NAT with multiple outside interfaces

jeradandrews
Level 1

I'm making preparations to add connectivity to a second ISP, which will result in BGP4 peering with two ISPs. Our edge router also serves as a NAT device, translating various addresses to a public Class C we own, which will be advertised out both connections. The second connection will result in two NAT Outside interfaces on the router. If the source/translated addresses remain the same regardless of which connection handles the traffic, is anything special needed in the NAT configuration other than specifying the interface connected to the second ISP as an additional NAT Outside?

I've attached a diagram of what we'll be doing.



Hello,

typically in your situation, you will need two route maps and two access lists. The route maps should match the access lists and the outgoing interface. Example:

! Each route-map matches the traffic (ACL) and the outgoing interface
route-map ISP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0
!
route-map ISP_2 permit 10
 match ip address 102
 match interface GigabitEthernet0/1
!
! Inside source network (172.16.1.0/24); x.x.x.x x.x.x.x = destination/wildcard to fill in
access-list 101 permit ip 172.16.1.0 0.0.0.255 x.x.x.x x.x.x.x
access-list 102 permit ip 172.16.1.0 0.0.0.255 x.x.x.x x.x.x.x

Can you post the config of your router ? We can then finetune it...

Here is an example of my NAT config. As you can see, it's quite simple. I'm not translating the entire network behind the router, only specific hosts.

interface GigabitEthernet0/0
 description Outside - ISP1
 ip address 172.16.2.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Inside
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
! Not yet configured
interface GigabitEthernet0/2
 description Outside - ISP2
 ip address 172.16.3.1 255.255.255.0
 ip nat outside
!

ip nat inside source static network 172.16.1.Y 198.x.x.Y /32
ip nat inside source static network 172.16.1.Z 198.x.x.Z /32

Hello,

you still need two route maps with access lists that match the traffic that needs to be translated:

! Host entries use the "host" keyword (the /32 equivalent); a 0.0.0.255 wildcard on a
! host address would match the whole /24 and make lists 101 and 102 identical
access-list 101 permit ip host 172.16.1.Y host 198.x.x.Y
access-list 101 permit ip host 172.16.1.Z host 198.x.x.Z
access-list 102 permit ip host 172.16.1.Y host 198.x.x.Y
access-list 102 permit ip host 172.16.1.Z host 198.x.x.Z
!
route-map ISP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0
!
route-map ISP_2 permit 10
 match ip address 102
 match interface GigabitEthernet0/2
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/2 overload

Thank you. I should clarify: I'm not looking to translate hosts to the outside interface IP based on flow; I'm explicitly (statically) translating hosts behind the router to addresses from our Class C. For example, host 172.16.1.10 will translate to 198.x.x.10 regardless of which outside interface handles the traffic. No hosts/networks will translate to the interface addresses.

Accepted Solution

Hello,

sorry for my confusion...

The below configuration ensures failover for your static NAT entries. I am not sure you can do load balancing for static NAT, since you cannot divide a static NAT entry into different pools (obviously).

route-map ISP1_STATIC permit 10
 match interface GigabitEthernet0/0
!
route-map ISP2_STATIC permit 10
 match interface GigabitEthernet0/2
!
ip nat inside source static 172.16.1.Y 198.x.x.Y route-map ISP1_STATIC
ip nat inside source static 172.16.1.Z 198.x.x.Z route-map ISP2_STATIC
!
! y.y.y.y = next hop of ISP1, z.z.z.z = next hop of ISP2
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip route 0.0.0.0 0.0.0.0 z.z.z.z 10

The second default route has an administrative distance of 10, hence will become active when the first route fails.

Hello

Just to add to gpauwen's suggestion:

I would advise adding some SLA tracking to those statics; otherwise, if the ISPs have a failure within their own environment, you would be black-holing your own traffic, as the next hop would (or could) still be available.


Kind Regards
Paul
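To tie the accepted solution and the SLA suggestion above together, here is an added example config (written for this page, not posted by anyone in the thread). It keeps the two static default routes from the accepted answer and binds the ISP1 default to an IP SLA reachability track, so the route is withdrawn when a target beyond the ISP1 next hop stops answering even though the next hop itself is still up. Because the original post states that the translated address is the same on both links, the static entries are written without an interface route-map; a plain "ip nat inside source static" entry applies on every interface marked "ip nat outside", and the route-map form is only needed when a host must get a different global address per ISP. The placeholders y.y.y.y / z.z.z.z (ISP next hops), 172.16.1.Y / 198.x.x.Y (host pairs) and the interface numbers are taken from the thread; the probe target p.p.p.p (e.g. a DNS server inside ISP1's network) and the timers are assumptions.

```text
! --- NAT interface roles (from the original post) ---
interface GigabitEthernet0/0
 description Outside - ISP1
 ip nat outside
!
interface GigabitEthernet0/2
 description Outside - ISP2
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside
 ip nat inside
!
! --- Static 1:1 entries ---
! No route-map: the same global address is used on both ISPs, so the entry
! must apply whichever outside interface carries the packet.
ip nat inside source static 172.16.1.Y 198.x.x.Y
ip nat inside source static 172.16.1.Z 198.x.x.Z
!
! --- IP SLA probe towards ISP1 ---
! p.p.p.p is an assumed target BEYOND the ISP1 next hop (for example an ISP1
! resolver); probing the next hop itself would not detect a failure deeper
! inside the provider, which is exactly the black-hole case described above.
ip sla 1
 icmp-echo p.p.p.p
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object is up only while the probe gets replies. The delays dampen
! flapping: 3 missed probes before going down, a minute of good probes to
! come back. (Pre-12.4(20)T IOS uses "track 1 rtr 1 reachability".)
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to ISP1's next hop with an untracked host route.
! Without this, once the primary default is withdrawn the probe itself would
! follow the ISP2 default, start succeeding again and flap the track.
ip route p.p.p.p 255.255.255.255 y.y.y.y
!
! Primary default is installed only while track 1 is up; the AD-10 backup via
! ISP2 takes over the moment it is withdrawn, and is removed again on recovery.
ip route 0.0.0.0 0.0.0.0 y.y.y.y track 1
ip route 0.0.0.0 0.0.0.0 z.z.z.z 10
```

To verify, "show track 1" should report "Reachability is Up" and "show ip route 0.0.0.0" should show y.y.y.y; filter p.p.p.p at the ISP1 side (or null-route it on a lab peer) and after the down delay the default should flip to z.z.z.z while "show ip sla statistics 1" keeps counting failures. Static translations stay in "show ip nat translations" across the failover, so nothing needs clearing; only in-flight TCP sessions break when their return path moves. The example keeps the static-default design of the accepted answer; if the BGP sessions mentioned in the original post deliver a default route from each ISP, BGP's own withdrawal replaces the need for the tracked statics.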