08-03-2011 05:32 AM - edited 03-04-2019 01:10 PM
Hi,
I have the attached topology where we're deploying NAT and PBR to send certain traffic (defined by destination IP address) through one of the Internet links.
For some reason there are no matches on the access-list 100 rules; the only rule that matches is the "permit ip host 172.16.1.253 any".
Do you see anything wrong in this config? I've tried changing the PBR sequence and the NAT rule order, but no luck.
Also, the ASA is doing NAT for everything that comes from the LAN, so the router is only "seeing" the ASA's IP address (172.16.1.253).
Hope someone can give me a hint about this.
Thanks
08-03-2011 05:38 AM
Hi
This is because your NAT needs a route map to match the exit interface.
Please refer to this doc, which will guide you step by step on how to configure it:
https://supportforums.cisco.com/docs/DOC-8313
HTH
If helpful, rate.
08-03-2011 05:55 AM
Thank you for replying
I will try this
08-03-2011 06:09 AM
Just a question that came up...
In your example your route maps are like this:
route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1
Is that correct? I must match the same ACL on both route maps, with the exit interface being the only difference between them?
08-03-2011 06:23 AM
For the NAT configuration, yes, you should use the same ACL because you are simply specifying what traffic to NAT. Whichever ISP you send the traffic to, you are still NATting the same source IPs.
Jon
08-03-2011 06:52 AM
I think I must be missing something.
I changed my config (below) to use route maps as in marwanshawi's example, but the desired traffic is still being routed to the "main" ISP.
I also tried changing the route-map sequence and it didn't help.
Any ideas?
route-map isp1 permit 10
match ip address 10
match interface GigabitEthernet0/0
!
route-map isp2 permit 10
match ip address 10
match interface GigabitEthernet0/2
!
ip nat inside source route-map isp2 interface GigabitEthernet0/2
ip nat inside source route-map isp1 interface GigabitEthernet0/0
!
!
!
route-map pbr permit 10
match ip address 151
set ip next-hop 1.1.1.1
!
route-map pbr permit 20
match ip address 150
set ip next-hop 2.2.2.2
!
!
!
access-list 10 permit 172.16.1.253
access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip 187.16.230.224 0.0.0.15 any
access-list 151 deny ip host 172.16.1.253 host A.A.A.A
access-list 151 deny ip host 172.16.1.253 host B.B.B.B
access-list 151 deny ip host 172.16.1.253 host C.C.C.C
access-list 151 deny ip host 172.16.1.253 host D.D.D.D
access-list 151 deny ip host 172.16.1.253 host E.E.E.E
access-list 151 deny ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip host 172.16.1.252 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any
08-03-2011 06:57 AM
So you only want to NAT 172.16.1.253 ?
Have you applied the PBR route-map pbr to the LAN interface ?
Jon
08-03-2011 07:02 AM
Yes, PBR is applied to the LAN interface.
Actually, the 172.16.1.253 is an ASA 5520 connected to the router's LAN.
This ASA is NAT'ing all the LAN traffic, so this router is only "seeing" the ASA.
08-03-2011 07:06 AM
Can you post the full config?
By the way, your access-lists for the PBR route-map don't need to be as complicated as you have made them, i.e.
access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip 187.16.230.224 0.0.0.15 any
access-list 151 deny ip host 172.16.1.253 host A.A.A.A
access-list 151 deny ip host 172.16.1.253 host B.B.B.B
access-list 151 deny ip host 172.16.1.253 host C.C.C.C
access-list 151 deny ip host 172.16.1.253 host D.D.D.D
access-list 151 deny ip host 172.16.1.253 host E.E.E.E
access-list 151 deny ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip host 172.16.1.252 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any
You don't need the lines in bold because route-maps are checked in sequence. So if you have a permit for that ACL line in the first check, it won't then go on to the second check.
Jon
08-03-2011 07:23 AM
Yes, I see. I will try to summarize the ACLs as soon as I get this thing working.
Here's the config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c2911
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
!
no aaa new-model
clock timezone BRA -3 0
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
multilink bundle-name authenticated
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
bandwidth 8192
ip address 2.2.2.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description lan asa5520
ip address 172.16.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map pbr
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
bandwidth 4096
ip address 1.1.1.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map isp2 interface GigabitEthernet0/0 overload
ip nat inside source route-map isp1 interface GigabitEthernet0/2 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route A.A.A.A 255.255.240.0 2.2.2.1
ip route B.B.B.B 255.255.255.255 2.2.2.1
ip route C.C.C.C 255.255.255.255 2.2.2.1
ip route D.D.D.D 255.255.255.255 2.2.2.1
ip route E.E.E.E 255.255.255.255 2.2.2.1
ip route F.F.F.F 255.255.255.255 2.2.2.1
!
logging trap debugging
!
access-list 10 permit 172.16.1.253
access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip G.G.G.G 0.0.0.15 any
access-list 151 deny ip host 172.16.1.253 host A.A.A.A
access-list 151 deny ip host 172.16.1.253 host B.B.B.B
access-list 151 deny ip host 172.16.1.253 host C.C.C.C
access-list 151 deny ip host 172.16.1.253 host D.D.D.D
access-list 151 deny ip host 172.16.1.253 host E.E.E.E
access-list 151 deny ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any
no cdp run
route-map isp2 permit 10
match ip address 10
match interface GigabitEthernet0/0
!
route-map isp1 permit 10
match ip address 10
match interface GigabitEthernet0/2
!
route-map pbr permit 10
match ip address 150
set ip next-hop 1.1.1.1
!
route-map pbr permit 20
match ip address 151
set ip next-hop 2.2.2.1
!
route-map pbr permit 30
set default interface Null0
!
!
!
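As an added illustration of Jon's point that route-map sequences are checked in order (this is my own Python model of IOS ACL and route-map evaluation, not code from the thread or from Cisco), the pbr route-map from the full config above is replayed against a few constructed packets; the redacted A.A.A.A, B.B.B.B and F.F.F.F destinations are replaced with TEST-NET placeholders, and the second and third ISP addresses are assumed from the config. It shows that a deny in a match ACL only moves the packet on to the next sequence, and it flags which deny entries in access-list 151 can never be reached because sequence 10 already permitted that traffic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One access-list entry: action plus source/destination prefixes."""
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def ace(permit, src, dst):
    return Ace(permit, ipaddress.ip_network(src), ipaddress.ip_network(dst))

ASA = "172.16.1.253/32"
# Constructed stand-ins (TEST-NET ranges) for the redacted A.A.A.A, B.B.B.B, F.F.F.F.
ACLS = {
    150: [ace(True, ASA, "198.51.96.0/20"),    # permit ... A.A.A.A 0.0.15.255
          ace(True, ASA, "203.0.113.10/32"),   # permit ... host B.B.B.B
          ace(True, ASA, "192.0.2.7/32")],     # permit ... host F.F.F.F
    151: [ace(False, ASA, "198.51.100.1/32"),  # deny ... host A.A.A.A
          ace(False, ASA, "203.0.113.10/32"),  # deny ... host B.B.B.B
          ace(False, ASA, "192.0.0.0/20"),     # deny ... F.F.F.F 0.0.15.255
          ace(True, ASA, "0.0.0.0/0")],        # permit ip host 172.16.1.253 any
}
ROUTE_MAP_PBR = [(10, 150, "1.1.1.1"), (20, 151, "2.2.2.1")]  # (seq, match acl, next-hop)

def acl_match(acl_id, src, dst):
    """IOS ACL semantics: the first matching entry decides; implicit deny at the end."""
    for e in ACLS[acl_id]:
        if src in e.src and dst in e.dst:
            return e.permit
    return False

def pbr(src, dst):
    """(sequence, next-hop) of the first sequence whose match ACL permits the packet.
    A deny in a match ACL just means 'no match here'; evaluation moves to the next
    sequence and, if none matches, falls back to normal destination-based routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl_id, next_hop in ROUTE_MAP_PBR:
        if acl_match(acl_id, s, d):
            return seq, next_hop
    return None, None

def shadowed_denies(earlier_acl, later_acl):
    """Indexes of deny entries in later_acl that never change the outcome because a
    permit in earlier_acl (an earlier sequence) already covers every packet they describe."""
    return [i for i, e in enumerate(ACLS[later_acl])
            if not e.permit and any(p.permit and e.src.subnet_of(p.src)
                                    and e.dst.subnet_of(p.dst)
                                    for p in ACLS[earlier_acl])]
```

The "F.F.F.F 0.0.15.255" deny is not flagged because sequence 10 only permits the single host F.F.F.F, so the rest of that /20 genuinely falls through to normal routing.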
08-03-2011 07:33 AM
Thanks.
So what test are you running, presumably a traceroute? Can you do a traceroute from 172.16.1.253 to two different destinations, one via ISP1 and one via ISP2, then post the results?
Jon
08-03-2011 07:53 AM
I'm testing with a traceroute and with an SSH to one of the destinations.
With a traceroute it seems to be working, but here is what I see in the router's NAT table when I SSH to the destination host:
c2911# sh ip nat trans | include destination_ip
tcp 1.1.1.2:48679 172.16.1.253:48679 destination_ip:22 destination_ip:22
Read 1.1.1.2 as the GigabitEthernet0/2 IP address, but according to my PBR/NAT this should be NAT'ed to G0/0.
Also, when I connect to the host and check who is connected, it shows me interface G0/2's IP address. It should be going through G0/0.
08-03-2011 10:06 AM
I just figured it out.
There was a static NAT like this:
ip nat inside source static 172.16.1.253
I think it was overlapping the NAT route-map.