NAT for Dual WAN Interfaces Using ACLs

austin.lechelt
Level 1

I have two questions regarding this subject; first, why doesn't it work when referencing ACLs in two different NAT statements on a Cisco ISR router?

!---Routing and interface configurations omitted---

!
ip nat inside source list NAT_172.16 interface Dialer0 overload
ip nat inside source list NAT_Alt_172 interface GigabitEthernet0 overload
!
ip access-list standard NAT_172.16
 remark NAT 430 Traffic to Internet
 permit 172.16.0.0 0.0.255.255
 deny   any
ip access-list standard NAT_Alt_172
 remark NAT 430 Traffic to Alt Internet
 permit 172.16.0.0 0.0.255.255
 deny   any

Second, how do the route-maps work without a “set” statement?

access-list 100 permit ip 172.168.60.0 0.0.0.255 any
!
route-map isp1 permit 10
match ip address 100
match interface FastEthernet0/0
!
route-map isp2 permit 10
match ip address 100
match interface FastEthernet1/0
!
ip nat inside source route-map isp1 interface FastEthernet0/0 overload
ip nat inside source route-map isp2 interface FastEthernet1/0 overload

Just trying to wrap my head around this.

Accepted Solution

Philip D'Ath
VIP Alumni

In both cases, only "match" criteria are considered.

In the below case, the only match being specified is an access-list, and both access-lists are the same. So this won't work at all well.

ip nat inside source list NAT_172.16 interface Dialer0 overload
ip nat inside source list NAT_Alt_172 interface GigabitEthernet0 overload

In the next case, the route-map is saying both an access-list and the outbound interface must match - which will be unique.

route-map isp1 permit 10 
match ip address 100
match interface FastEthernet0/0
!
route-map isp2 permit 10
match ip address 100
match interface FastEthernet1/0

No "set" is required because you are already matching the outbound interface - it is already going out the interface required.

2 Replies

austin.lechelt
Level 1
Thank you! I have one additional question; I tried the route-map:

route-map isp1 permit 10 
match interface FastEthernet0/0
!
route-map isp2 permit 10
match interface FastEthernet1/0

...and it works!

From my understanding the statement:

route-map isp1 permit 10
match interface FastEthernet0/0
!
ip nat inside source route-map isp1 interface FastEthernet0/0 overload
!

Is worded like this:

NAT inside to outside source (Fa0/0) destination: (Fa0/0)

How then is the following to be true:

NAT inside to outside source Fa0 to Fa0...where is the source specified? I see where the destination is specified (in the NAT statement: Fa0/0)...but the source matches the destination?

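The following is an added illustration, not code from the thread and not Cisco's implementation: a small Python model of how a router picks which "ip nat inside source" rule translates an inside-to-outside packet, written to encode the behaviour the accepted answer describes. A "list" rule is selected on its ACL alone, so with two identical ACLs the first configured rule wins for every packet whatever the egress interface; a "route-map" rule requires every match clause in the sequence to hold, and "match interface" is compared against the egress interface that routing already chose. It also covers the follow-up post's interface-only route-map, where the absent "match ip address" clause simply means any inside source exiting that interface is translated. Interface names and prefixes are taken from the thread; the packet addresses and the rule-selection model itself are constructed for the demonstration.

```python
# Constructed model of IOS NAT rule selection (not Cisco's code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class StandardAcl:
    """Standard ACL: ordered (action, network, wildcard) entries, implicit deny at the end."""
    name: str
    entries: List[Tuple[str, str, str]]

    def permits(self, src: str) -> bool:
        s = int(ipaddress.IPv4Address(src))
        for action, network, wildcard in self.entries:
            net = int(ipaddress.IPv4Address(network))
            wild = int(ipaddress.IPv4Address(wildcard))
            care = ~wild & 0xFFFFFFFF           # wildcard bit 0 means "this bit must match"
            if s & care == net & care:
                return action == "permit"
        return False                            # implicit "deny any"


@dataclass
class RouteMap:
    """One permit sequence; a clause set to None is absent and therefore matches anything."""
    name: str
    acl: Optional[StandardAcl] = None           # match ip address <acl>
    interface: Optional[str] = None             # match interface <egress interface>

    def matches(self, src: str, egress: str) -> bool:
        if self.acl is not None and not self.acl.permits(src):
            return False
        if self.interface is not None and self.interface != egress:
            return False
        return True                             # every configured clause held (AND)


@dataclass
class NatRule:
    """ip nat inside source {list|route-map} <selector> interface <interface> overload"""
    selector: Union[StandardAcl, RouteMap]
    interface: str                              # interface whose address the packet is PATed to


def translating_interface(rules: List[NatRule], src: str, egress: str) -> Optional[str]:
    """First rule whose selector matches decides the address; None means no translation."""
    for rule in rules:
        sel = rule.selector
        hit = sel.permits(src) if isinstance(sel, StandardAcl) else sel.matches(src, egress)
        if hit:
            return rule.interface
    return None


# --- the two configurations from the thread ---------------------------------
DENY_ANY = ("deny", "0.0.0.0", "255.255.255.255")
NAT_172_16 = StandardAcl("NAT_172.16", [("permit", "172.16.0.0", "0.0.255.255"), DENY_ANY])
NAT_ALT_172 = StandardAcl("NAT_Alt_172", [("permit", "172.16.0.0", "0.0.255.255"), DENY_ANY])
LIST_RULES = [NatRule(NAT_172_16, "Dialer0"), NatRule(NAT_ALT_172, "GigabitEthernet0")]

ACL_100 = StandardAcl("100", [("permit", "172.168.60.0", "0.0.0.255")])
ROUTE_MAP_RULES = [
    NatRule(RouteMap("isp1", ACL_100, "FastEthernet0/0"), "FastEthernet0/0"),
    NatRule(RouteMap("isp2", ACL_100, "FastEthernet1/0"), "FastEthernet1/0"),
]
# The follow-up post's variant: "match interface" only, no "match ip address".
INTERFACE_ONLY_RULES = [
    NatRule(RouteMap("isp1", interface="FastEthernet0/0"), "FastEthernet0/0"),
    NatRule(RouteMap("isp2", interface="FastEthernet1/0"), "FastEthernet1/0"),
]

if __name__ == "__main__":
    # Constructed packets: a 172.16.x host leaving via each WAN, then a 172.168.60.x host.
    for egress in ("Dialer0", "GigabitEthernet0"):
        print("list rules, egress", egress, "->", translating_interface(LIST_RULES, "172.16.4.20", egress))
    for egress in ("FastEthernet0/0", "FastEthernet1/0"):
        print("route-map rules, egress", egress, "->", translating_interface(ROUTE_MAP_RULES, "172.168.60.9", egress))
```

Run as a script, the list-based pair reports Dialer0 for both egress interfaces, which is the failure the answer predicts: a packet routed out GigabitEthernet0 is still translated to Dialer0's address because the first ACL already matched it. The route-map pair reports the interface the packet actually leaves on, and the interface-only variant does the same for any inside source, which is why no "set" clause is needed.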