NAT not working

falkaabi
Level 1

Hi,

I need someone to help me with my problem. I work for a small organization as a network operator. Here in our company they have bought 2 WAN leased links of 2 Mbps each from the same ISP. The ISP, according to their policy, provides a block of 8 public IP addresses for the LAN for each 2 Mbps WAN link purchased. So now with 2 WAN links I have a total of (8+8=16) valid IP addresses. Now my problem is that the router I am using is a 1720 with one Ethernet port. I am attaching the sample config file for your reference. With this config I can nslookup but cannot browse.

Thanks in advance.

SEEID

14 Replies

Pravin Phadte
Level 5

Hi,

After checking the attached config I would like to clear up one of the statements listed in the running config.

ip nat pool NET-POOL2 45.222.48.16.24 45.222.48.16.31 prefix-length 29

Can you verify this statement?

It is for the mask I used, i.e. 255.255.255.248.

Why are you setting "ip next-hop" in the route-map?

Can you try without that?

Also, you are not using "overload".... does that mean you have so few hosts inside who need to access the web?

Regards,

Niranjan

I think you did not understand what I was pointing out.

ip nat pool NET-POOL2 45.222.48.16.24 45.222.48.16.31 prefix-length 29 ? You need to verify this IP address; it has 5 octets.

Are these links from one ISP or different ISPs?

What is the output of "show ip nat translation"?

If possible, please try these ACLs.

access-list 111 permit ip 172.16.13.0 0.0.0.255 200.100.132.142 0.0.0.3

access-list 112 permit ip 172.16.13.0 0.0.0.255 200.100.132.146 0.0.0.3

Regards,

Pravin

Hi,

Let me explain again. We have 2 leased circuits of 2 Mbps each coming from the same ISP and terminating on the 2 WAN ports of a single 1720 router. The router has one LAN port.

Now with these 2 WAN links, the ISP has supplied 2 blocks of IP addresses (45.222.48.16-23/29 & 45.222.48.16.24-31/29);

you can refer to the attached config file. Now the problem is that there is no NAT happening: when I ping some external site and check (RTR#show ip nat translation), I don't see any translations, but sometimes when I nslookup I can resolve but there is no browsing :(

Thanks in advance

Saeeid

Saeeid.. going through your config paused me for a question. What exactly are you looking to achieve with the existing config, or for that matter with the additional IPs? There are a couple of points to be noted here.

First, you see there are 2 default routes pointing to different Se interfaces. This would only make sense if it is coupled into a floating static route so that it moves over to the other Se interface if one of the attached Se links fails (assuming the same ISP uses different paths to advertise out to the internet).

Secondly, do you intend to host any web/FTP server internally in your network and have it accessed from external sources? In this case the additional IPs can be used for this.

Also, having so many additional IPs is normally used when the additional global IPs are allotted as primary & secondary to the internal LAN fe0 interface, and further parts of these are assigned to any other connected firewall or routers inside the network to segregate and have the traffic flow in different directions. If so, NAT will happen on the devices connected to the Fe0 interface.

Let us know your views so that we can work forward to your desired solution.

Please rate the post if it helps!!!

Hi reco,

Let me quickly answer your queries:

1. Well, the use of two default routes is the idea to utilise both the links.

2. No, I don't intend to have any web/FTP server on my internal network.

Hope I answered your queries....

Requirement:

So, coming to what exactly I am trying to do or looking for:

1. I want to utilise both the WAN links from the same ISP, and also both blocks of IPs, in whatever way possible, and route the traffic on both the links at a given time.

Concerns:

I appreciate any new config for my requirement, or altering the existing one, whichever is the best possible way.

Thanks in advance..

Saeeid.. here we go.

Please try the below config. I haven't really tested this, but based on your need this should work in all logic, unless otherwise.

The config I have posted is kept minimal to the need here. IPs used are also as provided; if any changes, please amend accordingly.

________________

interface Serial0
 ip address 200.100.132.142 255.255.255.252
 ip nat outside
 ip policy route-map exit
!
interface Serial1
 ip address 200.100.132.146 255.255.255.252
 ip nat outside
 ip policy route-map exit
!
interface FastEthernet0
 ip address 172.16.13.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map test1 interface Serial0 overload
ip nat inside source route-map test2 interface Serial1 overload
!
! Floating default routes: the route with administrative distance 70 is
! installed only when the one with distance 10 is withdrawn.
ip route 0.0.0.0 0.0.0.0 200.100.132.141 10
ip route 0.0.0.0 0.0.0.0 200.100.132.145 70
!
! Standard ACLs (the original shorthand "acl" is not an IOS keyword)
access-list 25 permit 200.100.132.145
access-list 26 permit 200.100.132.141
access-list 35 permit 172.16.13.0 0.0.0.255
! ISP1 global range
access-list 45 permit 45.222.48.16 0.0.0.7
! ISP2 global range
access-list 55 permit 45.222.48.24 0.0.0.7
!
route-map exit permit 10
 match ip address 45
 set ip next-hop 200.100.132.145
route-map exit permit 20
 match ip address 55
 set ip next-hop 200.100.132.141
!
route-map test1 permit 10
 match ip address 35
 match ip next-hop 26
route-map test2 permit 20
 match ip address 35
 match ip next-hop 25

_________________

Just a heads-up on this.. the 2 default routes used here are floating ones, each tagged with a metric. This allows the other to be used in case one of them is not reachable.

Route-maps point to/invoke the respective hops/addresses.

Let us know the output once you hook this up to the device.

Please rate/mark if this helps!!!

Hi foxbatreco,

I am yet to try this on the router because of a hectic schedule. Anyway, thank you very much for the config; I have already rated your post. I will get back to you once I try the config.

Saeed

Thanks buddy! Please try the config and let us know if it goes through. Any issues.. we will help you find a solution.

Hi there,

Well, today I tried the config below, but unfortunately I can browse only one site, i.e. www.google.com, and also the traffic is not hitting both interfaces as I wanted; if I shut one interface there is no translation or any traffic passing... All the translation and traffic is moving on one link, i.e. serial0.

An urgent reply to my problem will be appreciated.

Thanks in advance...

interface Serial0
 ip address 200.100.132.142 255.255.255.252
 ip nat outside
 ip policy route-map exit
!
interface Serial1
 ip address 200.100.132.146 255.255.255.252
 ip nat outside
 ip policy route-map exit
!
interface FastEthernet0
 ip address 172.16.13.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map test1 interface Serial0 overload
ip nat inside source route-map test2 interface Serial1 overload
!
! Floating default routes: distance 70 is used only when the distance 10
! route is withdrawn.
ip route 0.0.0.0 0.0.0.0 200.100.132.141 10
ip route 0.0.0.0 0.0.0.0 200.100.132.145 70
!
! Standard ACLs (the original shorthand "acl" is not an IOS keyword)
access-list 25 permit 200.100.132.145
access-list 26 permit 200.100.132.141
access-list 35 permit 172.16.13.0 0.0.0.255
! ISP1 global range
access-list 45 permit 45.222.48.16 0.0.0.7
! ISP2 global range
access-list 55 permit 45.222.48.24 0.0.0.7
!
route-map exit permit 10
 match ip address 45
 set ip next-hop 200.100.132.145
route-map exit permit 20
 match ip address 55
 set ip next-hop 200.100.132.141
!
route-map test1 permit 10
 match ip address 35
 match ip next-hop 26
route-map test2 permit 20
 match ip address 35
 match ip next-hop 25

This is a nasty issue that you will find many threads on. Even though you have the same ISP on both connections, it has the same issue as using 2 ISPs.

The best solution is to ask the ISP to bond the links together with something like multilink PPP and route both blocks to you over what then appears to be a single link.

Assuming that is not possible I will point out some of the issues you have.

First, policy routing is input only; you cannot policy route output. You really need to do the policy routing on the Ethernet, but since policy routing is done before NAT on inside-to-outside traffic you can't just match the ISP addresses.

Your biggest issue is that you cannot really load balance this. By default the router will use a combination of source and destination IP addresses to pick a path. The problem you will find is that the address you are NATted to will change based on the path. This may work, but in many cases, even though a site may appear to have only 1 address, behind the covers it may have many. If the router chooses a different path to get to these, you get different NAT source addresses, which the servers at the remote site will detect as a spoof and drop your session.

Although not a good solution, you need to manually balance your traffic. You in effect assign your users to one or the other ISP.

One common way would be to send all even addresses one way and all odd addresses the other.

So to start, you put a policy route on the Ethernet interface that matches the 172.16.13.x addresses and sets the next hop to whichever ISP you choose.

Now you have to fix the NAT issue. You need to create 2 pools, one for each ISP, and assign the addresses based on the next hop. This will be very similar to the way you do it with your NAT overload in your sample. You should most likely remove the NAT overload statements if you are going to use a NAT pool.

This should make it mostly work, but you will never get true load balancing.

You also have an issue if one of the connections fails, which I won't discuss here, but you can look up policy routing and track object for a solution.
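The scheme in the reply above, written out as an added example (not a config from anyone in this thread): even LAN hosts exit via ISP1 and odd hosts via ISP2 through PBR on the inside interface, one NAT pool per ISP block is chosen by exit interface, and IP SLA tracking lets a dead next hop fall back to the floating default routes. Addresses are the ones from the thread; the ACL numbers, pool, route-map and track names are assumed, `match interface` is used in the NAT route-maps in place of the thread's `match ip next-hop`, and overload (PAT) is kept because a /24 LAN has far more hosts than the six usable pool addresses.

```cisco
! Assumed from the thread: LAN 172.16.13.0/24 on fe0; ISP1 via se0
! (next hop 200.100.132.141, global block 45.222.48.16/29); ISP2 via se1
! (next hop 200.100.132.145, global block 45.222.48.24/29).
!
! 1. Split the LAN by host parity: wildcard 0.0.0.254 pins the lowest bit
!    of the last octet, so ACL 10 = even hosts, ACL 11 = odd hosts. Each
!    host therefore always leaves by one ISP with one global address.
access-list 10 permit 172.16.13.0 0.0.0.254
access-list 11 permit 172.16.13.1 0.0.0.254
!
! 2. Track each ISP next hop (IOS 12.4+ syntax; older images use the
!    "rtr"/"ip sla monitor" form). A failed probe disables that PBR clause
!    and traffic falls back to the floating default routes.
ip sla 1
 icmp-echo 200.100.132.141 source-interface Serial0
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.100.132.145 source-interface Serial1
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! 3. Policy routing on the INSIDE interface. PBR runs before NAT, so it
!    must match the private source addresses, not the ISP blocks.
route-map LAN-PBR permit 10
 match ip address 10
 set ip next-hop verify-availability 200.100.132.141 10 track 1
route-map LAN-PBR permit 20
 match ip address 11
 set ip next-hop verify-availability 200.100.132.145 10 track 2
interface FastEthernet0
 ip policy route-map LAN-PBR
!
! 4. One pool per ISP block, chosen by the exit interface, so the source
!    address always belongs to the ISP the packet leaves through. PAT
!    (overload) is kept: a /24 LAN has far more hosts than 6 pool addresses.
ip nat pool ISP1-POOL 45.222.48.17 45.222.48.22 prefix-length 29
ip nat pool ISP2-POOL 45.222.48.25 45.222.48.30 prefix-length 29
route-map ISP1-NAT permit 10
 match ip address 10
 match interface Serial0
route-map ISP2-NAT permit 10
 match ip address 11
 match interface Serial1
ip nat inside source route-map ISP1-NAT pool ISP1-POOL overload
ip nat inside source route-map ISP2-NAT pool ISP2-POOL overload
```

Check the result with `show track`, `show route-map` (match counters on LAN-PBR) and `show ip nat translations`: translations for even hosts should carry 45.222.48.17-22 and odd hosts 45.222.48.25-30.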

falkaabi
Level 1

Hi, can someone help me with an example of configuring a 1720 router with a single Ethernet port, for two internal subnets with NAT to access the internet and two WAN links to the same ISP?

I believe what pravinxyz was trying to say is that your NAT Pool line should look something like this:

ip nat pool NET-POOL2 45.222.48.16 45.222.48.31 prefix-length 29

The IP address length is too big in your statement.