1187 Views, 0 Helpful, 3 Replies

Need help confirming my NAT statements for using Route-Maps for NAT translations with IP sla and PBR.

Michael Couture, Level 1

I am getting ready to deploy IP SLA with policy-based routing. I feel pretty confident that my IP SLA and PBR configuration is correct, although I attached their configuration to the bottom of my post. My question is with the NAT statements: as long as both interfaces are up, all traffic will flow through the Comcast connection except for TCP traffic (25, 135). Both interfaces are set so that if either should fail, all traffic will go to the interface that is up. This is where the NAT statement is confusing me: do I need two ACLs or one for this, and are my ACLs for the NAT correct? My edge is a Cisco 2921 router; this router connects to an ASA firewall on the inside of the network.

Here is my current NAT configuration on the Cisco 2921 (currently only one ISP):

ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.20.5.49 25 190.90.90.90 25 extendable
ip nat inside source static tcp 172.20.5.49 80 190.90.90.90 80 extendable
ip nat inside source static tcp 172.20.5.49 135 190.90.90.90 135 extendable
ip nat inside source static tcp 172.20.5.49 443 190.90.90.90 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 190.90.90.90 3389 extendable
route-map CAVTEL permit 10
 match interface GigabitEthernet0/1

Here is what I am thinking for the new NAT statement (with the two ISPs):

ip access-list extended CAVTEL-NAT
 permit tcp host 172.20.5.49 eq 25 host 190.90.90.90 eq 25
 permit tcp host 172.20.5.49 eq 135 host 190.90.90.90 eq 135
 permit tcp host 172.20.5.53 eq 3389 host 190.90.90.90 eq 3389
 permit tcp host 172.20.5.49 eq 80 host 190.90.90.90 eq 80
 permit tcp host 172.20.5.49 eq 443 host 190.90.90.90 eq 443
 permit ip 172.20.0.0 0.0.7.255 any
ip access-list extended COMCAST-NAT
 permit tcp host 172.20.5.49 eq 25 host 75.75.75.75 eq 25
 permit tcp host 172.20.5.49 eq 135 host 75.75.75.75 eq 135
 permit tcp host 172.20.5.53 eq 3389 host 75.75.75.75 eq 3389
 permit tcp host 172.20.5.49 eq 80 host 75.75.75.75 eq 80
 permit tcp host 172.20.5.49 eq 443 host 75.75.75.75 eq 443
 permit ip 172.20.0.0 0.0.7.255 any
route-map CAVTEL permit 10
 match ip address CAVTEL-NAT
 match interface GigabitEthernet0/1
route-map COMCAST permit 20
 match ip address COMCAST-NAT
 match interface GigabitEthernet0/2
ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source route-map COMCAST interface GigabitEthernet0/2 overload

Will this work, and if so, is it the best solution for what I am trying to accomplish?

IP SLA CONFIGURATION

ip sla 1
 icmp-echo 8.8.8.8
 frequency 4
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 190.90.90.91
 frequency 4
ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
 delay down 1 up 1
track 20 rtr 2 reachability
 delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 75.75.75.76 track 10
ip route 0.0.0.0 0.0.0.0 190.90.90.91 track 20

ACCESS LISTS FOR PBR

ip access-list extended PBR-CAVTEL
 permit tcp 172.20.0.0 0.0.7.255 any eq 25
 permit tcp 172.20.0.0 0.0.7.255 any eq 135
ip access-list extended PBR-COMCAST
 permit ip any any

ROUTE MAPS FOR POLICY ROUTING

route-map PBR permit 10
 match ip address PBR-CAVTEL
 set ip next-hop verify-availability 190.90.90.91 1 track 20
route-map PBR permit 20
 match ip address PBR-COMCAST
 set ip next-hop verify-availability 75.75.75.76 2 track 10
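To see what the proposed design does under each failure state, here is a small Python model of it. This is an added example, not part of the original post. Addresses, ports and track numbers are taken from the post; what it assumes is that Gi0/1's own address is 190.90.90.90 (the address used by the static NAT entries on that side), that route-map PBR is applied to the inside interface with `ip policy route-map PBR`, and that PBR sequence 10 is tied to track 20 (CAVTEL) and sequence 20 to track 10 (Comcast). It also encodes the two IOS behaviours that decide the "one ACL or two" question: match clauses within one route-map sequence are ANDed, so the `match interface` clause is what selects which translation applies, and when a PBR sequence matches but its verified next hop is down the packet falls back to normal routing rather than to the next sequence.

```python
"""Model of the two-ISP failover described in the post above.

Added example, not part of the original post. It encodes the posted
IP SLA / PBR / NAT design as data and evaluates one packet against it, so
the behaviour under every track state can be checked off-box. Constructed
assumptions: Gi0/1's own address is 190.90.90.90, route-map PBR is applied
on the inside interface, and PBR seq 10 / seq 20 are tied to track 20 / 10.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Per-ISP facts taken from the post's NAT, IP SLA and PBR snippets.
ISP = {
    "CAVTEL":  {"iface": "GigabitEthernet0/1", "nat_ip": "190.90.90.90",
                "next_hop": "190.90.90.91", "track": 20},
    "COMCAST": {"iface": "GigabitEthernet0/2", "nat_ip": "75.75.75.75",
                "next_hop": "75.75.75.76", "track": 10},
}
INSIDE = ip_network("172.20.0.0/21")   # 172.20.0.0 0.0.7.255 in the ACLs
PBR_CAVTEL_PORTS = {25, 135}           # ACL PBR-CAVTEL: tcp ... any eq 25 / eq 135


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def pbr_isp(pkt: Packet, tracks: dict) -> Optional[str]:
    """route-map PBR. Evaluation stops at the first sequence whose ACL matches;
    if that sequence's verified next hop is down, the packet goes to normal
    routing, not to the next sequence."""
    in_lan = ip_address(pkt.src) in INSIDE
    if in_lan and pkt.proto == "tcp" and pkt.dport in PBR_CAVTEL_PORTS:   # seq 10
        return "CAVTEL" if tracks[ISP["CAVTEL"]["track"]] else None
    return "COMCAST" if tracks[ISP["COMCAST"]["track"]] else None          # seq 20


def routed_isp(tracks: dict) -> Optional[str]:
    """Tracked static defaults: a default route is installed only while its
    track is up. Both have the same administrative distance, so with both up
    the router would load-share; this model picks COMCAST in that case."""
    for name in ("COMCAST", "CAVTEL"):
        if tracks[ISP[name]["track"]]:
            return name
    return None


def nat_source(pkt: Packet, isp: str) -> Optional[str]:
    """ip nat inside source route-map <ISP> interface <iface> overload.
    Each NAT route-map ANDs 'match ip address <acl>' with 'match interface
    <iface>', so the egress interface selects the translation address and the
    ACL only decides whether the source is translated at all."""
    if ip_address(pkt.src) not in INSIDE:
        return None
    return ISP[isp]["nat_ip"]


def forward(pkt: Packet, tracks: dict) -> Tuple[Optional[str], Optional[str]]:
    """(egress interface, translated source), or (None, None) with no path."""
    isp = pbr_isp(pkt, tracks) or routed_isp(tracks)
    if isp is None:
        return None, None
    return ISP[isp]["iface"], nat_source(pkt, isp)


def failover_matrix(pkt: Packet) -> dict:
    """forward() under all four track states, keyed by (track10_up, track20_up)."""
    return {(c, v): forward(pkt, {10: c, 20: v})
            for c in (True, False) for v in (True, False)}


if __name__ == "__main__":
    smtp = Packet("172.20.5.49", "203.0.113.25", "tcp", 25)
    https = Packet("172.20.5.49", "203.0.113.25", "tcp", 443)
    for label, p in (("smtp", smtp), ("https", https)):
        for (t10, t20), result in failover_matrix(p).items():
            print(f"{label}: track10={t10} track20={t20} -> {result}")
```

Because the egress interface is what selects the translation address, a single ACL of inside networks reused by both NAT route-maps gives the same result in this model as two per-ISP ACLs; the per-host entries in the proposed ACLs never change which address a packet is translated to, only whether a source is translated at all.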

3 Replies

Michael Couture, Level 1

I implemented my configuration with some slight modifications, and as I feared I had an issue with the e-mail. Once the Comcast (primary) connection came online the e-mail stopped working; as far as I could tell everything else worked fine. When both interfaces are up I want all traffic except for e-mail to flow through the COMCAST connection; e-mail should flow through the CAVTEL (secondary) connection. If either connection should fail then all traffic should flow through the up interface. IP SLA appears to be working fine. I shut down the interfaces and brought them back up, then checked the IP SLA statistics, and all seemed to work properly.

I am not sure if my issue is my port forwarding, as the router is connected on the inside interface to an ASA firewall, or if the problem is with my policy routing. Here is my current config.

Current configuration : 4992 bytes
!
! Last configuration change at 19:02:49 UTC Wed Feb 15 2012 by
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9
!
!
redundancy
!
!
ip ssh version 2
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
!
!
!
interface GigabitEthernet0/0
 description INSIDE-TO-ASA100Mbps
 ip address 172.20.10.9 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description OUTSITE-T1-CAVILER
 ip address 88.88.88.88 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description OUTSIDE-TO-COMCAST
 ip address 75.75.75.75 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
!
!
router eigrp 1
 network 172.20.10.8 0.0.0.7
 network 172.21.10.8 0.0.0.7
 redistribute static
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CAVTEL interface GigabitEthernet0/1 overload
ip nat inside source route-map COMCAST interface GigabitEthernet0/2 overload
ip nat inside source static tcp 172.20.5.49 25 75.75.75.75 25 extendable
ip nat inside source static tcp 172.20.5.49 80 75.75.75.75 80 extendable
ip nat inside source static tcp 172.20.5.49 135 75.75.75.75 135 extendable
ip nat inside source static tcp 172.20.5.49 443 75.75.75.75 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 75.75.75.75 3389 extendable
ip nat inside source static tcp 172.20.5.49 25 88.88.88.88 25 extendable
ip nat inside source static tcp 172.20.5.49 80 88.88.88.88 80 extendable
ip nat inside source static tcp 172.20.5.49 135 88.88.88.88 135 extendable
ip nat inside source static tcp 172.20.5.49 443 88.88.88.88 443 extendable
ip nat inside source static tcp 172.20.5.53 3389 88.88.88.88 3389 extendable
ip route 0.0.0.0 0.0.0.0 75.75.75.76 track 10
ip route 0.0.0.0 0.0.0.0 88.88.88.89 track 20
ip route 8.8.8.8 255.255.255.255 75.75.75.76
!
ip access-list standard NATPermit
 permit 172.20.0.0 0.0.7.255
 permit 172.20.20.0 0.0.0.255
 permit 172.20.100.0 0.0.0.255
 permit 172.20.10.0 0.0.0.7
 permit 172.20.10.8 0.0.0.7
!
ip access-list extended OUTSIDE-ACCESS-IN
 permit tcp any host 172.20.5.53 eq 3389
 permit tcp any host 172.20.5.49 eq 443
 permit tcp any host 172.20.5.49 eq www
 permit tcp any host 172.20.5.49 eq smtp
ip access-list extended PBR-CAVTEL
 permit tcp 172.20.0.0 0.0.7.255 any eq smtp
 permit tcp 172.20.0.0 0.0.7.255 any eq 135
ip access-list extended PBR-COMCAST
 permit ip any any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 88.88.88.89 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
logging 172.20.5.55
!
!
!
!
route-map CAVTEL permit 10
 match ip address NATPermit
 match interface GigabitEthernet0/1
!
route-map PBR permit 10
 match ip address PBR-CAVTEL
 set ip next-hop verify-availability 88.88.88.89 1 track 20
!
route-map PBR permit 20
 match ip address PBR-COMCAST
 set ip next-hop verify-availability 75.75.75.76 2 track 10
!
route-map COMCAST permit 10
 match ip address NATPermit
 match interface GigabitEthernet0/2

Have you checked this document?

https://supportforums.cisco.com/docs/DOC-8313

Hope this helps.

Thanks Marwanshawi, but I had already looked over that doc.

Actually, after looking over everything again and again and not seeing an error, it finally hit me. It had nothing to do with the router or firewall; it was an Exchange and DNS issue. I needed to add a new DNS record and adjust the Exchange send connector. Now that I have done that, the mail flow goes on uninterrupted.
