09-30-2011 01:03 AM - edited 03-04-2019 01:46 PM
Hi
I have a problem. I have two Internet links from two ISPs. One link is primary, the second link is backup. I want to configure this, but I have a problem. When the first link works, the NAT translation table has an entry. After this I shut down the first link and the second link works, but not exactly. I test this by pinging public_address, and after I shut down the first link the ping stops until I manually execute "clear ip nat translation *". After this I bring the first link back up and the ping stops until I manually execute "clear ip nat translation *".
I suppose that this is not a very serious problem - it is just a lack of knowledge.
Could you please help me to resolve this?
Config:
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 99
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 !
 ! x.x.x.x WAN public address
 !
 ip address x.x.x.x 255.255.255.248
 ip access-group WAN-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 in
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1000
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_DEFAULT100
 service-policy output sdmappfwp2p_DEFAULT100
!
interface FastEthernet0/3/0
 switchport mode trunk
 no cdp enable
!
!
interface Vlan1
 !
 ! a.a.a.a LAN private address
 !
 ip address a.a.a.a 255.255.255.0
 ip access-group LAN-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect DEFAULT100 in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1000
 no mop enabled
 service-policy input sdmappfwp2p_DEFAULT100
 service-policy output sdmappfwp2p_DEFAULT100
!
!
interface Dialer99
 ip address negotiated
 ip access-group WAN2-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1000
 dialer pool 99
 dialer-group 99
 no cdp enable
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1
!
ip route static adjust-time 5
!
! x.x.x.y WAN gateway
!
ip route 0.0.0.0 0.0.0.0 x.x.x.y
ip route 0.0.0.0 0.0.0.0 Dialer99 200
!
!
! b.b.b.b private NAT via tunnel
! c.c.c.c private NAT via tunnel
!
ip nat pool NAT-PRIV b.b.b.b b.b.b.b netmask 255.255.255.252
ip nat pool NAT-PRIV2 c.c.c.c c.c.c.c netmask 255.255.255.0
ip nat inside source list NAT-PRIV pool NAT-PRIV overload
ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface Dialer99 overload
!
dialer-list 99 protocol ip permit
!
!
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
!
route-map NAT2 permit 20
 match ip address NAT2
 match interface Dialer99
!
09-30-2011 01:41 AM
Hello,
Your NAT configuration seems to be somewhat mixed up - you are using both ACLs and route-maps to control the NAT process. In your case, using the route-maps will be the correct way to do the NAT.
Before making any changes, however, please be so kind as to post the contents of the ACLs NAT and NAT2 that are referenced by the route-maps NAT and NAT2. It is necessary to verify them before suggesting any modifications.
Thank you!
Best regards,
Peter
09-30-2011 02:32 AM
There is one more interface and two more routes. The NAT ACLs look like this:
interface Vlan500
 ip address d.d.d.d 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
!
ip route b.b.0.0 255.255.0.0 d.d.d.x
ip route c.c.0.0 255.255.0.0 d.d.d.x
!
!
ip access-list extended NAT
 deny ip any b.b.0.0 0.0.255.255
 deny ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny ip any any
!
ip access-list extended NAT2
 deny ip any b.b.0.0 0.0.255.255
 deny ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny ip any any
!
ip access-list extended NAT-PRIV
 deny ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny ip any any
!
ip access-list extended NAT-PRIV2
 deny ip any b.b.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny ip any any
09-30-2011 04:49 AM
Hi,
I would suggest you to configure EEM to have a NAT failover between two ISP's
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/config_guide_eem_configuration_for_cisco_integrated_services_router_platforms.html
Please rate the helpful posts.
Regards,
Naidu.
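The EEM approach suggested above, written out as an added example (this is editor-supplied configuration, not the linked Cisco guide's text or anything posted in the thread). It reuses the OP's names (FastEthernet0/1, Dialer99, gateway x.x.x.y); the IP SLA probe, track object, applet names and timers are assumptions. The mechanism it addresses is the one the OP describes: a route-map with "match interface" is only consulted when a translation is created, so entries built while FastEthernet0/1 was the egress stay bound to it after the default route moves to Dialer99, and again in the other direction when ISP1 returns. The applets clear the table on each track transition so new translations are created against the interface that is now in the routing table. The "ip sla"/"track ... ip sla" syntax assumes a 12.4(20)T or later train; older images use "ip sla monitor" and "track ... rtr".

```cisco
! Added example, not the thread's own config. x.x.x.y = OP's ISP1 gateway.
! Probe the ISP1 next hop every 10 s, sourced from the ISP1 interface.
ip sla 1
 icmp-echo x.x.x.y source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes down after 15 s of failures, up after 30 s of success
! (dampening so a single lost probe does not flap NAT).
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Tie the primary default route to the track so it is withdrawn when ISP1
! fails even if FastEthernet0/1 stays up/up; the floating static via
! Dialer99 (AD 200) then takes over.
ip route 0.0.0.0 0.0.0.0 x.x.x.y track 1
ip route 0.0.0.0 0.0.0.0 Dialer99 200
!
! ISP1 lost: flush translations still bound to FastEthernet0/1.
event manager applet NAT-FAILOVER-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP1 down: NAT translations cleared, egress now Dialer99"
!
! ISP1 restored: flush translations bound to Dialer99 so traffic returns.
event manager applet NAT-FAILOVER-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "ISP1 up: NAT translations cleared, egress now FastEthernet0/1"
```

Two caveats worth checking before relying on this. First, "clear ip nat translation *" also drops the pool-based translations toward the tunnel networks (NAT-PRIV/NAT-PRIV2 via Vlan500), so those sessions are reset on every ISP transition as well; that is the price of a single wildcard clear. Second, probing only the directly connected gateway detects a dead next hop but not an ISP whose upstream is broken; if you probe something further away, add a host route for that target via x.x.x.y so the probe cannot leak out through Dialer99 and report ISP1 healthy when it is not. Confirm the behaviour with "show track 1", "show ip route 0.0.0.0" and "show ip nat translations" on either side of a failover.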
10-01-2011 01:41 AM
THX - I read this and this looks like suitable solution. I must test this and I let You know about results.
10-01-2011 06:53 AM
Naidu,
Thank you for your input. Still, the NAT configuration as presented here is in my opinion incorrect, and needs to be corrected - assume that a stream from a.a.a.0/24 is directed to IP address X.X.X.X different from b.b.b.b or c.c.c.c. Now, both ip nat inside source list and ip nat inside source route-map commands apply to it, and in the order of configuration, the ip nat inside source list command will be used to NAT that stream, not allowing the egress interface to be verified.
The configuration needs to be streamlined in the sense that this overlapping of commands is not possible. In other words, the ACLs must be written so that they create a partitioning of all streams to non-overlapping subsets and therefore make the NAT commands unambiguous.
Best regards,
Peter
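One way to apply the partitioning advice in the post above, as an added example (editor-supplied, not Peter's or the OP's configuration). It keeps the OP's pool and interface names and assumes the pool translations only need to be selected by destination, i.e. the b.b.0.0/16 and c.c.0.0/16 networks reached through Vlan500; the Internet-bound remainder is then owned exclusively by the two route-maps, so the order in which IOS evaluates the "ip nat inside source" statements no longer matters.

```cisco
! Added example, not the thread's own config. Each inside-source rule
! matches a disjoint subset of flows from a.a.a.0/24.
!
! Tunnel-bound flows: dedicated pools, selected by destination only.
ip access-list extended NAT-PRIV
 permit ip a.a.a.0 0.0.0.255 b.b.0.0 0.0.255.255
!
ip access-list extended NAT-PRIV2
 permit ip a.a.a.0 0.0.0.255 c.c.0.0 0.0.255.255
!
! Everything else from the LAN is Internet traffic. The explicit denies
! for the tunnel networks are what keeps this set disjoint from the pools;
! the trailing "deny ip any any" of the original is implicit in IOS ACLs.
ip access-list extended NAT
 deny   ip a.a.a.0 0.0.0.255 b.b.0.0 0.0.255.255
 deny   ip a.a.a.0 0.0.0.255 c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
!
ip access-list extended NAT2
 deny   ip a.a.a.0 0.0.0.255 b.b.0.0 0.0.255.255
 deny   ip a.a.a.0 0.0.0.255 c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
!
! The egress interface is what distinguishes NAT from NAT2, so the route-map
! decides which public address is used once the routing table has failed over.
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
!
route-map NAT2 permit 10
 match ip address NAT2
 match interface Dialer99
!
ip nat pool NAT-PRIV b.b.b.b b.b.b.b netmask 255.255.255.252
ip nat pool NAT-PRIV2 c.c.c.c c.c.c.c netmask 255.255.255.0
ip nat inside source list NAT-PRIV pool NAT-PRIV overload
ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface Dialer99 overload
```

To verify the partition, generate one flow to a tunnel host and one to an Internet host and look at "show ip nat statistics": the per-mapping hit counters should show the tunnel flow only on the pool rule and the Internet flow only on the route-map rule for the current egress interface, and "show ip nat translations" should show the Internet flow translated to that interface's address. Note that partitioning alone does not fix the OP's stale-entry symptom; existing translations are still not re-evaluated when the route changes, so the table still has to be cleared on failover.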
10-02-2011 11:56 PM
Hi Peter,
I would suggest he use only one route-map applied to both NATs. Even that is what EEM tells.
Because he wants NAT failover between two links, that's it.
The traffic from the LAN should go to the Internet either way, so in this case there will be only one access list and one route-map.
Please rate the helpful posts.
Regards,
Naidu.
10-03-2011 12:41 AM
Hi Naidu,
Well, the OP needs to use two distinct NAT pools and two distinct egress interfaces, according to his original configuration. As a single route-map can be used in the ip nat inside source command with only one pool/interface, he will need up to 4 route-maps to accomplish his goal.
It would be perfect if the NAT configuration allowed us to use some set command in the route-map so that different blocks of a single route-map could refer to distinct pools/interfaces, but sadly, this option is not available.
Best regards,
Peter
10-03-2011 01:11 AM
Hi Peter,
He needs to have two different static NAT statements with two different interfaces (two ISPs), which does the job.
This is what I have at one of my sites and NAT failover is successful.
cisco@chodrom.pl, follow the config below and let us know if you face any troubles.
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source static 10.10.10.2 217.8.291.191 route-map nat2dsl extendable
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
route-map nat2dsl permit 10
 match ip address 101
 match interface FastEthernet4
!
route-map nat2cell permit 10
 match ip address 102
 match interface Cellular0
Please rate the helpful posts.
Regards,
Naidu.
10-03-2011 07:18 AM
Naidu,
I have a feeling we are not reaching each other. The OP has these lines in his config:
ip nat pool NAT-PRIV b.b.b.b b.b.b.b netmask 255.255.255.252
ip nat pool NAT-PRIV2 c.c.c.c c.c.c.c netmask 255.255.255.0
ip nat inside source list NAT-PRIV pool NAT-PRIV overload
ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface Dialer99 overload
He is using both NAT pools and egress interfaces. If this configuration is to be maintained, i.e. some translations go through the NAT pools and some other are using the interfaces' addresses, then the count of route-maps may go up to 4.
Best regards,
Peter