10-30-2015 01:22 AM - edited 03-05-2019 02:37 AM
Hi Gurus,
The client decided to go for backup connectivity to branches and contacted a private service provider who has set up the backup connectivity for all the branches having ADSL links + his own manufactured modems.
Please go through the attachment.
The branch Routers [B, C, and D] have been configured with IP NAT INSIDE and IP NAT OUTSIDE command.
These commands have been configured by the Private_Standby_link_provider for users to get internet access and also head office (H.O.) connectivity through his own network in case the primary link fails.
The issue:-
When the primary link is UP, users from branches [B, C and D] are not able to access the internet from the H.O.
But as soon as I disable/delete the NAT commands, branch users start getting Internet access from the H.O.
Tried solution:-
Tried to do NAT 0 or nonat on the ASA 5510, but it's no help.
P1)
The ADSL router in H.O. is performing NAT/PAT for LAN users.
Please advise.
Thanks in advance.
AM
10-30-2015 12:38 PM
So do all users use the ADSL router at the main site for internet ?
If the backup link connects to a different interface on the branch routers are you saying traffic is still being translated even if it uses the primary link or are you just not getting any traffic from the remote sites ?
If it is a different connection the IPs should not be translated.
How is the failover routing setup on the branch routers ?
If the traffic is being translated then you say you have done a NAT exemption on the firewalls, so it is either the ADSL router not being set up to NAT those IPs or the firewall rules could be blocking it.
Basically going to need a lot more information as you can see from the above, especially one of the remote router configurations to understand what is going on.
Jon
10-30-2015 11:49 PM
Hello Jon,
Thanks for replying,
1)So do all users use the ADSL router at the main site for internet ?
Ans:-YES..
2)If the backup link connects to a different interface on the branch routers are you saying traffic is still being translated even if it uses the primary link or are you just not getting any traffic from the remote sites ?
Ans:- I am getting all the traffic from branches, but only when it comes to internet access do I have the issue that the users do not get internet access.
Following configuration of Backup link:-
interface FastEthernet0/0
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.11
description "Private ISP"
encapsulation dot1Q 11
ip address 2.2.2.1 255.255.255.252
ip nat outside
ip virtual-reassembly
3)If it is a different connection the IPs should not be translated.
Ans:- I guess the Private ISP has directly inserted his modem connectivity into the LAN switch.... that's what I can make out from the above config.
4)How is the failover routing setup on the branch routers ?
Ans:-
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 0.0.0.0 0.0.0.0 2.2.2.2 100
5)If the traffic is being translated then you say you have done a NAT exemption on the firewalls so it is either the ADSL router not being setup to NAT those IPs or the firewall rules could be blocking it.
Ans:- The ADSL router has been set up to do NAT because the main branch (H.O.) is accessing the internet 24/7 ... also when I remove the NAT commands from the branch routers ... branch users get Internet access via the main branch (H.O.). And the NATting / PATting is done by the ADSL router at the main branch (H.O.).
6)Basically going to need a lot more information as you can see from the above, especially one of the remote router configurations to understand what is going on.
Ans:- Please find the attachment for one of the branch configurations.
10-31-2015 07:19 AM
Thanks for the detailed answers.
So the NAT setup is translating all the 192.168.2.0/24 IPs to a pool using 172.30.1.4 - 7.
This NAT is applied to both the fa0/0.11 subinterface which I am assuming is for the backup link but also to your main serial interface.
What this means is you will not see the 192.168.2.x IPs at the main site.
If you removed "ip nat outside" from your serial interface I suspect it would then work on the main connection.
It may be worth testing this for connectivity via the main link, but that wouldn't necessarily mean backup would work.
What we need to do is work out whether it is your firewall or ADSL router that has a problem with the 172.30.1.x IPs.
If it is then you can fix it quite easily and you could either remove the "ip nat outside" from the serial interface or not, up to you as far as I can see.
If it is not your firewall or router then I suspect what may be happening is when the main connection is up traffic comes to your main office and the source IPs are 172.30.1.x.
The return traffic though may be being sent via the backup link and depending on how the backup link is setup that may not work.
Is the backup link over the internet using a VPN tunnel or is it a private connection ?
What is really unclear is why the provider has to do NAT on your router because 172.30.1.x IPs are still private IPs so I can't see the logic of why they are doing that.
When they did this did you or they have to make any changes at the main office ie. on the main office router ?
Can you explain a bit more about the provider backup link if you can ?
It may just be the NAT configuration needs modifying or it may be a routing issue etc. but I have to assume at the moment that all the configuration is there for a reason.
Sorry for all the questions but I want to be sure what is happening before suggesting changes.
Jon
11-02-2015 10:53 PM
Hello Jon,
Q)So the NAT setup is translating all the 192.168.2.0/24 IPs to a pool using 172.30.1.4 - 7.
Ans:- No. Not all of 192.168.2.0 is translated to 172.30.1.4 - 7.
Only a few of the 192.168.2.0 hosts, like .200, .201 and .105, are translated to 172.30.1.4 - 7.
Q)This NAT is applied to both the fa0/0.11 subinterface which I am assuming is for the backup link but also to your main serial interface.
Ans:- Yes. Fa0/0.11 is backup to serial link.
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 0.0.0.0 0.0.0.0 2.2.2.2 100
Fast Ethernet 0/0 is LAN interface.
Q)What this means is you will not see the 192.168.2.x IPs at the main site?
Ans:- When the primary link is up, I can see all the branches accessing servers at the main site (H.O.) via the Cisco 2811 router and Cisco 5510 firewall.
As I said earlier everything is working fine except the internet.
Q)What we need to do is work out whether it is your firewall or ADSL router that has a problem with the 172.30.1.x IPs.
Ans:- As my branches are reaching the servers at H.O. and are not able to access the internet via the ASA, there's an issue with the ASA, but how do I fix it? I even tried to solve it by NAT 0 or nonat... but it's not working.... What am I missing? That is what I am trying to understand.
Because as soon as I remove the NAT commands on the branch routers, branch users start getting Internet access but they lose connectivity to the servers.
Q)If it is not your firewall or router then I suspect what may be happening is when the main connection is up traffic comes to your main office and the source IPs are 172.30.1.x.?
Ans:- When the primary link is up and I do a traceroute from the branch router to a global DNS IP e.g. 8.8.8.8, I get reachability till my router and then it drops... maybe because a reverse ICMP access list is not defined.
But as I said earlier, the IPs are not in the range of 172.30.x.x but are the real 192.168.2.0/24 series.
Q)Is the backup link over the internet using a VPN tunnel or is it a private connection ?
I am not sure on this, but as I can see through the router config, I don't see any VPN config. Also since that is his own private network setup... my query is, since the route is defined with AD 100... all the packets are anyway going through the primary link.
Will soon resolve all other queries...
Thanks again for giving your time.
AM
11-03-2015 05:37 AM
Can you post a "sh ip nat translations" from the remote router ?
Jon
11-03-2015 05:48 AM
Looking at the configuration on the router you sent, all 192.168.2.x IPs should be getting translated to 172.30.x.x, i.e. whether they go out via the serial interface which is the primary link or the backup link, i.e. from your configuration -
"ip nat pool BCD 172.30.1.4 172.30.1.7 netmask 255.255.255.252"
"ip nat inside source list 102 pool BCD overload"
"access-list 102 permit ip 192.168.2.0 0.0.0.255 any"
the above says match any 192.168.2.x IP and translate it to one of the 172.30.1.x IPs.
So if you are seeing 192.168.2.x IPs at the main office something isn't right.
Jon
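One way to keep the provider's translation for the backup path only, so the H.O. sees the real 192.168.2.x sources over the primary link while the pool is still used when traffic leaves via the backup subinterface. This is an added example, not configuration from the thread or from the provider; it reuses the pool BCD, access-list 102 and the interface names quoted above, assumes the rest of the branch router configuration is unchanged, and goes beyond the thread by using a route-map with an interface match instead of simply removing "ip nat outside" from the serial interface.

```cisco
! Added example (not from the thread): translate 192.168.2.0/24 only
! when the packet egresses via the backup subinterface FastEthernet0/0.11.
! Assumes pool BCD and access-list 102 exist as quoted in the thread.
!
! 1. Remove the unconditional rule, which matches any 192.168.2.x source
!    regardless of which outside interface the packet leaves on.
no ip nat inside source list 102 pool BCD overload
!
! 2. Pool and ACL are unchanged from the thread.
ip nat pool BCD 172.30.1.4 172.30.1.7 netmask 255.255.255.252
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
! 3. Both match clauses must be true: LAN source AND backup egress interface.
!    Traffic routed out Serial0/1/0 (primary, AD 1) fails the interface
!    match and is forwarded untranslated, even though Serial0/1/0 is
!    still marked "ip nat outside".
route-map NAT-BACKUP permit 10
 match ip address 102
 match interface FastEthernet0/0.11
!
! 4. Bind the translation to the route-map instead of the bare ACL.
ip nat inside source route-map NAT-BACKUP pool BCD overload
!
! Interface roles stay as posted: LAN is inside, both WAN paths outside.
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/0.11
 ip nat outside
!
interface Serial0/1/0
 ip nat outside
!
! Verification from the branch router:
!   show ip nat translations   -> entries for 172.30.1.4-7 should appear
!                                only while the AD 100 backup route is active
!   show route-map NAT-BACKUP  -> the match counter rises only for
!                                traffic that left via FastEthernet0/0.11
!   clear ip nat translation * -> run after the change so stale entries
!                                built under the old rule do not linger
```

With this in place the ASA at the H.O. only ever sees 192.168.2.0/24 sources on the primary path, so any NAT exemption there needs to cover that range rather than 172.30.1.x.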