cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1868
Views
0
Helpful
6
Replies

NAT on ASA with Branch location ip

vinodk_gupta
Level 1
Level 1

Hi,

our branch Location is connected with Head office via two different ISP. one is Reliance Leased line link & second is MPLS link. By default primary link is MPLS & incase MPLS goes down then Leased line link will be use as a backup.we have internet link at Head office only & our LAN is behind the ASA.There is no any default route towards ASA from any HO router.

I want to static NAT of one ip from Branch location (172.26.48.191) with public ip address on Cisco ASA & its traffic is to & fro via leased line link.


Let suppose Head office LAN segment is 172.26.4.0/22
Branch location LAN Segment is 172.26.48.0/22
Cisco ASA inside ip address is 172.26.4.203/22
T56 is MPLS Link between Head office to Branch Location
Multilink is bundle of two leased line link between Head office to Branch Location

Configuration:

Head office router config:

ip route 172.26.48.0 255.255.252.0 T56  
ip route 172.26.48.0 255.255.252.0 Multilink1 100

access-list 108 permit ip host 172.26.48.191 any

route-map LABMATE permit 30
match ip address 108
set ip next-hop 172.26.4.203

interface GigabitEthernet0/0
ip address 172.26.4.48 255.255.252.0
ip policy route-map LABMATE
duplex full
speed auto
media-type rj45
no cdp enable


Head Office ASA config:

route inside 172.26.48.191 255.255.255.255 172.26.4.48 1
static (inside,outside) 116.214.24.20 172.26.48.191 netmask 255.255.255.255
access-list 100 extended permit tcp any host 116.214.24.20 eq 3389

Branch Location router configuration:


interface Multilink1
description **** Reliance 4 Mbps Aggregated To KCO ****
bandwidth 4096
ip address 172.26.0.14 255.255.255.252
ppp multilink
ppp multilink group 1

ip route 0.0.0.0 0.0.0.0 Tunnel56
ip route 0.0.0.0 0.0.0.0 Multilink1 100

access-list 108 permit ip host 172.26.48.191 any

route-map LABMATE permit 20
match ip address 108
set ip next-hop 172.26.0.13

interface FastEthernet0/0
ip address 172.26.48.1 255.255.252.0
ip policy route-map LABMATE
duplex auto
speed auto

After doing this configuration, when i trace any public ip address from branch location, our packet came via multilink1 & landing at Head office routerbut not going toward cisco ASA.while we can ping ASA inside ip from branch location.

whats going wrong, i could not understand. please help us.

2 Accepted Solutions

Accepted Solutions

ok to enable that you have two options:

1. Add one statement above your current PBR ACL

access-list 108 deny ip host 172.26.48.191 172.26.4.0 0.0.3.255

access-list 108 permit ip host 172.26.48.191 any

or

2. Modify the PBR route-map and use "set ip default next-hop" instead of "set ip next-hop". Keep the original ACL if you use this option

route-map LABMATE permit 30

match ip address 108

set ip default next-hop 172.26.4.203

This should make things work for you.

Neeraj

View solution in original post

well for failover use the following route on the HO side:

ip route 172.26.48.191 255.255.255.255 T56 100

and on Tunnel 56, I already suggested you to use the PBR command "ip policy route-map LABMATE". so these two commands should enable failover as well for that one host

I am not sure about how your internet users are accessing the proxy as it was not mentioned earlier and "PBR_LABMATE" is a new route-map which was no there in the original config.

View solution in original post

6 Replies 6

Neeraj Arora
Level 3
Level 3

Vinod,

PBR (ip policy route-map) command is always configured on an interface where the traffic will enter the device and after understanding your topology and packet flow, as per me the traffic from server 172.26.48.191 will enter the interface FastEthernet0/0 on the branch router (you have configured PBR correctly), then it leaves through Multilink interface and enters HO router through Multilink interface and then should leave through GigabitEthernet0/0 interface towards the ASA.

Now on this HeadOffice router, you need to put the "ip policy route-map LABMATE" command on the multilink interface (and on the Tunnel interface for failover) as this is where the packet will actually enter the router and Policy Based routing can happen for this.

for Return traffic towards this server 172.26.48.191, you should configure a host static route pointing towards Multilink1 as the preferred link

So as per me this is the config that should be there of HeadOffice router:

ip route 172.26.48.191 255.255.255.255 Multilink1

interface Multilink1

ip policy route-map LABMATE

interface tunnel56

ip policy route-map LABMATE

interface gig0/0

no ip policy route-map LABMATE

Hope this helps.

Neeraj

Hi, neeraj

Thanks a lot.

Now its working as per your suggestion but facing one problem after applying this policy.

Problem : we are unable to ping 172.26.4.0/22 LAN subnet from 172.26.48.191 machine. we require this facility also.

please helpus what should i do additionally.

Rehards

Vinod Gupta

09810966625

ok to enable that you have two options:

1. Add one statement above your current PBR ACL

access-list 108 deny ip host 172.26.48.191 172.26.4.0 0.0.3.255

access-list 108 permit ip host 172.26.48.191 any

or

2. Modify the PBR route-map and use "set ip default next-hop" instead of "set ip next-hop". Keep the original ACL if you use this option

route-map LABMATE permit 30

match ip address 108

set ip default next-hop 172.26.4.203

This should make things work for you.

Neeraj

Hi Neeraj,

Thank you very much our problem has been resolved.

For redundancy purpose, lets suppose our multilink got down , then in this case we need to put following steps

AT HO end router:

ip route 172.26.48.191 255.255.255.255 T56

int t56

ip policy route-map PBR_LABMATE

In this condition , i seems that every users can reach internet directly where as we have policy that every users can access internet through microsoft ISA proxy..

Is there any way to control this issue.

well for failover use the following route on the HO side:

ip route 172.26.48.191 255.255.255.255 T56 100

and on Tunnel 56, I already suggested you to use the PBR command "ip policy route-map LABMATE". so these two commands should enable failover as well for that one host

I am not sure about how your internet users are accessing the proxy as it was not mentioned earlier and "PBR_LABMATE" is a new route-map which was no there in the original config.

Hi Neeraj,

Thank, I am getting fallback also. Now my problem has been comletly resolved.

once again thanks for your support.

Regards

vinod Gupta

Review Cisco Networking for a $25 gift card