Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
649
Views
0
Helpful
3
Replies

One NAT inside to multiple NAT outside with DHCP

seanboulter
Level 1
Level 1

‎03-31-2011 11:25 AM - edited ‎03-04-2019 11:56 AM

Here's the setup: a router connecting to two ISPs, one on DSL and one on 4G.  Both of these interfaces are assigned via DHCP and configured as nat outside.  The nat inside interface would host a few clients wanting to get to the Internet.  The routing is such that DSL is primary and 4G is secondary.

The problem is that when I disconnect the DSL, clients are not getting NAT'd out the 4G connection.  I can ping out that interface from the router, but one of two things happens: 1) with a ip nat source list <interface> overload, it completely fails; 2) with a route-map that matches the outbound interface, it works, but only if you clear the existing translations.

Thanks in advance for any suggestions.

Sean

This config works until the primary link goes down:

!

ip nat source list 20 interface GigabitEthernet0/0 overload

ip nat source list 21 interface GigabitEthernet0/1 overload

!
access-list 20 permit 192.168.255.0 0.0.0.255
access-list 21 permit 192.168.255.0 0.0.0.255
This config works if you clear the nat trans table after the primary link goes down
!
ip nat inside source route-map Gig00 interface GigabitEthernet0/0 overload
ip nat inside source route-map Gig01 interface GigabitEthernet0/1 overload
!
route-map Gig00 permit 10
match interface GigabitEthernet0/0
!
route-map Gig01 permit 10
match interface GigabitEthernet0/1

Labels:
0 Helpful
3 Replies 3

NetworkNinja79
Level 1
Level 1

‎03-31-2011 11:46 AM

Sean,

You should only need one ACL to implement this. Also with your second config I would try and add the match ip address 2* to the route-maps.

You can lower the NAT translation timeout with these commands
ip nat translation tcp-timeout 30
ip nat translation udp-timeout 30
0 Helpful

seanboulter
Level 1
Level 1
In response to NetworkNinja79

‎03-31-2011 12:31 PM

Thanks for the reply.

The reason I'm using 2 ACLs is that the ip nat inside source command will not allow me to assign the same ACL to two different interfaces.  Same with the route-map suggestion.

0 Helpful

seanboulter
Level 1
Level 1

‎04-01-2011 01:16 PM

I opened up a case with TAC and they identified an internal bug related to nat timeouts using IP SLA and tracking (which I didn't mention I was using).  Here's the config as it should work (minus the tracking).  With tracking however, you have to manually do "clear ip nat trans *" for it to work as you would normally expect; otherwise the inside hosts stay bound to the outside interface even after it goes down.  Cisco's workaround for me was to use EEM to do the clear ip nat trans.

interface GigabitEthernet0/0

description primary

ip dhcp client default-router distance 8

ip address dhcp

ip nat outside

ip virtual-reassembly

!
interface GigabitEthernet0/1
description secondary
ip dhcp client default-router distance 24
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface Vlan10
ip address 192.168.255.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source route-map Gig00 interface GigabitEthernet0/0 overload
ip nat inside source route-map Gig01 interface GigabitEthernet0/1 overload
!
route-map Gig00 permit 10
match ip address 101
match interface GigabitEthernet0/0
!
route-map Gig01 permit 10
match ip address 101
match interface GigabitEthernet0/1
!
access-list 101 permit ip 192.168.255.0 0.0.0.255 any
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card