02-18-2018 06:08 AM - edited 03-05-2019 09:56 AM
My setup is on gns3, dynamips.
What I'm trying to do is a load balancing between two identical servers using NAT.
The server addresses are 192.168.48.74 and .75. With one public address, I'd like my clients on the internet to access those servers. So if my clients on the internet try to connect to the server through the public address, the router R1 should translate it to one of the local addresses.
This should be done with 'ip nat inside destination list' command according to some articles[1]. But in my setting it doesn't work at all. Can anyone help me?
R1 configuration is as follows:
!
version 12.4
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 10.10.11.1 255.255.255.248
!
interface Loopback1
ip address 192.168.48.1 255.255.255.224
ip ospf network point-to-point
!
interface Loopback2
ip address 192.168.48.33 255.255.255.224
ip ospf network point-to-point
!
interface Loopback3
ip address 192.168.64.1 255.255.255.224
ip ospf network point-to-point
!
interface Loopback4
ip address 192.168.64.33 255.255.255.224
ip ospf network point-to-point
!
interface Loopback5
ip address 192.168.80.97 255.255.255.224
ip ospf network point-to-point
!
interface Loopback6
ip address 192.168.80.193 255.255.255.224
ip ospf network point-to-point
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.13 multipoint
ip address 200.200.17.5 255.255.255.252
ip ospf network point-to-point
frame-relay map ip 200.200.17.6 103 broadcast
!
interface Serial0/1
ip address 200.200.17.13 255.255.255.252
serial restart-delay 0
!
interface Serial0/2
no ip address
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
interface Ethernet1/0
ip address 200.200.17.18 255.255.255.252
ip nat outside
ip virtual-reassembly
full-duplex
!
interface Ethernet1/1
no ip address
full-duplex
!
interface Ethernet1/1.15
encapsulation dot1Q 600
ip address 166.15.13.1 255.255.255.252
!
interface Ethernet1/1.17
encapsulation dot1Q 107
ip address 192.168.32.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Ethernet1/1.18
encapsulation dot1Q 108
ip address 192.168.32.17 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
router ospf 1
router-id 10.10.11.1
log-adjacency-changes
area 0 authentication message-digest
area 192 virtual-link 10.10.13.3 message-digest-key 53 md5 sj79aqj2dn0js
passive-interface default
no passive-interface Serial0/0.13
no passive-interface Serial0/1
no passive-interface Ethernet1/1.17
no passive-interface Ethernet1/1.18
network 192.168.32.1 0.0.0.0 area 1003
network 192.168.32.17 0.0.0.0 area 1003
network 192.168.48.0 0.0.0.63 area 1003
network 192.168.64.0 0.0.0.63 area 1003
network 192.168.80.96 0.0.0.31 area 1003
network 192.168.80.192 0.0.0.31 area 1003
network 200.200.17.5 0.0.0.0 area 192
network 200.200.17.13 0.0.0.0 area 192
default-information originate always
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.200.17.17
!
!
ip nat pool RETAIL-WEB-LOCAL 192.168.48.74 192.168.48.75 prefix-length 29 type rotary
ip nat inside source list NAT-GRP interface Ethernet1/0 overload
ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL
!
!
ip access-list standard NAT-GRP
permit 192.168.48.0 0.0.0.63
permit 192.168.64.0 0.0.16.255
ip access-list standard RETAIL-WEB-GLOBAL
permit 200.200.17.34
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
SW3 config is as follows:
no service password-encryption
!
hostname SW3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface Loopback1
ip address 192.168.48.65 255.255.255.248
ip ospf network point-to-point
!
interface Loopback2
ip address 192.168.48.73 255.255.255.248
ip ospf network point-to-point
!
interface Loopback3
ip address 192.168.48.81 255.255.255.248
ip ospf network point-to-point
!
interface Loopback4
ip address 192.168.80.1 255.255.255.224
ip ospf network point-to-point
!
interface Loopback5
ip address 192.168.80.33 255.255.255.224
ip ospf network point-to-point
!
interface Loopback6
ip address 192.168.48.137 255.255.255.248
ip ospf network point-to-point
!
interface Port-channel1
switchport mode trunk
!
interface Port-channel2
switchport mode trunk
!
interface Port-channel3
switchport mode trunk
!
interface FastEthernet1/0
switchport access vlan 210
!
!
interface FastEthernet1/9
switchport mode trunk
channel-group 2 mode on
!
interface FastEthernet1/10
switchport mode trunk
channel-group 2 mode on
!
interface FastEthernet1/11
switchport mode trunk
channel-group 3 mode on
!
interface FastEthernet1/12
switchport mode trunk
channel-group 3 mode on
!
interface FastEthernet1/13
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet1/14
switchport mode trunk
channel-group 1 mode on
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
!
interface Vlan108
ip address 192.168.32.18 255.255.255.240
ip access-group CTRL-RETAIL-TELLER in
!
interface Vlan708
ip address 192.168.32.34 255.255.255.240
ip access-group CTRL-RETAIL-TELLER in
!
router ospf 1
router-id 10.10.11.3
log-adjacency-changes
passive-interface default
no passive-interface Vlan108
no passive-interface Vlan708
network 192.168.32.18 0.0.0.0 area 1003
network 192.168.32.34 0.0.0.0 area 1003
network 192.168.48.64 0.0.0.31 area 1003
network 192.168.80.0 0.0.0.7 area 1003
network 192.168.80.32 0.0.0.7 area 1003
!
ip http server
no ip http secure-server
!
ip access-list extended CTRL-RETAIL-TELLER
permit ip 192.168.48.0 0.0.0.15 192.168.48.68 0.0.0.1
permit ip 192.168.48.32 0.0.0.7 192.168.48.68 0.0.0.1
deny ip any 192.168.48.64 0.0.0.7
permit ip any any
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
ip nat statistics on R1 shows the following:
R1#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet1/0
Inside interfaces:
Ethernet1/1.17, Ethernet1/1.18
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-GRP interface Ethernet1/0 refcount 0
-- Inside Destination
[Id: 2] access-list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL refcount 0
pool RETAIL-WEB-LOCAL: netmask 255.255.255.248
start 192.168.48.74 end 192.168.48.75
type rotary, total addresses 2, allocated 0 (0%), misses 0
Queued Packets: 0
When I try to ping 200.200.17.34 from the ISP, it fails. It doesn't even create any "ip nat translation" entry; it tries to route the address without going through NAT at all.
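A small model of how the inside-destination rotary rule in the config above decides whether to translate a packet, as an added example (Python, written for this thread, not router code): the packet must arrive on an "ip nat outside" interface, its destination must match the RETAIL-WEB-GLOBAL access list, and it must be TCP (Cisco documents rotary load distribution as TCP-only), after which the pool is walked round-robin. The ACL, pool and interface names are taken from the posted config; the wildcard matcher also shows which hosts the NAT-GRP entry 192.168.48.0 0.0.0.63 covers.

```python
import ipaddress
from itertools import cycle


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are don't-care."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


class RotaryDestinationNat:
    """Model of 'ip nat inside destination list <acl> pool <pool>' with a
    'type rotary' pool.  Constructed model, not IOS code: the standard ACL is a
    list of (base, wildcard) permit entries, the pool is cycled round-robin, and
    only TCP is translated, which is how Cisco documents rotary load sharing."""

    def __init__(self, acl, pool, outside_ifaces):
        self.acl = acl
        self.pool = cycle(pool)
        self.outside = set(outside_ifaces)
        self.translations = []  # (global dst, local dst) pairs created

    def translate(self, in_iface, proto, dst):
        if in_iface not in self.outside:
            return None  # rule fires only for outside -> inside traffic
        if proto != "tcp":
            return None  # ICMP and UDP are routed untranslated
        if not any(wildcard_match(dst, base, wc) for base, wc in self.acl):
            return None  # destination is not a listed global address
        local = next(self.pool)
        self.translations.append((dst, local))
        return local


def build_r1():
    """NAT rule as posted: ACL RETAIL-WEB-GLOBAL, pool RETAIL-WEB-LOCAL."""
    return RotaryDestinationNat(
        acl=[("200.200.17.34", "0.0.0.0")],
        pool=["192.168.48.74", "192.168.48.75"],
        outside_ifaces=["Ethernet1/0"],
    )


def simulate_isp_traffic():
    """ISP sends a ping, then three TCP connections, all to the global address."""
    r1 = build_r1()
    results = [r1.translate("Ethernet1/0", "icmp", "200.200.17.34")]
    results += [r1.translate("Ethernet1/0", "tcp", "200.200.17.34") for _ in range(3)]
    return results
```

simulate_isp_traffic() returns [None, '192.168.48.74', '192.168.48.75', '192.168.48.74']: the ping creates no entry, matching the zero-translation statistics, while TCP sessions alternate between the two servers.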
02-18-2018 12:12 PM
Hello,
where is 200.200.17.34 configured? I don't see an ip nat outside interface in your configuration with that IP address...
02-18-2018 04:55 PM
02-19-2018 12:53 AM
Hello,
you are right, my bad, the interface address does not have to match the public address.
Looking through your config, check your inside NAT access list, it doesn't include the addresses for your servers:
ip access-list standard NAT-GRP
permit 192.168.48.0 0.0.0.63 --> includes only hosts 1 - 62, change the wildcard to 0.0.0.127
permit 192.168.64.0 0.0.16.255
Also, can you ping 192.168.48.74 from the router? I cannot fully figure out what your network looks like, since you have a virtual link (to where?), and your switch is supposed to be a layer 3 switch?
02-20-2018 02:32 AM - edited 02-20-2018 02:38 AM
Hello
@saba wrote:
I didn't think that address has to be assigned in an interface. That
address needs to be translated, and the article explaining ip nat inside
destination doesn't have any interface assigned with the public address
which needs to be translated.
Do you think I should change the public address to the address associated
in the ip nat interface?
You need to be able to have 200.200.17.34 available for you to use and advertised by your ISP; your global inside addressing 200.200.17.18/30 doesn't even extend to this IP address, so why are you trying to connect via it?
As for your destination NAT config, this looks okay.
res
Paul
02-22-2018 03:24 AM
02-22-2018 04:56 AM
Hello,
you have a virtual link with area 192 being the transit area. What are you linking to?
Try and take the access list 'ip access-list standard NAT-GRP' out of your configuration altogether...
no ip access-list standard NAT-GRP