4915 Views, 8 Helpful, 12 Replies

NAT with PBR question

guilherme
Level 1

Hi,

I have the attached topology where we're deploying NAT and PBR to send certain traffic (defined by destination IP address) through one of the Internet links.

For some reason there are no matches on the access-list 100 rules; the only rule that matches is "permit ip host 172.16.1.253 any".

Do you see anything wrong in this config? I've tried changing the PBR sequence and the NAT rules order, but no luck.

Also, the ASA is doing NAT for everything that comes from the LAN, so the router is only "seeing" the ASA's IP address (172.16.1.253)

Hope someone can give me a hint about this

Thanks

Accepted Solution

Marwan ALshawi
VIP Alumni

Hi

This is because your NAT needs a route-map to match the exit interface.

Please refer to this doc, which will guide you step by step on how to configure it:

https://supportforums.cisco.com/docs/DOC-8313

HTH

if helpful Rate


12 Replies


Thank you for replying

I will try this

Just a question that came up...

in your example your route maps are like this:

route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1

Is that correct? Must I match the same ACL on both route maps, with the exit interface being the only difference between them?

For the NAT configuration, yes, you should use the same ACL because you are simply specifying what traffic to NAT. Whichever ISP you send the traffic to, you are still NATting the same source IPs.

Jon

I think I must be missing something.

I changed my config (below) to use route maps as in marwanshawi's example, but the desired traffic is still being routed to the "main" ISP.

I also tried changing the route-map sequence and it didn't help.

Any ideas?


route-map isp1 permit 10
match ip address 10
match interface GigabitEthernet0/0
!
route-map isp2 permit 10
match ip address 10
match interface GigabitEthernet0/2
!

ip nat inside source route-map isp2 interface GigabitEthernet0/2

ip nat inside source route-map isp1 interface GigabitEthernet0/0

!

!

!

route-map pbr permit 10
match ip address 151
set ip next-hop 1.1.1.1
!
route-map pbr permit 20
match ip address 150
set ip next-hop 2.2.2.2
!

!

!

access-list 10 permit 172.16.1.253

access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip 187.16.230.224 0.0.0.15 any

access-list 151 deny   ip host 172.16.1.253 host A.A.A.A
access-list 151 deny   ip host 172.16.1.253 host B.B.B.B
access-list 151 deny   ip host 172.16.1.253 host C.C.C.C
access-list 151 deny   ip host 172.16.1.253 host D.D.D.D
access-list 151 deny   ip host 172.16.1.253 host E.E.E.E
access-list 151 deny   ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip host 172.16.1.252 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any


So you only want to NAT 172.16.1.253?

Have you applied the PBR route-map pbr to the LAN interface?

Jon

Yes, PBR is applied to the LAN interface.

Actually, 172.16.1.253 is an ASA 5520 connected to the router's LAN.

This ASA is NAT'ing all the LAN traffic, so this router is only "seeing" the ASA.

Can you post the full config?

By the way, your access-lists for the PBR route-map don't need to be as complicated as you have made them, i.e.

access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip 187.16.230.224 0.0.0.15 any

access-list 151 deny   ip host 172.16.1.253 host A.A.A.A
access-list 151 deny   ip host 172.16.1.253 host B.B.B.B
access-list 151 deny   ip host 172.16.1.253 host C.C.C.C
access-list 151 deny   ip host 172.16.1.253 host D.D.D.D
access-list 151 deny   ip host 172.16.1.253 host E.E.E.E
access-list 151 deny   ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip host 172.16.1.252 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any

You don't need the lines in bold because route-maps are checked in sequence. So if you have a permit for that ACL line in the first check, it won't then go on to the second check.

Jon
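To make the sequence-order point concrete, here is a small Python model of IOS wildcard-mask ACL matching and sequential route-map (PBR) evaluation. It is an added example for this thread, not code from Jon, the original poster or Cisco: ACL 150/151 and route-map pbr follow the posted config, but A.A.A.A to G.G.G.G are replaced with constructed RFC 5737 documentation addresses, sequence 30 (set default interface Null0) and the NAT route-maps are not modelled, and the route-map semantics are the usual ones (first permit sequence whose ACL permits the packet wins; an ACL deny only means "not this sequence"). Running it shows that a deny in ACL 151 for a destination that sequence 10 already permits is redundant, while a deny that is wider than the matching permit in ACL 150 (the F range versus "host F") is not, because removing it changes the result for the rest of that range.

```python
"""Toy model of IOS wildcard-mask ACL matching and sequential route-map (PBR) evaluation.

Added example for this thread, not code from the thread or from Cisco. ACL 150/151 and
route-map pbr follow the config posted above; A.A.A.A ... G.G.G.G are replaced by
constructed RFC 5737 documentation addresses. Sequence 30 ('set default interface Null0')
and the NAT route-maps are deliberately not modelled.
"""
import ipaddress

# Constructed stand-ins for the anonymised addresses in the thread.
A, B, C, D, E, F, G = ("203.0.113.0", "198.51.100.11", "198.51.100.12",
                       "198.51.100.13", "198.51.100.14", "198.51.100.15", "192.0.2.16")
ASA = "172.16.1.253"  # the ASA's address on the router LAN, as in the thread

ACL_LINES_ORIGINAL = [
    f"access-list 150 permit ip host {ASA} {A} 0.0.15.255",
    f"access-list 150 permit ip host {ASA} host {B}",
    f"access-list 150 permit ip host {ASA} host {C}",
    f"access-list 150 permit ip host {ASA} host {D}",
    f"access-list 150 permit ip host {ASA} host {E}",
    f"access-list 150 permit ip host {ASA} host {F}",
    f"access-list 150 permit ip {G} 0.0.0.15 any",
    f"access-list 151 deny   ip host {ASA} host {A}",
    f"access-list 151 deny   ip host {ASA} host {B}",
    f"access-list 151 deny   ip host {ASA} host {C}",
    f"access-list 151 deny   ip host {ASA} host {D}",
    f"access-list 151 deny   ip host {ASA} host {E}",
    f"access-list 151 deny   ip host {ASA} {F} 0.0.15.255",
    f"access-list 151 permit ip host {ASA} any",
    f"access-list 151 permit ip {G} 0.0.0.15 any",
]
# Jon's suggestion: drop the deny lines from ACL 151 and rely on sequence order.
ACL_LINES_SIMPLIFIED = [l for l in ACL_LINES_ORIGINAL if " deny " not in l]

# route-map pbr: (ACL used by 'match ip address', 'set ip next-hop'), in sequence order.
PBR = [("150", "1.1.1.1"), ("151", "2.2.2.1")]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>'; 'host X' and 'any'
    are expanded to address/wildcard pairs."""
    t = line.split()
    num, action, rest = t[1], t[2], t[4:]

    def take(r):
        if r[0] == "host":
            return r[1], "0.0.0.0", r[2:]
        if r[0] == "any":
            return "0.0.0.0", "255.255.255.255", r[1:]
        return r[0], r[1], r[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, _ = take(rest)
    return num, (action, src, src_wc, dst, dst_wc)


def build_acls(lines):
    acls = {}
    for line in lines:
        num, ace = parse_ace(line)
        acls.setdefault(num, []).append(ace)
    return acls


def acl_permits(aces, src, dst):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in aces:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False


def pbr_next_hop(route_map, acls, src, dst):
    """Sequences are tried in order; the first whose ACL permits the packet wins.
    A deny entry (or no entry) in that ACL only means 'not this sequence' and
    evaluation continues. None means no sequence matched: normal routing."""
    for acl_num, next_hop in route_map:
        if acl_permits(acls[acl_num], src, dst):
            return next_hop
    return None


def compare(src, dst):
    """(next hop with the posted ACL 151, next hop with its deny lines removed)."""
    return (pbr_next_hop(PBR, build_acls(ACL_LINES_ORIGINAL), src, dst),
            pbr_next_hop(PBR, build_acls(ACL_LINES_SIMPLIFIED), src, dst))


if __name__ == "__main__":
    samples = [(ASA, B, "host B: seq 10 already catches it, the deny is redundant"),
               (ASA, "192.0.2.200", "unlisted destination: seq 20 either way"),
               (ASA, "198.51.100.20", "in F's /20 but not host F: the wide deny is NOT redundant")]
    for src, dst, note in samples:
        orig, simp = compare(src, dst)
        print(f"{src} -> {dst}: original={orig} simplified={simp}  ({note})")
```

The third sample is the caveat to keep in mind when pruning: a deny entry is only redundant when everything it covers is already permitted by an earlier sequence, so compare the scope of each deny against the matching permit before removing it.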

Yes, I see. I will try to condense the ACLs as soon as I get this thing working.

Here's the config:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c2911
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
!
no aaa new-model
clock timezone BRA -3 0
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
multilink bundle-name authenticated
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
bandwidth 8192
ip address 2.2.2.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description lan asa5520
ip address 172.16.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip policy route-map pbr
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
bandwidth 4096
ip address 1.1.1.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!

ip nat inside source route-map isp2 interface GigabitEthernet0/0 overload
ip nat inside source route-map isp1 interface GigabitEthernet0/2 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route A.A.A.A 255.255.240.0 2.2.2.1
ip route B.B.B.B 255.255.255.255 2.2.2.1
ip route C.C.C.C 255.255.255.255 2.2.2.1
ip route D.D.D.D 255.255.255.255 2.2.2.1
ip route E.E.E.E 255.255.255.255 2.2.2.1
ip route F.F.F.F 255.255.255.255 2.2.2.1
!
logging trap debugging
!
access-list 10 permit 172.16.1.253

access-list 150 permit ip host 172.16.1.253 A.A.A.A 0.0.15.255
access-list 150 permit ip host 172.16.1.253 host B.B.B.B
access-list 150 permit ip host 172.16.1.253 host C.C.C.C
access-list 150 permit ip host 172.16.1.253 host D.D.D.D
access-list 150 permit ip host 172.16.1.253 host E.E.E.E
access-list 150 permit ip host 172.16.1.253 host F.F.F.F
access-list 150 permit ip G.G.G.G 0.0.0.15 any

access-list 151 deny   ip host 172.16.1.253 host A.A.A.A
access-list 151 deny   ip host 172.16.1.253 host B.B.B.B
access-list 151 deny   ip host 172.16.1.253 host C.C.C.C
access-list 151 deny   ip host 172.16.1.253 host D.D.D.D
access-list 151 deny   ip host 172.16.1.253 host E.E.E.E
access-list 151 deny   ip host 172.16.1.253 F.F.F.F 0.0.15.255
access-list 151 permit ip host 172.16.1.253 any
access-list 151 permit ip G.G.G.G 0.0.0.15 any

no cdp run

route-map isp2 permit 10
match ip address 10
match interface GigabitEthernet0/0
!
route-map isp1 permit 10
match ip address 10
match interface GigabitEthernet0/2
!
route-map pbr permit 10
match ip address 150
set ip next-hop 1.1.1.1
!
route-map pbr permit 20
match ip address 151
set ip next-hop 2.2.2.1
!
route-map pbr permit 30
set default interface Null0
!
!
!

thanks.

So what test are you running, presumably a traceroute? Can you do a traceroute from 172.16.1.253 to two different destinations, one via ISP1 and one via ISP2, and then post the output?

Jon

I'm testing with a traceroute and with an SSH to one of the destinations.

With a traceroute it seems to be working, but here is what I see in the router's NAT table when I SSH to the destination host:

c2911# sh ip nat trans | include destination_ip

tcp 1.1.1.2:48679  172.16.1.253:48679    destination_ip:22       destionation_ip:22

Read 1.1.1.2 as the GigabitEthernet0/2 IP address, but according to my PBR/NAT this should be NAT'ed to G0/0.

Also, when I connect to the host and check who is connected, it shows me interface G0/2's IP address. It should be going through G0/0.

I just figured it out.

There was a static NAT like this:

ip nat inside source static 172.16.1.253 extendable

I think it was overlapping the NAT route-map.
