IP NAT Inside multiple ISP

felix.reyner
Level 1

Hi,

I would like to ask: if I have 2 blocks of IP addresses, from ISP 1 and ISP 2, and I would like to make 2 inside NATs map to one web server, let's say:

100.0.0.10 (ip ISP 1) and 200.0.0.10 (ip ISP 2) to map to my web server.

My question is: let's say I have 2 default routes (0.0.0.0/0) to both my ISPs. How do I make a route map so that if a client comes from ISP 1 and accesses the NAT of my web server (100.0.0.10), the response from my web server goes back to ISP1 and does not use ISP2?

7 Replies

e.ciollaro
Level 4

Hi,

Let me understand: do you want to prevent traffic in response to requests from ISP1 from using the link to ISP2, or are you just worried that traffic gets a "wrong NAT" if it goes out using the link to ISP2?

enrico

I believe that the original post was reasonably clear that there is a single server inside with a single private IP address, and that he wants that server to be accessible from outside using either of the two ISP, and that he wants to be sure that response traffic from the server goes out over the same ISP that originated the traffic. Unfortunately I do not believe that there is a way to accomplish this.

When there is a server inside that you want to be accessible from outside then the solution is to create a static NAT which associates the private IP of the server with a Public IP. This works quite well when there is a single server address and a single Public address. But when we attempt to add a second Public IP then it becomes problematic. We would need to create a second static NAT. And I believe that IOS will reject the configuration command that attempts to create a second static NAT using the same inside IP address.

Is there any possibility of creating a second IP address for the server? (perhaps a second NIC) If there were a second address on the server then it seems possible to create a second NAT. And then it might be possible to use something like PBR to make sure that responses from the first server IP use ISP1 while responses from the second server IP use ISP2.

HTH

Rick 


Hi Richard,

I was just wondering why Felix wants two IP addresses; it seems to me that it could be just a way to avoid asymmetric routing. In any case, if he needs to NAT with two different IP addresses, it could be better to have the ISPs connected to two routers (this could help to improve availability).

Bye,

enrico

Enrico

It would be best if Felix provides clarification. But it would appear to be a fairly common situation where an enterprise chooses to have two ISP for Internet connectivity and each ISP provides a block of IP addresses.

Two address blocks work pretty well as long as we are doing dynamic address translation. But what Felix describes is a single server inside which needs to be accessible to Internet resources. That requires static address translation. And in my experience static address translation with a single address works fine but attempts to do two static translations for the same inside address do not work.

While the idea of having two routers would improve the redundancy and availability with 2 ISP I do not see that it provides any solution for trying to do two static address translations for the same inside IP address.

HTH

Rick 


Hello,

As far as I understood, the OP is concerned about the HTTP response. The OP needs traffic coming from ISP1 to go back to ISP1 and traffic coming from ISP2 to go back to ISP2. Richard's idea about having the second IP and a route-map is the solution.

Server IP addresses

192.168.1.2

192.168.1.3

Router config

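! Inside interface: policy routing is applied here, where the server's replies enter the router
interface FastEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map WAN

! Link to ISP1
interface FastEthernet0/0
 ip address 100.0.0.2 255.255.255.0
 ip nat outside

! Link to ISP2
interface FastEthernet1/0
 ip address 200.0.0.2 255.255.255.0
 ip nat outside

! One static translation per server address, one public address per ISP
ip nat inside source static 192.168.1.2 100.0.0.2
ip nat inside source static 192.168.1.3 200.0.0.2

! Standard ACLs matching each server source address
access-list 20 permit 192.168.1.2
access-list 30 permit 192.168.1.3

! Replies sourced from 192.168.1.2 leave via ISP1
route-map WAN permit 10
 match ip address 20
 set ip next-hop 100.0.0.1

! Replies sourced from 192.168.1.3 leave via ISP2
route-map WAN permit 20
 match ip address 30
 set ip next-hop 200.0.0.1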

**************************************

Hope it helps,

Masoud
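
The reply path that the configuration above produces, modelled as an added example (not part of the original post, and not Cisco code). The addresses are the ones in the post; the function names are made up for this sketch, and the rule that each ISP only forwards packets sourced from its own block is an assumption used to show why a reply sent out the wrong link is lost.

```python
import ipaddress

# Constructed model of the router in the post above (addresses taken from the post).
STATIC_NAT = {"192.168.1.2": "100.0.0.2", "192.168.1.3": "200.0.0.2"}  # inside local -> inside global
PBR = [("192.168.1.2", "100.0.0.1"), ("192.168.1.3", "200.0.0.1")]    # route-map WAN: source -> next hop
ISP_BLOCK = {"100.0.0.1": ipaddress.ip_network("100.0.0.0/24"),
             "200.0.0.1": ipaddress.ip_network("200.0.0.0/24")}


def inbound(dst_public):
    """Outside-to-inside: undo the static NAT to find which server address gets the request."""
    for local, public in STATIC_NAT.items():
        if public == dst_public:
            return local
    return None


def outbound(src_local, default_next_hop, pbr_enabled=True):
    """Inside-to-outside: policy routing picks the next hop first, then NAT rewrites the source."""
    next_hop = default_next_hop
    if pbr_enabled:
        for match_src, hop in PBR:
            if src_local == match_src:
                next_hop = hop
                break
    src_public = STATIC_NAT.get(src_local, src_local)
    return src_public, next_hop


def passes_source_filter(src_public, next_hop):
    """Assumption: each ISP drops packets whose source is outside its own block."""
    return ipaddress.ip_address(src_public) in ISP_BLOCK[next_hop]


def reply_path(dst_public, default_next_hop, pbr_enabled=True):
    """Follow one request to the server and its reply back out of the router."""
    server = inbound(dst_public)
    src_public, next_hop = outbound(server, default_next_hop, pbr_enabled)
    return {"server": server, "src": src_public, "next_hop": next_hop,
            "delivered": passes_source_filter(src_public, next_hop)}


if __name__ == "__main__":
    for public in ("100.0.0.2", "200.0.0.2"):
        print("PBR on :", reply_path(public, "100.0.0.1"))
        print("PBR off:", reply_path(public, "100.0.0.1", pbr_enabled=False))
```

With policy routing disabled and the default route pointing at ISP1, the reply to a request that arrived on 200.0.0.2 leaves via 100.0.0.1 with an ISP2 source address, which is the case the original question wants to avoid.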

Hi,

Thank you, I think that is the best solution I could think of. Thanks Masoud :)

I am glad the answer was helpful.

Masoud
