11-12-2013 12:36 PM - edited 03-04-2019 09:33 PM
I'm having issues trying to do dual NAT with PBR and was hoping for some insight. Our network has a Barracuda as well (not inline) that may be complicating things.
As it stands, things mostly work but VLAN2 is unable to access certain hosts (cisco.com, msn.com, etc.). Any help would be greatly appreciated!
interface GigabitEthernet0/2/0
description LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
negotiation auto
!
interface GigabitEthernet0/2/0.1
description Native Vlan for ProCurve Management
encapsulation dot1Q 1 native
ip address 172.20.1.100 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map ISP_MAP
no cdp enable
!
interface GigabitEthernet0/2/0.2
encapsulation dot1Q 2
ip address 10.78.17.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map ISP2_MAP
interface GigabitEthernet0/3/0.554
description ICN Internet
encapsulation dot1Q 554
ip address 1.1.1.206 255.255.255.252
ip access-group INPUT_ACL in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/3/0.555
description OPT-E-MAN
encapsulation dot1Q 555
ip address 10.100.20.1 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map barracuda-redirect
no cdp enable
!
interface GigabitEthernet0/3/0.1528
description AT&T Internet
encapsulation dot1Q 1528
ip address 2.2.2.2.54 255.255.255.252
ip access-group INPUT_ACL in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.205
ip route 0.0.0.0 0.0.0.0 2.2.2.53 10
!
ip nat inside source route-map ATT_MAP interface GigabitEthernet0/3/0.1528 overload
ip nat inside source route-map ICN_MAP interface GigabitEthernet0/3/0.554 overload
!
route-map ICN_MAP permit 10
match ip address LOCAL-LAN
set interface GigabitEthernet0/3/0.554
!
route-map ATT_MAP permit 10
match ip address LOCAL-LAN
set interface GigabitEthernet0/3/0.1528
!
route-map barracuda_in permit 10
match ip address filter_acl_in
set ip next-hop 10.78.17.254
!
route-map barracuda-redirect permit 10
match ip address traffic filter_acl
set ip next-hop 10.78.17.254
!
route-map ISP_MAP permit 10
match ip address filter_acl
set ip next-hop 10.78.17.254
!
route-map ISP_MAP permit 11
match ip address NAT_ACL
match interface GigabitEthernet0/3/0.554
!
route-map ISP2_MAP permit 10
match ip address ATT_NAT
match interface GigabitEthernet0/3/0.1528
!
ip access-list extended ATT_NAT
permit ip 10.78.17.0 0.0.0.255 any
deny ip any any
!
ip access-list extended NAT_ACL
permit ip 172.0.0.0 0.0.0.255 any
deny ip any any
!
ip access-list extended filter_acl
deny ip host barracuda-host any
permit tcp any any eq 80
permit tcp any any eq 443
!
ip access-list extended LOCAL-LAN
permit ip 172.20.0.0 0.0.255.255 any
permit ip 10.78.17.0 0.0.0.255 any
!
!ip access-list extended INPUT_ACL
deny ip any any
ip inspect name firewall http java-list 10
ip inspect name firewall https
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall dns
ip inspect name firewall ntp
ip inspect name firewall tftp
ip inspect name firewall realaudio
ip inspect name firewall pptp
!
access-list 10 permit any any
!
!
When I debug policy, I do see several of these:
092166: *Nov 12 14:46:28.024 CST: CEF-IP-POLICY: fib for addr 2.2.2.53 is default; Nexthop rejected
11-12-2013 03:36 PM
I see a couple of things, though I cannot say for sure that they cause your symptoms.
First is that you are using the same route map on the interface for Policy Based Routing and on the address translation statements. It is much better to have separate route maps for the two functions.
Second, when you use route maps to do address translation for two interfaces (and two ISPs), you should have two match statements, one that matches the interface and one that matches the address, and you do not need set statements in the route map for address translation.
Also your interfaces to the ISP both use the same inbound access list INPUT_ACL but you do not show us what is in that ACL.
HTH
Rick
11-12-2013 03:50 PM
Thanks for replying.
I have since created a 2nd set of route-maps for the nat overload statements; no change.
So to understand you, I should change it to this?
route-map ISP_MAP permit 11
match ip address NAT_ACL
match interface GigabitEthernet0/3/0.554
!
route-map ISP2_MAP permit 10
match ip address ATT_NAT
match interface GigabitEthernet0/3/0.1528
Thanks for taking a look and any insight you have
Also, quick question: If I try to ping a not-working host from the router and specify the 2nd ISP (either IP or interface name) I'm not able to ping certain hosts, although others work. The route-maps should not affect this, correct? I'm wondering if I'm dealing with an ISP issue here.
EDIT: I was mistaken, I have now applied the above and things remain the same. Will leave it the way you recommend.
EDIT2: Added ip inspect firewall entries to above. INPUT_ACL shouldn't matter, only allowing some ports for servers external access. Updated config in first post.
11-12-2013 06:54 PM
I am glad that you took my advice about separate route maps for PBR and for address translation. But apparently my explanation about how to do it was not clear. Assuming that the config in the original post has been updated and is current then I will ask you to change it.
You are still using ISP_MAP and ISP2_MAP for PBR. For this purpose each route map should have a single match clause which matches addresses for a particular subnet and a single set statement which sets the next hop to be the appropriate ISP. What you have done is to remove the set next hop and inserted a second match on interface. To fix this remove the match interface from these two route maps and re-apply the set ip next-hop.
You created new route maps for address translation, ICN_MAP and ATT_MAP, which is a good start. Both route maps use the same access list (LOCAL-LAN) to match addresses. But each of these route maps should have its own unique access list that matches only the traffic for that interface. And it should have a second match statement that matches its appropriate interface. But you have configured them with set statements that set the interfaces. To fix these route maps, change the match address so that each route map has its own unique access list that matches its subnet, and change the set interface clause to a match clause that matches the interface.
HTH
Rick
11-12-2013 07:19 PM
The below unfortunately breaks internet access for LAN clients, which is restored if I set ICN_MAP and ATT_MAP back to using set instead of match.
route-map ISP_MAP permit 11
match ip address NAT_ACL
set ip next-hop 1.1.1.205
!
route-map ISP2_MAP permit 10
match ip address ATT_NAT
set ip next-hop 2.2.2.53
!
route-map ATT_MAP permit 10
match ip address LOCAL-LAN-ATT
match interface GigabitEthernet0/3/0.1528
!
route-map ICN_MAP permit 10
match ip address LOCAL-LAN-ICN
match interface GigabitEthernet0/3/0.554
!
ip access-list extended LOCAL-LAN-ATT
permit ip 10.0.0.0 0.255.255.255 any
!
ip access-list extended LOCAL-LAN-ICN
permit ip 172.20.0.0 0.0.255.255 any
11-12-2013 07:45 PM
I am surprised that doing what I suggested breaks internet access. I wonder if the issue is in your LOCAL-LAN-ATT, which matches any source address in network 10. I see that you have at least two interfaces with subnets in network 10. Do you mean for both of them to be included here for address translation?
Are you saying that hosts in the 172.20.0.0 subnet were also impacted by this?
Thinking about that question made me go back to the original post to see what was in NAT_ACL and I found this
ip access-list extended NAT_ACL
permit ip 172.0.0.0 0.0.0.255 any
deny ip any any
which will match 172.0.0 but the configured address of the interface is 172.20.1
So maybe that explains part of the issue for that subnet.
HTH
Rick
11-12-2013 07:52 PM
Interestingly, the 172.20.0.0 network works fine. (The one ACL is for a point to point connection not shown here that goes to this router for NAT. 172.16.0.0 for example). It's only that 2.2.2.53 connection having the issues.
10.78.17.0 255.255.255.0 is our VLAN2 LAN we want the new connection being used on (Which is having the problem where not all hosts are reachable)
10.100.0.0 255.255.0.0 is for that point to point where the 172.16.0.0 resides (Didn't include the static routes in this config for this since I'm only concerned with the local VLAN2/ATT connection at the moment)
I appreciate your help, thank you!
11-12-2013 08:02 PM
Thanks for the update. Given what I thought I was seeing I am surprised that 172.20.0 network works fine but if it is then I must have misunderstood something. Would it be possible to post an updated version of what is in the config and a description of what currently is working and not working?
As a side note - the things we are talking about here I would expect to have the effect that a subnet works or does not work. I am not convinced that these will explain the symptoms that some hosts are affected. But until we get these things resolved I am not sure how to get to the individual issues.
HTH
Rick
11-12-2013 11:47 PM
Hey Richard
I found part of the problem.
route-map ISP2_MAP permit 10
match ip address ATT_NAT
set ip next-hop 2.2.2.53
The above was pointing at the wrong default gateway. Now that I have it set to the correct default gateway for that network, internet access does not work in the original config or the above suggestions you made.
I'm going to re-post the config with less stripped out in the hopes something will pop out.
Thanks!
interface GigabitEthernet0/2/0
description LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
negotiation auto
!
interface GigabitEthernet0/2/0.1
description Native Vlan for ProCurve Management
encapsulation dot1Q 1 native
ip address 172.20.1.100 255.255.0.0
ip access-group OUTPUT_ACL in
ip nat inside
ip virtual-reassembly
ip policy route-map ISP_MAP
no cdp enable
!
interface GigabitEthernet0/2/0.2
encapsulation dot1Q 2
ip address 10.78.17.1 255.255.255.0
ip access-group OUTPUT_ACL in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip policy route-map ISP2_MAP
!
interface GigabitEthernet0/2/0.666
encapsulation dot1Q 666
ip address 172.66.0.1 255.255.0.0
ip access-group GUEST_ACL out
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/2/0.847
encapsulation dot1Q 847
ip address 172.30.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/3/0
description Fibre to ATT
no ip address
negotiation auto
!
interface GigabitEthernet0/3/0.554
description ICN Internet
encapsulation dot1Q 554
ip address 1.1.1.206 255.255.255.252
ip access-group INPUT_ACL in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/3/0.555
description OPT-E-MAN
encapsulation dot1Q 555
ip address 10.100.20.1 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map barracuda-redirect
no cdp enable
!
interface GigabitEthernet0/3/0.1528
description AT&T Internet
encapsulation dot1Q 1528
ip address 2.2.35.54 255.255.255.252
ip access-group INPUT_ACL in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.205
ip route 0.0.0.0 0.0.0.0 2.2.34.53
ip route 172.16.0.0 255.255.0.0 10.100.16.1
ip nat inside source route-map ATT_MAP interface GigabitEthernet0/3/0.1528 overload
ip nat inside source route-map ICN_MAP interface GigabitEthernet0/3/0.554 overload
ip access-list extended ATT_NAT
permit ip 10.78.17.0 0.0.0.255 any
deny ip any any
ip access-list extended LOCAL-LAN
permit ip 172.20.0.0 0.0.255.255 any
permit ip 10.78.17.0 0.0.0.255 any
ip access-list extended LOCAL-LAN-ATT
permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended LOCAL-LAN-ICN
permit ip 172.20.0.0 0.0.255.255 any
ip access-list extended NAT_ACL
permit ip 172.20.0.0 0.0.255.255 any
permit ip 172.19.0.0 0.0.255.255 any
permit ip 172.18.0.0 0.0.255.255 any
permit ip 172.17.0.0 0.0.255.255 any
permit ip 172.16.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.26.0.0 0.0.255.255 any
permit ip 172.27.0.0 0.0.255.255 any
permit ip 172.28.0.0 0.0.255.255 any
permit ip 172.29.0.0 0.0.255.255 any
permit ip 172.30.0.0 0.0.255.255 any
permit ip 192.0.0.0 0.255.255.255 any
permit ip 10.100.0.0 0.0.255.255 any
deny ip any any
ip access-list extended OPT_ACL
permit ip any 172.30.0.0 0.0.255.255
permit ip any 172.16.0.0 0.0.255.255
permit ip any 172.26.0.0 0.0.255.255
permit ip any 172.17.0.0 0.0.255.255
permit ip any 172.27.0.0 0.0.255.255
permit ip any 172.18.0.0 0.0.255.255
permit ip any 172.28.0.0 0.0.255.255
permit ip any 172.19.0.0 0.0.255.255
permit ip any 172.29.0.0 0.0.255.255
deny ip any any
ip access-list extended OUTPUT_ACL
permit tcp host 172.20.4.1 any eq smtp
permit tcp host 172.20.6.3 any eq smtp
permit tcp host 172.20.3.11 any eq smtp
permit tcp host 172.170.1.1 any eq smtp
deny tcp any any eq smtp log
permit ip any any
ip access-list extended VLAN2_ACL
permit ip any 10.78.17.0 0.0.0.255
ip access-list extended filter_acl
deny ip host 172.20.6.5 any
deny ip host 10.78.17.254 any
permit tcp 172.0.0.0 0.255.255.255 any eq www
permit tcp 172.0.0.0 0.255.255.255 any eq 443
permit tcp 10.0.0.0 0.0.0.255 any eq 443
ip access-list extended filter_acl_in
permit udp any eq domain 172.20.0.0 0.0.255.255
permit tcp any eq 443 172.20.0.0 0.0.255.255
ip access-list extended filter_acl_out
permit tcp 172.20.0.0 0.0.255.255 any eq www
permit tcp 172.20.0.0 0.0.255.255 any eq 443
!
access-list 10 permit any
!
route-map barracuda_in permit 10
match ip address filter_acl_in
set ip next-hop 10.78.17.254
!
route-map ATT_MAP permit 10
match ip address LOCAL-LAN-ATT
set interface GigabitEthernet0/3/0.1528
!
route-map barracuda-redirect permit 10
match ip address traffic filter_acl
set ip next-hop 10.78.17.254
!
route-map ICN_MAP permit 10
match ip address LOCAL-LAN-ICN
set interface GigabitEthernet0/3/0.554
!
route-map ISP_MAP permit 8
match ip address VLAN2_ACL
match interface GigabitEthernet0/2/0.2
!
route-map ISP_MAP permit 9
match ip address OPT_ACL
match interface GigabitEthernet0/3/0.555
!
route-map ISP_MAP permit 10
match ip address filter_acl
set ip next-hop 10.78.17.254
!
route-map ISP_MAP permit 11
match ip address NAT_ACL
set ip next-hop 1.1.1.205
!
route-map ISP2_MAP permit 10
match ip address ATT_NAT
set ip next-hop 2.2.34.53
!
11-13-2013 01:57 AM
Hi,
1)
ip route 0.0.0.0 0.0.0.0 2.2.34.53
interface GigabitEthernet0/3/0.1528
description AT&T Internet
encapsulation dot1Q 1528
ip address 2.2.35.54 255.255.255.252
your second default route is pointing towards a recursive next-hop; is this a typo? I even wonder whether it is installed in the RIB.
2)
ip nat inside source route-map ATT_MAP interface GigabitEthernet0/3/0.1528 overload
ip nat inside source route-map ICN_MAP interface GigabitEthernet0/3/0.554 overload
route-map ATT_MAP permit 10
match ip address LOCAL-LAN-ATT
set interface GigabitEthernet0/3/0.1528 >>> this should be a match clause not a set
route-map ICN_MAP permit 10
match ip address LOCAL-LAN-ICN
set interface GigabitEthernet0/3/0.554 >>>>> same as above
3)
interface GigabitEthernet0/2/0.2
encapsulation dot1Q 2
ip address 10.78.17.1 255.255.255.0
ip access-group OUTPUT_ACL in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip policy route-map ISP2_MAP
route-map ISP2_MAP permit 10
match ip address ATT_NAT
set ip next-hop 2.2.34.53 >>> typo? recursive next-hop
Can you solve these points and post the latest modified config as well as the results?
Regards
Alain
Don't forget to rate helpful posts.
11-13-2013 05:40 AM
I agree with the points that Alain makes. In addition I question these
route-map ISP_MAP permit 8
match ip address VLAN2_ACL
match interface GigabitEthernet0/2/0.2
!
route-map ISP_MAP permit 9
match ip address OPT_ACL
match interface GigabitEthernet0/3/0.555
ISP_MAP is used for PBR and as such I would expect a match clause and a set clause. Having 2 match clauses is the logic used for address translation and is not effective in Policy Based Routing.
I am also somewhat confused about what you are doing in ISP_MAP. The route map is assigned to do PBR on only one interface. But the route map has 4 clauses, and every clause uses a different access list (one of which has permits for 13 subnets) to select traffic.
I will offer one other suggestion. I like the names that you use for route maps because they are descriptive of what the route map is going to do. ISP_MAP and ISP2_MAP are for PBR while ATT_MAP and ICN_MAP are for address translation. I wish that the access lists had similar relationship between name and function. When ISP_MAP uses NAT_ACL and when ISP2_MAP uses ATT_NAT access list I tend to get confused.
HTH
Rick
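As an added illustration (not from the thread or the router's own configuration), here is a small Python model of two things the replies above turn on: how a Cisco wildcard mask selects addresses (Rick's point that `permit ip 172.0.0.0 0.0.0.255` misses 172.20.1.x while `10.0.0.0 0.255.255.255` catches both 10.78.17.x and 10.100.x.x), and how a NAT route-map clause with two match statements applies only when both the ACL and the egress interface match. The ACL entries are copied from the posts; `NAT_ACL_original` and `NAT_ACL_reposted` are my labels for the first and second versions of NAT_ACL, and `NAT_ROUTE_MAPS` is a hypothetical model of ATT_MAP and ICN_MAP in the recommended match/match form.

```python
import ipaddress

# Constructed sample data: ACL entries from the thread as (action, network, wildcard),
# evaluated top-down like IOS does. Names with suffixes are my labels, not router names.
ACLS = {
    "NAT_ACL_original": [("permit", "172.0.0.0", "0.0.0.255"),      # first post
                         ("deny", "0.0.0.0", "255.255.255.255")],
    "NAT_ACL_reposted": [("permit", "172.20.0.0", "0.0.255.255"),   # re-posted config
                         ("deny", "0.0.0.0", "255.255.255.255")],
    "LOCAL-LAN-ATT": [("permit", "10.0.0.0", "0.255.255.255")],
    "LOCAL-LAN-ICN": [("permit", "172.20.0.0", "0.0.255.255")],
    "ATT_NAT": [("permit", "10.78.17.0", "0.0.0.255"),
                ("deny", "0.0.0.0", "255.255.255.255")],
}

# Hypothetical model of the NAT route-maps in the recommended form:
# each clause is "match ip address <ACL>" AND "match interface <egress>", no set clause.
NAT_ROUTE_MAPS = {
    "ATT_MAP": [("LOCAL-LAN-ATT", "GigabitEthernet0/3/0.1528")],
    "ICN_MAP": [("LOCAL-LAN-ICN", "GigabitEthernet0/3/0.554")],
}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(name, src):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, base, wildcard in ACLS[name]:
        if wildcard_match(src, base, wildcard):
            return action
    return "implicit-deny"

def nat_selects(route_map, src, egress_if):
    """Two match statements in one clause are ANDed: the source must be permitted
    by the ACL and the packet must leave through the named interface."""
    for acl, iface in NAT_ROUTE_MAPS[route_map]:
        if acl_action(acl, src) == "permit" and iface == egress_if:
            return True
    return False

if __name__ == "__main__":
    for acl, src in [("NAT_ACL_original", "172.20.1.100"), ("NAT_ACL_reposted", "172.20.1.100"),
                     ("LOCAL-LAN-ATT", "10.78.17.25"), ("LOCAL-LAN-ATT", "10.100.20.50")]:
        print(f"{acl:18s} {src:14s} -> {acl_action(acl, src)}")
    print("ATT_MAP 10.78.17.25 via Gi0/3/0.1528:", nat_selects("ATT_MAP", "10.78.17.25", "GigabitEthernet0/3/0.1528"))
    print("ATT_MAP 10.78.17.25 via Gi0/3/0.554: ", nat_selects("ATT_MAP", "10.78.17.25", "GigabitEthernet0/3/0.554"))
```

The run shows the original NAT_ACL denying 172.20.1.100 (the Gi0/2/0.1 address) while the re-posted one permits it, and LOCAL-LAN-ATT permitting the OPT-E-MAN host as well as the VLAN2 host, which is the overlap Rick asked about.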