04-30-2015 05:20 AM - edited 03-05-2019 01:22 AM
Hello fellow engineers!
I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
Scenario description:
2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented). The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link. These two are terminated on the switch on intf’s at the appropriate VLAN’s. At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks. The aDSL and Metro links have an 8-IP public set, each.
Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used. VLAN/subnet (all /24) pairs are:
VLAN 11 -> 10.0.1.x
VLAN 12 -> 10.0.2.x
VLAN 13 -> 10.0.3.x
VLAN 71 -> 192.168.17.x
VLAN 204 -> 172.16.204.x
and – last but not least ! – VLAN 10 -> 10.0.0.x
All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected. So does the PAT for hosts of all other VLAN’s (11, 12, 13, …). The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests ! Nothing else ! To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
Could pls someone spot what I’m missing !!
To help you I also attach the router config and some command outputs…
All help is appreciated.
Thanx
Costas
Solved! Go to Solution.
05-11-2015 12:52 AM
Hello Kosta.
After studying the provided config I've concluded to the below:
1. Default gateway of the MultiISP router is Oxygen (212.251.64.153).
2. The route map statements regarding default gateway's IP address are not needed. A permit any route map statement at the end will provide the neccessary access to all the IP addresses that are need to follow the default gateway of the router.
3. Unfortunatelly in order for the NAT rules to apply in a PBR scenario the respective ACLs need to be configured pointing to the appropriate outgoing interface (e.x. Port-Channel 1.64).
4. Since the need is for 1:1 NAT for the servers then the NAT statements should be in the form of
ip nat source static <Private IP address> < Public IP address)
As an extra if you want a complete control over PBR there should be no default gateway static routes. The routing should take place in the route map statements since it could give a better control over it and remove the additional complexity of having routing through PBR for some hosts and static routing for all the others.
Hope that helped a little. I will be more than glad to hear your feedback on this.
Thank you.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide