2242 Views, 0 Helpful, 9 Replies

NAT and two ISP

cisco
Level 1

Hi

I have a problem. I have two internet links from two ISPs. One link is primary, the second link is backup. I want to configure this, but I have a problem. When the first link works, the NAT translation table has an entry. After this I shut down the first link and the second link works, but not exactly. I test this by pinging public_address, and after I shut down the first link the ping stops until I execute "clear ip nat translation *" manually. After this I bring the first link back up and the ping stops until I execute "clear ip nat translation *" manually.

I suppose that is not a very serious problem - it is just a lack of knowledge.

Could you please help me to resolve this?

Config:

!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 99
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 !
 ! x.x.x.x WAN public address
 !
 ip address x.x.x.x 255.255.255.248
 ip access-group WAN-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 in
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1000
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_DEFAULT100
 service-policy output sdmappfwp2p_DEFAULT100
!
interface FastEthernet0/3/0
 switchport mode trunk
 no cdp enable
!
interface Vlan1
 !
 ! a.a.a.a LAN private address
 !
 ip address a.a.a.a 255.255.255.0
 ip access-group LAN-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect DEFAULT100 in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1000
 no mop enabled
 service-policy input sdmappfwp2p_DEFAULT100
 service-policy output sdmappfwp2p_DEFAULT100
!
interface Dialer99
 ip address negotiated
 ip access-group WAN2-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1000
 dialer pool 99
 dialer-group 99
 no cdp enable
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1
!
ip route static adjust-time 5
!
! x.x.x.y WAN gateway
!
ip route 0.0.0.0 0.0.0.0 x.x.x.y
ip route 0.0.0.0 0.0.0.0 Dialer99 200
!
! b.b.b.b private NAT via tunnel
! c.c.c.c private NAT via tunnel
!
ip nat pool NAT-PRIV b.b.b.b b.b.b.b netmask 255.255.255.252
ip nat pool NAT-PRIV2 c.c.c.c c.c.c.c netmask 255.255.255.0
ip nat inside source list NAT-PRIV pool NAT-PRIV overload
ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface Dialer99 overload
!
dialer-list 99 protocol ip permit
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/1
!
route-map NAT2 permit 20
 match ip address NAT2
 match interface Dialer99
!

1 Accepted Solution

9 Replies

Peter Paluch
Cisco Employee

Hello,

Your NAT configuration seems to be somewhat mixed up - you are using both ACLs and route-maps to control the NAT process. In your case, using the route-maps will be the correct way to do the NAT.

Before making any changes, however, please be so kind to post the contents of the ACLs NAT and NAT2 that are referenced by the route-maps NAT and NAT2. It is necessary to verify them before suggesting any modifications.

Thank you!

Best regards,

Peter

There is one more interface and two more routes. The NAT ACLs look like this:

interface Vlan500
 ip address d.d.d.d 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
!
ip route b.b.0.0 255.255.0.0 d.d.d.x
ip route c.c.0.0 255.255.0.0 d.d.d.x
!
!
ip access-list extended NAT
 deny   ip any b.b.0.0 0.0.255.255
 deny   ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended NAT2
 deny   ip any b.b.0.0 0.0.255.255
 deny   ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended NAT-PRIV
 deny   ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended NAT-PRIV2
 deny   ip any b.b.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
 deny   ip any any

Hi,

I would suggest you configure EEM to have NAT failover between the two ISPs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/config_guide_eem_configuration_for_cisco_integrated_services_router_platforms.html


Please rate the helpful posts.
Regards,
Naidu.
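A concrete form of the EEM approach Naidu links to, added here as an example and not copied from the linked guide or from any post in this thread. An IP SLA probe checks that the primary gateway answers, the primary default route is tied to that track so it is also withdrawn when FastEthernet0/1 stays up but the ISP behind it is dead, and two EEM applets run the "clear ip nat translation *" that the OP is doing by hand today, once on failover and once on failback. The probe target x.x.x.y is the OP's WAN gateway placeholder; the SLA and track numbers, the timers and the applet names are assumptions.

```cisco
! Probe the primary ISP gateway every 10 s, sourced from the primary WAN link.
ip sla 1
 icmp-echo x.x.x.y source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track the probe. The delays keep a single lost ping from flapping the route
! and, with it, the NAT table. (Older images use "track 1 rtr 1 reachability".)
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The primary default route is withdrawn when the track goes down, so the
! floating static via Dialer99 (AD 200) takes over; it returns when the track is up.
no ip route 0.0.0.0 0.0.0.0 x.x.x.y
ip route 0.0.0.0 0.0.0.0 x.x.x.y track 1
ip route 0.0.0.0 0.0.0.0 Dialer99 200
!
! Flush translations on both transitions, so sessions are rebuilt on the
! interface that is now the egress instead of hanging on the old one.
event manager applet NAT-FAILOVER
 event track 1 state down
 action 1.0 syslog msg "Primary ISP down: clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
event manager applet NAT-FAILBACK
 event track 1 state up
 action 1.0 syslog msg "Primary ISP up: clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

Two things to check before trusting this. The WAN-IN access-group on FastEthernet0/1 is not shown in the thread; it must permit the ICMP echo-reply from x.x.x.y, otherwise the track never comes up and the router sits on the backup link forever ("show track 1" and "show ip sla statistics 1" tell you which state you are in). And "clear ip nat translation *" also drops the sessions translated to the NAT-PRIV and NAT-PRIV2 pools over Vlan500, so every TCP session through the box is reset on each transition; that is the price of the simple applet, and the syslog lines it emits are what you correlate against user complaints afterwards.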

THX - I read this and it looks like a suitable solution. I must test this and I will let you know about the results.

Naidu,

Thank you for your input. Still, the NAT configuration as present here is in my opinion incorrect, and needs to be corrected - assume that a stream from a.a.a.0/24 is directed to IP address X.X.X.X different from b.b.b.b or c.c.c.c. Now, both ip nat inside source list and ip nat inside source route-map commands apply to it, and in the order of configuration, the ip nat inside source list command will be used to NAT that stream, not allowing the egress interface to be verified.

The configuration needs to be streamlined in the sense that this overlapping of commands is not possible. In other words, the ACLs must be written so that they create a partitioning of all streams to non-overlapping subsets and therefore make the NAT commands unambiguous.

Best regards,

Peter

Hi Peter,


I would suggest he use only one route-map applied to both NATs. Even that is what EEM tells.
Because he wants NAT failover between the two links, that's it.
The traffic from the LAN goes to the internet either way, so in this case there will be only one access list and one route-map.


Please rate the helpful posts.
Regards,
Naidu.

Hi Naidu,

Well, the OP needs to use two distinct NAT pools and two distinct egress interfaces, according to his original configuration. As a single route-map can be used in the ip nat inside source command with only one pool/interface, he will need up to 4 route-maps to accomplish his goal.

It would be perfect if the NAT configuration allowed us to use some set command in the route-map so that different blocks of a single route-map could refer to distinct pools/interfaces, but sadly, this option is not available.

Best regards,

Peter

Hi Peter,

He needs to have two different static NAT statements with two different interfaces (two ISPs), which does the job.
This is what I have at one of my sites and NAT failover is successful.
cisco@chodrom.pl, follow the config below and let us know if you face any troubles.


ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source static 10.10.10.2 217.8.291.191 route-map nat2dsl extendable


access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any


route-map nat2dsl permit 10
match ip address 101
match interface FastEthernet4
!
route-map nat2cell permit 10
match ip address 102
match interface Cellular0


Please rate the helpful posts.
Regards,
Naidu.

Naidu,

I have a feeling we are not reaching each other. The OP has these lines in his config:

ip nat pool NAT-PRIV b.b.b.b b.b.b.b netmask 255.255.255.252

ip nat pool NAT-PRIV2 c.c.c.c c.c.c.c netmask 255.255.255.0

ip nat inside source list NAT-PRIV pool NAT-PRIV overload

ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload

ip nat inside source route-map NAT interface FastEthernet0/1 overload

ip nat inside source route-map NAT2 interface Dialer99 overload

He is using both NAT pools and egress interfaces. If this configuration is to be maintained, i.e. some translations go through the NAT pools and some other are using the interfaces' addresses, then the count of route-maps may go up to 4.

Best regards,

Peter
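One way to lay out the partition Peter asks for in his two replies above (non-overlapping ACLs, and up to four route-maps because two pools and two egress interfaces are in play), written here as an added example rather than a configuration from this thread. Each ACL now matches exactly one destination class, the two "ip nat inside source list" statements are dropped so that every translation goes through a route-map and therefore checks the egress interface, and each route-map binds one ACL to one interface. The ACL name NAT-INET and the route-map names NAT-TUN1 and NAT-TUN2 are assumptions; the address placeholders are the OP's.

```cisco
! Destination-based partition: any given stream from a.a.a.0/24 matches
! exactly one of these three ACLs, so no two NAT statements can claim it.
ip access-list extended NAT-PRIV
 permit ip a.a.a.0 0.0.0.255 b.b.0.0 0.0.255.255
ip access-list extended NAT-PRIV2
 permit ip a.a.a.0 0.0.0.255 c.c.0.0 0.0.255.255
ip access-list extended NAT-INET
 deny   ip any b.b.0.0 0.0.255.255
 deny   ip any c.c.0.0 0.0.255.255
 permit ip a.a.a.0 0.0.0.255 any
!
! One route-map per (ACL, egress interface) pair: four in total.
! The tunnel-bound streams leave via Vlan500, the internet-bound ones via
! whichever default route is active.
route-map NAT-TUN1 permit 10
 match ip address NAT-PRIV
 match interface Vlan500
route-map NAT-TUN2 permit 10
 match ip address NAT-PRIV2
 match interface Vlan500
route-map NAT permit 10
 match ip address NAT-INET
 match interface FastEthernet0/1
route-map NAT2 permit 10
 match ip address NAT-INET
 match interface Dialer99
!
! Drop the list-based statements that bypassed the egress-interface check ...
no ip nat inside source list NAT-PRIV pool NAT-PRIV overload
no ip nat inside source list NAT-PRIV2 pool NAT-PRIV2 overload
! ... and drive every translation, pools included, from a route-map.
ip nat inside source route-map NAT-TUN1 pool NAT-PRIV overload
ip nat inside source route-map NAT-TUN2 pool NAT-PRIV2 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface Dialer99 overload
```

Run "clear ip nat translation *" before removing the list-based statements, since IOS refuses to delete a dynamic mapping that still has translations in use. The two deny lines in NAT-INET are deliberate: if the route to b.b.0.0/16 or c.c.0.0/16 ever disappears, that private traffic would fall onto the default route, and without the denies it would be translated to the public address and leak out of the ISP link instead of being dropped. "show ip nat translations" afterwards should show the tunnel-bound entries against b.b.b.b or c.c.c.c only, and the internet entries against the address of the interface that is currently the default route's egress.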
