oct 25 23:22:56.219: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13741]
*Oct 25 23:22:56.271: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16026]
*Oct 25 23:22:57.219: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13745]
*Oct 25 23:22:57.267: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16027]
*Oct 25 23:22:58.215: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13750]
*Oct 25 23:22:58.267: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16028]
*Oct 25 23:22:59.215: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [13753]
*Oct 25 23:22:59.263: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16029]
*Oct 25 23:23:39.040: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (zz.xx.yy.47)
*Oct 25 23:23:46.590: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14049]
*Oct 25 23:23:51.455: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14089]
*Oct 25 23:23:56.444: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14104]
*Oct 25 23:24:01.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14112]
*Oct 25 23:24:06.447: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14126]
*Oct 25 23:24:11.452: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14143]
*Oct 25 23:24:16.445: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14162]
*Oct 25 23:24:21.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14174]
*Oct 25 23:24:47.184: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (zz.xx.yy.47)
*Oct 25 23:24:49.897: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14368]
*Oct 25 23:24:49.945: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16030]
*Oct 25 23:24:50.885: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14371]
*Oct 25 23:24:50.933: NAT*: s=8.8.8.8, d=a.b.c.d->zz.xx.yy.47 [16031]
*Oct 25 23:24:51.885: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [14374]
10-25-2012 10:41 AM
Hello
In addition to what has been pointed out, is it enough to have a single unconditional default route?
If ADSL is down, according to me your default route should point toward Dialer1:
For instance you could use ip sla/tracking:
ip sla 15
icmp-echo 8.8.8.8 source-interface Dialer0
timeout 2000
frequency 5
ip sla schedule 15 life forever start-time now
track 17 rtr 15 reachability
delay down 10 up 20
ip route 0.0.0.0 0.0.0.0 Dialer0 track 17
ip route 0.0.0.0 0.0.0.0 Dialer1 200
Kind regards
Francesco
10-25-2012 04:47 PM
I don't think this has anything to do with the route table, as putting in a static route to 8.8.8.8 via Dialer1 doesn't change the results from above. Packets still egress Dialer1 with the IP of Dialer0.
ip route 8.8.8.8 255.255.255.255 dialer1
*Oct 25 23:42:47.457: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [19822]
*Oct 25 23:42:52.454: NAT*: s=zz.xx.yy.47->a.b.c.d, d=8.8.8.8 [19871]
10-26-2012 08:57 PM
Perhaps someone knowledgeable can shed some light on how Cisco's NAT implementation chooses the source IP and what might be done to fix this behaviour.
Another point worth noting: most examples use route-maps with set ip next-hop rather than set interface (P2P interfaces only). Perhaps the two work differently.
I really don't want to use a second router in order to use set ip next-hop, but will for a test to see if I can get this to work.
10-27-2012 01:24 AM
Hi Rob,
I had added a match interface statement in your NAT route-maps, not a set interface, because routing is always done before NAT.
So try with what I had proposed, debug it and send the results here.
Regards.
Alain
Don't forget to rate helpful posts.
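To make Alain's point concrete, here is an added example that is not from the thread and not Cisco code: a constructed, simplified Python model of the order IOS applies a PBR route-map on the inside interface and then a NAT route-map on the way out. NAT runs after the routing decision and only reads a route-map's match clauses, so a set interface inside NAT-ADSL2 or NAT-WIMAX does nothing and the first map whose ACL matches the LAN source wins for every packet; match interface ties each NAT map to the egress interface PBR actually chose. The addresses (a.b.c.d for Dialer0, an assumed e.f.g.h for Dialer1, 203.0.113.10 as a destination) and the assumption that NAT maps are tried in configured order are constructed for the model.

```python
# Added example (not from the thread or from Cisco): a constructed, simplified model
# of how IOS evaluates a PBR route-map and then a NAT route-map, to show why the
# NAT route-maps need "match interface" rather than "set interface".
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


# Constructed addresses: the thread masks Dialer0's negotiated address as a.b.c.d;
# e.f.g.h is an assumed placeholder for Dialer1.
INTERFACE_ADDR: Dict[str, str] = {"Dialer0": "a.b.c.d", "Dialer1": "e.f.g.h"}


def in_local_lan(ip: str) -> bool:
    # Stands in for "permit ip zz.xx.yy.0 0.0.1.255 any"
    return ip.startswith("zz.xx.yy.")


# The thread's ACLs rewritten as predicates (WIMAX-TRAFFIC as in the second post)
ACLS: Dict[str, Callable[[Packet], bool]] = {
    "LOCAL-LAN": lambda p: in_local_lan(p.src),
    "WIMAX-TRAFFIC": lambda p: (p.proto == "tcp" and p.dport in (80, 443, 21))
                               or p.dst == "8.8.8.8",
}


@dataclass(frozen=True)
class Entry:
    """One route-map sequence: match clauses plus an optional set interface."""
    match_acl: Optional[str] = None
    match_interface: Optional[str] = None
    set_interface: Optional[str] = None

    def matches(self, pkt: Packet, egress: Optional[str] = None) -> bool:
        if self.match_acl and not ACLS[self.match_acl](pkt):
            return False
        if self.match_interface and self.match_interface != egress:
            return False
        return True


def policy_route(pbr: List[Entry], pkt: Packet, default_egress: str = "Dialer0") -> str:
    """PBR on the inside interface: the first matching sequence sets the egress.
    Non-matching packets fall through to the routing table (here: the default route)."""
    for e in pbr:
        if e.matches(pkt):
            return e.set_interface or default_egress
    return default_egress


NatMap = Tuple[List[Entry], str]  # (route-map sequences, "interface DialerX overload")


def nat_source(nat_maps: List[NatMap], pkt: Packet, egress: str) -> str:
    """'ip nat inside source route-map X interface Y overload': NAT runs after the
    routing decision and consults only the route-map's match clauses; a set
    interface clause is ignored. Assumption: maps are tried in configured order."""
    for entries, iface in nat_maps:
        if any(e.matches(pkt, egress) for e in entries):
            return INTERFACE_ADDR[iface]
    return pkt.src  # no translation


def forward(pbr: List[Entry], nat_maps: List[NatMap], pkt: Packet) -> Tuple[str, str, bool]:
    """Return (egress interface, translated source, whether the two are consistent)."""
    egress = policy_route(pbr, pkt)
    src = nat_source(nat_maps, pkt, egress)
    return egress, src, src == INTERFACE_ADDR[egress]


PBR = [Entry(match_acl="WIMAX-TRAFFIC", set_interface="Dialer1"),
       Entry(match_acl="LOCAL-LAN", set_interface="Dialer0")]

# The poster's NAT route-maps: "set interface" does nothing here, so NAT-ADSL2
# matches every LAN source first and Dialer0's address is used for all traffic.
NAT_BROKEN = [([Entry(match_acl="LOCAL-LAN", set_interface="Dialer0")], "Dialer0"),
              ([Entry(match_acl="LOCAL-LAN", set_interface="Dialer1")], "Dialer1")]

# Alain's fix: "match interface" ties each NAT map to the egress chosen by PBR/routing.
NAT_FIXED = [([Entry(match_acl="LOCAL-LAN", match_interface="Dialer0")], "Dialer0"),
             ([Entry(match_acl="LOCAL-LAN", match_interface="Dialer1")], "Dialer1")]

if __name__ == "__main__":
    https = Packet("zz.xx.yy.47", "203.0.113.10", "tcp", 443)  # constructed destination
    ssh = Packet("zz.xx.yy.47", "203.0.113.10", "tcp", 22)
    for name, maps in (("broken", NAT_BROKEN), ("fixed", NAT_FIXED)):
        for pkt in (https, ssh):
            egress, src, ok = forward(PBR, maps, pkt)
            print(f"{name:6} dport={pkt.dport:<3} egress={egress} "
                  f"nat-src={src} {'OK' if ok else 'MISMATCH'}")
```

Running it reproduces the symptom in the debug output above: with the broken maps an HTTPS packet is policy-routed out Dialer1 but leaves with Dialer0's address (the MISMATCH case the upstream ISP drops), while with match interface the translated source follows the egress interface for both the PBR'd traffic and the default-routed traffic.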
10-28-2012 08:13 PM
Hi Alain,
Thanks for pointing that out. Think I've been looking at this too long and totally missed the match/set thing.
Will give this a go and let you know.
Rob
10-28-2012 11:05 PM
I think that's done the trick, Alain. Just going to test it a bit further and will let you know. In the past it has worked, then after a reload or one of the interfaces flapping/bouncing, it stopped working.
Will advise.
Once again, thanks for the help and your eye for detail.
Rob