09-22-2023 03:53 AM - last edited on 09-26-2023 11:46 PM by Translator
Hi!
I have a task that is difficult for me.
I need to configure NAT for three different connections.
We have 3 communication channels with our partner:
interface Port-channel1.10
description PARTNER_CONNECT1
encapsulation dot1Q 10
ip address 10.10.0.2 255.255.255.248
ip nat outside
interface Port-channel1.11
description PARTNER_CONNECT2
encapsulation dot1Q 11
ip address 10.11.0.2 255.255.255.248
ip nat outside
interface Port-channel1.12
description PARTNER_CONNECT3
encapsulation dot1Q 12
ip address 10.12.0.2 255.255.255.248
ip nat outside
#LocalNet
interface Port-channel1.5
encapsulation dot1Q 5
ip address 192.168.10.1 255.255.255.0
ip nat inside
I build routes depending on the track:
track 10 ip sla 10 reachability
ip sla 10
icmp-echo 10.10.0.1 source-ip 10.10.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 10 life forever start-time now
----------------
track 11 ip sla 11 reachability
ip sla 11
icmp-echo 10.11.0.1 source-ip 10.11.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 11 life forever start-time now
----------------
track 12 ip sla 12 reachability
ip sla 12
icmp-echo 10.12.0.1 source-ip 10.12.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 12 life forever start-time now
The partner network I need access to:
ip route 10.100.0.0 255.255.0.0 10.10.0.1 track 10
ip route 10.100.0.0 255.255.0.0 10.11.0.1 10 track 11
ip route 10.100.0.0 255.255.0.0 10.12.0.1 20 track 12
I need to NAT my addresses depending on the ip sla track, through 10.10.0.1, 10.11.0.1 or 10.12.0.1:
ip access-list extended acl-to-partner
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source list acl-to-partner pool pool-partn1 overload
While we only had one connection, everything worked great, but now there are 3 of them (only 1 channel should be used at a time) and it is necessary to change the NAT rules depending on the track.
It seems that this can be done via route-map, but it didn't work for me.
Has anyone encountered a similar problem?
09-26-2023 10:05 PM - last edited on 09-27-2023 12:10 AM by Translator
Thanks a lot, everyone!
Your advice helped me a lot, thanks to which I understood how it all works)
In the end, I solved the problem.
I did it using route maps, but instead of matching the track, I matched the interface.
Everything works as I need it: when interfaces are turned off, the pool changes according to the track.
interface Port-channel1.10
description PARTNER_CONNECT1
encapsulation dot1Q 10
ip address 10.10.0.2 255.255.255.248
ip nat outside
interface Port-channel1.11
description PARTNER_CONNECT2
encapsulation dot1Q 11
ip address 10.11.0.2 255.255.255.248
ip nat outside
interface Port-channel1.12
description PARTNER_CONNECT3
encapsulation dot1Q 12
ip address 10.12.0.2 255.255.255.248
ip nat outside
#LocalNet
interface Port-channel1.5
encapsulation dot1Q 5
ip address 192.168.10.1 255.255.255.0
ip nat inside
track 10 ip sla 10 reachability
track 11 ip sla 11 reachability
track 12 ip sla 12 reachability
ip sla 10
icmp-echo 10.10.0.1 source-ip 10.10.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 10 life forever start-time now
ip sla 11
icmp-echo 10.11.0.1 source-ip 10.11.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 11 life forever start-time now
ip sla 12
icmp-echo 10.12.0.1 source-ip 10.12.0.2
threshold 75
timeout 100
frequency 1
ip sla schedule 12 life forever start-time now
ip route 10.100.0.0 255.255.0.0 10.10.0.1 track 10
ip route 10.100.0.0 255.255.0.0 10.11.0.1 10 track 11
ip route 10.100.0.0 255.255.0.0 10.12.0.1 20 track 12
ip access-list extended acl-to-partner
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
route-map to-Partner1 permit 10
match ip address acl-to-partner
match interface Port-channel1.10
route-map to-Partner2 permit 10
match ip address acl-to-partner
match interface Port-channel1.11
route-map to-Partner3 permit 10
match ip address acl-to-partner
match interface Port-channel1.12
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source route-map to-Partner1 pool pool-partn1 overload
ip nat inside source route-map to-Partner2 pool pool-partn2 overload
ip nat inside source route-map to-Partner3 pool pool-partn3 overload
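To make the difference between the two route-map styles discussed in this thread visible, here is a small model of the selection logic, added as an illustration for this page; it is not Cisco IOS code and not the poster's configuration. It assumes the rules the design relies on: a tracked static route stays installed only while its track is up, the installed route with the lowest administrative distance is used, `match track N` succeeds whenever track N is up, `match interface X` succeeds only when the packet's egress interface is X, and NAT rules are evaluated in configuration order with the first match winning. Interface, pool and track names are the ones from the thread.

```python
"""Model of the failover selection logic behind the accepted solution.

Added illustration for this thread, not Cisco IOS code: it reproduces only the
decision rules (tracked static routes, administrative distance, first-match NAT
rules) so the behaviour of `match track` versus `match interface` in the NAT
route-maps can be compared for each failure case.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    egress: str
    distance: int  # administrative distance; the lowest installed route wins
    track: int


# The three floating static routes toward 10.100.0.0/16 (AD 1, 10 and 20).
ROUTES = [
    StaticRoute("10.10.0.1", "Port-channel1.10", 1, 10),
    StaticRoute("10.11.0.1", "Port-channel1.11", 10, 11),
    StaticRoute("10.12.0.1", "Port-channel1.12", 20, 12),
]

# NAT rules in configuration order: (pool, track it would match, interface it would match).
NAT_RULES = [
    ("pool-partn1", 10, "Port-channel1.10"),
    ("pool-partn2", 11, "Port-channel1.11"),
    ("pool-partn3", 12, "Port-channel1.12"),
]


def active_route(track_up: Dict[int, bool]) -> Optional[StaticRoute]:
    """Routes whose track is down are withdrawn; among the rest the lowest AD wins."""
    installed = [r for r in ROUTES if track_up.get(r.track, False)]
    return min(installed, key=lambda r: r.distance, default=None)


def matching_rules(track_up: Dict[int, bool], mode: str) -> List[str]:
    """Return the pools of every NAT rule whose route-map matches, in rule order.

    mode == "track":     `match track N` succeeds whenever track N is up, so
                         several rules can match at the same time.
    mode == "interface": `match interface X` succeeds only when the egress
                         interface chosen by routing is X, so at most one matches.
    """
    route = active_route(track_up)
    matches = []
    for pool, track, iface in NAT_RULES:
        if mode == "track" and track_up.get(track, False):
            matches.append(pool)
        elif mode == "interface" and route is not None and route.egress == iface:
            matches.append(pool)
    return matches


def selected_pool(track_up: Dict[int, bool], mode: str) -> Optional[str]:
    """First matching rule wins; None means the traffic would not be translated."""
    matches = matching_rules(track_up, mode)
    return matches[0] if matches else None


if __name__ == "__main__":
    scenarios = {
        "all channels up": {10: True, 11: True, 12: True},
        "channel 1 down": {10: False, 11: True, 12: True},
        "channels 1 and 2 down": {10: False, 11: False, 12: True},
        "all channels down": {10: False, 11: False, 12: False},
    }
    for name, state in scenarios.items():
        route = active_route(state)
        egress = route.egress if route else "no route"
        print(f"{name:22s} egress={egress:17s} "
              f"by track={matching_rules(state, 'track')} "
              f"by interface={matching_rules(state, 'interface')}")
```

The point the model makes: with `match track`, all three route-maps match while all channels are healthy and only rule ordering decides the pool, whereas `match interface` reuses the routing decision the tracked static routes already make, so exactly one rule matches for any combination of track states. The model does not cover translations that already exist when a failover happens; those persist until they time out or are cleared.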
09-22-2023 04:23 AM - last edited on 09-26-2023 11:54 PM by Translator
Hello @maxnetstat,
You can use a route-map and a few additional NAT configuration commands.
--Create route-maps to match the state of the IP SLA tracks and then apply the appropriate NAT pool based on the track's state:
ip access-list extended acl-partner1
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
ip access-list extended acl-partner2
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
ip access-list extended acl-partner3
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
route-map partner-nat1 permit 10
match ip address acl-partner1
match track 10
route-map partner-nat2 permit 10
match ip address acl-partner2
match track 11
route-map partner-nat3 permit 10
match ip address acl-partner3
match track 12
--Apply the route-maps to your NAT configuration:
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source route-map partner-nat1 pool pool-partn1 overload
ip nat inside source route-map partner-nat2 pool pool-partn2 overload
ip nat inside source route-map partner-nat3 pool pool-partn3 overload
Your router should now dynamically select the appropriate NAT pool based on the state of the IP SLA tracks. If one track is up (e.g., track 10), the corresponding NAT pool (pool-partn1) will be used for NAT translations. If another track is up (e.g., track 11), pool-partn2 will be used, and so on.
09-22-2023 05:37 AM - last edited on 09-26-2023 11:55 PM by Translator
My knowledge is not enough, but I would like to clarify: will this configuration not work with one ACL?
ip access-list extended acl-partner
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
permit ip host 192.168.10.20 any
permit ip host 192.168.10.31 any
permit ip host 192.168.10.42 any
permit ip host 192.168.10.75 any
permit ip host 192.168.10.87 any
permit ip host 192.168.10.92 any
route-map partner-nat1 permit 10
match ip address acl-partner
match track 10
route-map partner-nat2 permit 10
match ip address acl-partner
match track 11
route-map partner-nat3 permit 10
match ip address acl-partner
match track 12
09-22-2023 06:00 AM
Yes it is, @maxnetstat; that was just to split up the explanation.
09-24-2023 11:18 AM
Sorry it took so long to answer!
Your solution is very similar to what I need.
Now I'm trying to reproduce this in EVE-NG, but so far NAT switching is not happening.
Perhaps I made a mistake somewhere. I'll post when I'm done.
Thanks for the help!
09-22-2023 05:28 AM - last edited on 09-27-2023 12:04 AM by Translator
Hello, I created a lab for you simulating your design. The config follows:
LAN-SIDE
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 ip sla 3 reachability
!
!
interface Loopback1
no shutdown
description LAN_SIDE
ip address 192.168.10.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Loopback2
no shutdown
ip address 192.168.10.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
no shutdown
ip address 10.10.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
no shutdown
ip address 10.10.10.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/2
no shutdown
ip address 10.10.10.9 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source route-map part1 pool pool-partn1 overload
ip nat inside source route-map part2 pool pool-partn2 overload
ip nat inside source route-map part3 pool pool-partn3 overload
ip route 10.100.0.0 255.255.0.0 10.10.10.2 name R2 track 1
ip route 10.100.0.0 255.255.0.0 10.10.10.6 5 name R3 track 2
ip route 10.100.0.0 255.255.0.0 10.10.10.10 10 name R4 track 3
!
ip access-list extended acl-partner1
permit ip host 192.168.10.1 any
ip access-list extended acl-partner2
permit ip host 192.168.10.2 any
ip access-list extended acl-partner3
permit ip host 192.168.10.3 any
!
ip sla 1
icmp-echo 10.10.10.2 source-ip 10.10.10.1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.10.10.6 source-ip 10.10.10.5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 10.10.10.10 source-ip 10.10.10.9
ip sla schedule 3 life forever start-time now
!
route-map part3 permit 10
match ip address acl-partner3
match track 3
!
route-map part2 permit 10
match ip address acl-partner2
match track 2
!
route-map part1 permit 10
match ip address acl-partner1
match track 1
!
R2:
interface Ethernet0/0
no shutdown
ip address 10.10.10.2 255.255.255.252
shutdown
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.2 255.255.255.252
shutdown
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.10.0.0 255.255.0.0 10.10.10.1 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.1 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.1 name LAN-SIDE
!
R3:
interface Ethernet0/0
no shutdown
ip address 10.10.10.6 255.255.255.252
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.6 255.255.255.252
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.11.0.0 255.255.0.0 10.10.10.5 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.5 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.5 name LAN-SIDE
R4:
interface Ethernet0/0
no shutdown
ip address 10.10.10.10 255.255.255.252
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.10 255.255.255.252
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.12.0.0 255.255.0.0 10.10.10.9 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.9 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.9 name LAN-SIDE
PARTNER:
interface Loopback1
no shutdown
description PARTNER
ip address 10.100.0.1 255.255.0.0
!
interface Ethernet0/0
no shutdown
ip address 10.10.11.1 255.255.255.252
shutdown
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.5 255.255.255.252
!
interface Ethernet0/2
no shutdown
ip address 10.10.11.9 255.255.255.252
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.11.2 name R2
ip route 0.0.0.0 0.0.0.0 10.10.11.6 5 name R3
ip route 0.0.0.0 0.0.0.0 10.10.11.10 10 name R4
Everything works automatically according to the ip sla.
09-22-2023 05:42 AM - last edited on 09-27-2023 12:06 AM by Translator
Hello, I created your design in a lab. The configuration follows:
LAN-SIDE
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 ip sla 3 reachability
!
!
!
!
interface Loopback1
no shutdown
description LAN_SIDE
ip address 192.168.10.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Loopback2
no shutdown
ip address 192.168.10.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
no shutdown
ip address 10.10.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
no shutdown
ip address 10.10.10.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/2
no shutdown
ip address 10.10.10.9 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source route-map part1 pool pool-partn1 overload
ip nat inside source route-map part2 pool pool-partn2 overload
ip nat inside source route-map part3 pool pool-partn3 overload
ip route 10.100.0.0 255.255.0.0 10.10.10.2 name R2 track 1
ip route 10.100.0.0 255.255.0.0 10.10.10.6 5 name R3 track 2
ip route 10.100.0.0 255.255.0.0 10.10.10.10 10 name R4 track 3
!
ip access-list extended acl-partner1
permit ip host 192.168.10.1 any
ip access-list extended acl-partner2
permit ip host 192.168.10.2 any
ip access-list extended acl-partner3
permit ip host 192.168.10.3 any
!
ip sla 1
icmp-echo 10.10.10.2 source-ip 10.10.10.1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.10.10.6 source-ip 10.10.10.5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 10.10.10.10 source-ip 10.10.10.9
ip sla schedule 3 life forever start-time now
!
route-map part3 permit 10
match ip address acl-partner3
match track 3
!
route-map part2 permit 10
match ip address acl-partner2
match track 2
!
route-map part1 permit 10
match ip address acl-partner1
match track 1
!
R2
interface Ethernet0/0
no shutdown
ip address 10.10.10.2 255.255.255.252
shutdown
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.2 255.255.255.252
shutdown
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.10.0.0 255.255.0.0 10.10.10.1 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.1 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.1 name LAN-SIDE
!
R3
interface Ethernet0/0
no shutdown
ip address 10.10.10.6 255.255.255.252
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.6 255.255.255.252
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.11.0.0 255.255.0.0 10.10.10.5 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.5 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.5 name LAN-SIDE
!
R4
interface Ethernet0/0
no shutdown
ip address 10.10.10.10 255.255.255.252
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.10 255.255.255.252
!
interface Ethernet0/2
no shutdown
no ip address
shutdown
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.10.0.0 255.255.0.0 10.10.10.9 name NATPOOL
ip route 10.12.0.0 255.255.0.0 10.10.10.9 name NATPOOL
ip route 10.100.0.0 255.255.0.0 10.10.11.9 name PARTNER
ip route 192.168.10.0 255.255.255.0 10.10.10.9 name LAN-SIDE
PARTNER
!
interface Loopback1
no shutdown
description PARTNER
ip address 10.100.0.1 255.255.0.0
!
interface Ethernet0/0
no shutdown
ip address 10.10.11.1 255.255.255.252
shutdown
!
interface Ethernet0/1
no shutdown
ip address 10.10.11.5 255.255.255.252
!
interface Ethernet0/2
no shutdown
ip address 10.10.11.9 255.255.255.252
!
interface Ethernet0/3
no shutdown
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.11.2 name R2
ip route 0.0.0.0 0.0.0.0 10.10.11.6 5 name R3
ip route 0.0.0.0 0.0.0.0 10.10.11.10 10 name R4
[Screenshots in the original post: TESTING SLA 1, TESTING SLA 2]
09-24-2023 11:16 AM - last edited on 09-27-2023 12:32 AM by Translator
Hi, sorry I haven't checked in for a long time!
You did a good job!
Thanks for the help!
But there is a nuance...
ip access-list extended acl-partner1
permit ip host 192.168.10.1 any
ip access-list extended acl-partner2
permit ip host 192.168.10.2 any
ip access-list extended acl-partner3
permit ip host 192.168.10.3 any
I have one ACL.
And the networks from it need to be connected through different IP addresses depending on the track.
If all channels are alive (10.10, 10.11, 10.12), then NAT occurs through 10.10.0.3 10.10.0.6; if channel 10.10 is down, then NAT is through the pool 10.11.0.3 10.11.0.6; and if this channel is down, then NAT is through 10.12.0.3 10.12.0.6.
I don't have a goal to use all channels at the same time or balance the load.
All users must work through only one channel at a time, depending on the track.
09-24-2023 12:01 PM
I sent you a message, check it.
09-25-2023 02:14 AM - last edited on 09-27-2023 12:23 AM by Translator
I did this in two ways, which were recommended to me here.
1. Without a route map:
ip access-list extended acl-to-partner1
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
ip access-list extended acl-to-partner2
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
ip access-list extended acl-to-partner3
permit ip host 192.168.10.10 any
permit ip host 192.168.10.11 any
permit ip host 192.168.10.12 any
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source list acl-to-partner1 pool pool-partn1 overload
ip nat inside source list acl-to-partner2 pool pool-partn2 overload
ip nat inside source list acl-to-partner3 pool pool-partn3 overload
The track is configured correctly, routes switch as expected:
ip route 10.100.0.0 255.255.0.0 10.10.0.1 track 10
ip route 10.100.0.0 255.255.0.0 10.11.0.1 10 track 11
ip route 10.100.0.0 255.255.0.0 10.12.0.1 20 track 12
2. Using route-map:
ip nat pool pool-partn1 10.10.0.3 10.10.0.6 netmask 255.255.255.0
ip nat pool pool-partn2 10.11.0.3 10.11.0.6 netmask 255.255.255.0
ip nat pool pool-partn3 10.12.0.3 10.12.0.6 netmask 255.255.255.0
ip nat inside source route-map partner-nat1 pool pool-partn1 overload
ip nat inside source route-map partner-nat2 pool pool-partn2 overload
ip nat inside source route-map partner-nat3 pool pool-partn3 overload
route-map partner-nat1 permit 10
match ip address acl-to-partner1
match track 10
!
route-map partner-nat2 permit 10
match ip address acl-to-partner2
match track 11
!
route-map partner-nat3 permit 10
match ip address acl-to-partner3
match track 12
Neither the first nor the second option changes the address pool.
When I turn off channels one at a time, the route changes (respectively the track), but the pool does not change:
MyRouter1#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.10.0.3:33826 192.168.10.10:33826 10.100.0.5:33826 10.100.0.5:33826
create: 09/25/23 08:39:47, use: 09/25/23 08:39:51, timeout: 00:00:59
RuleID : 7
Flags: unknown
ALG Application Type: NA
WLAN-Flags: unknown
Mac-Address: 0000.0000.0000 Input-IDB: Port-channel1.5
VRF: Parnter, entry-id: 0xe943d900, use_count:1
In_pkts: 5 In_bytes: 320, Out_pkts: 0 Out_bytes: 0
Output-IDB: Port-channel1.10
MyRouter#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.10.0.3:19729 192.168.10.10:19729 10.100.0.5:19729 10.100.0.5:19729
create: 09/25/23 08:42:31, use: 09/25/23 08:43:17, timeout: 00:00:59
RuleID : 7
Flags: unknown
ALG Application Type: NA
WLAN-Flags: unknown
Mac-Address: 0000.0000.0000 Input-IDB: Port-channel1.5
VRF: Parnter, entry-id: 0xe943d900, use_count:1
In_pkts: 5 In_bytes: 320, Out_pkts: 0 Out_bytes: 0
Output-IDB: Port-channel1.11
Either I'm wrong in the setup, or this is not a working solution in the first place.
Now I'm looking towards the "event manager applet", but it seems to me that it's very easy to ruin everything there:
event manager applet EVENT_NAT
event track 10 state down
action 10 cli command "enable"
action 20 cli command "conf t"
action 30 cli command "do clear ip nat translation forced"
action 40 cli command "no ip nat inside source route-map partner-nat1 pool pool-partn1 overload"
action 50 cli command "ip nat inside source route-map partner-nat2 pool pool-partn2 overload"
action 60 cli command "exit"
action 70 cli command "exit"
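The `show ip nat translations verbose` output in the post above is the evidence a practitioner wants after a failover test: each entry records the inside global address it was built with and the interface it now leaves on (Output-IDB). The following script, added for this page and not Cisco code or the poster's own tooling, parses that output and reports entries whose inside global address is not drawn from the pool belonging to the egress interface, i.e. translations created before the failover that have not been cleared. The sample text is an abridged copy of the two outputs pasted in the thread; the pool ranges and the pool-to-interface mapping are taken from the poster's configuration.

```python
"""Consistency check over `show ip nat translations verbose` output.

Added example for this thread, not Cisco code: it pairs every translation's
inside global address with the pool that serves its Output-IDB and flags the
mismatches, which are translations that survived a channel failover.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# pool name -> (first address, last address, outside interface the pool is used on);
# values from the poster's configuration.
POOLS = {
    "pool-partn1": ("10.10.0.3", "10.10.0.6", "Port-channel1.10"),
    "pool-partn2": ("10.11.0.3", "10.11.0.6", "Port-channel1.11"),
    "pool-partn3": ("10.12.0.3", "10.12.0.6", "Port-channel1.12"),
}

# Abridged copy of the two outputs pasted in the thread (sample input).
SAMPLE_OUTPUT = """\
MyRouter1#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.10.0.3:33826 192.168.10.10:33826 10.100.0.5:33826 10.100.0.5:33826
create: 09/25/23 08:39:47, use: 09/25/23 08:39:51, timeout: 00:00:59
RuleID : 7
Mac-Address: 0000.0000.0000 Input-IDB: Port-channel1.5
Output-IDB: Port-channel1.10
MyRouter#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.10.0.3:19729 192.168.10.10:19729 10.100.0.5:19729 10.100.0.5:19729
create: 09/25/23 08:42:31, use: 09/25/23 08:43:17, timeout: 00:00:59
RuleID : 7
Mac-Address: 0000.0000.0000 Input-IDB: Port-channel1.5
Output-IDB: Port-channel1.11
"""

# A translation line starts with a lowercase protocol name followed by two addr:port pairs.
ENTRY_RE = re.compile(r"^(?P<proto>[a-z]+)\s+(?P<ig>[\d.]+):\d+\s+(?P<il>[\d.]+):\d+\s+")
RULE_RE = re.compile(r"RuleID\s*:\s*(\d+)")
OUTPUT_RE = re.compile(r"Output-IDB:\s*(\S+)")


def parse_translations(text: str) -> List[Dict[str, Optional[str]]]:
    """Group the verbose output into one dict per translation entry."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"proto": m["proto"], "inside_global": m["ig"],
                       "inside_local": m["il"], "rule_id": None, "output_idb": None}
            entries.append(current)
            continue
        if current is None:
            continue  # prompt and column-header lines before the first entry
        r = RULE_RE.search(line)
        if r:
            current["rule_id"] = int(r.group(1))
        o = OUTPUT_RE.search(line)
        if o:
            current["output_idb"] = o.group(1)
    return entries


def pool_of(address: str) -> Optional[str]:
    """Name of the pool whose range contains the address, or None."""
    ip = ipaddress.ip_address(address)
    for name, (first, last, _iface) in POOLS.items():
        if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return name
    return None


def expected_pool(output_idb: Optional[str]) -> Optional[str]:
    """Pool that should be used for traffic leaving on the given interface."""
    for name, (_first, _last, iface) in POOLS.items():
        if iface == output_idb:
            return name
    return None


def find_stale_translations(text: str) -> List[Dict[str, Optional[str]]]:
    """Entries whose inside global address is not from the pool tied to their Output-IDB."""
    stale = []
    for e in parse_translations(text):
        actual = pool_of(e["inside_global"])
        wanted = expected_pool(e["output_idb"])
        if actual != wanted:
            stale.append({**e, "actual_pool": actual, "expected_pool": wanted})
    return stale


if __name__ == "__main__":
    for s in find_stale_translations(SAMPLE_OUTPUT):
        print(f"{s['inside_local']} -> {s['inside_global']} leaves via {s['output_idb']} "
              f"using {s['actual_pool']}, but that interface is served by "
              f"{s['expected_pool']} (RuleID {s['rule_id']})")
```

On the sample, the first capture is consistent (pool-partn1 on Port-channel1.10) and the second is flagged: the same entry, still built from 10.10.0.3 under RuleID 7, now leaves on Port-channel1.11. Run against a fresh capture after each failover test, the check confirms whether a pool change is really in effect for new flows and whether any old entries still need to be cleared (the thread's EEM draft uses `clear ip nat translation forced` for exactly that).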
09-26-2023 10:09 PM
Great @maxnetstat !
Thanks for your feedback.