One router, Two Outside, One Inside, Two Outside public NAT in One inside IP

Ronnie Billate
Level 1

One router, Two Outside, One Inside, Two Outside public NAT in One inside IP.

Can anyone help me? I am trying to have a network with


- 1 router
- 2 ISPs
- two OUTSIDE

- one Inside
- all servers publicly have two NAT PUBLIC ISP.

What I did is configure IP SLA, so that if the primary goes down it will fail over to the secondary. But the problem comes in here: the router has a configuration of
"ip nat inside source static private_IP public_isp1"
"ip nat inside source static private_IP public_isp2"

The problem is the NAT translation. If I shut down the link of public ISP1 (assuming the traffic will traverse to ISP2), the default route is now already on ISP2, but in the NAT translation the router is still using the NAT subnet of ISP1. As a result, packets start to drop because the translated IP address is wrong (ISP1) when it is supposed to be using the static NAT of ISP2.


Giuseppe Larosa
Hall of Fame

Hello Ronnie,

You need to use route-maps in your NAT configuration.

See the document below:

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html

 

ip nat inside source route-map fixed-nat interface Dialer0 overload
ip nat inside source route-map dhcp-nat interface FastEthernet0 overload

route-map fixed-nat permit 10
 match ip address 110
 match interface Dialer0
!
route-map dhcp-nat permit 10
 match ip address 110
 match interface FastEthernet0


!--- Route-maps associate NAT ACLs with NAT outside on
!--- the ISP-facing interfaces.

The route-maps check the outgoing interface.

Hope to help
Giuseppe



Ronnie Billate
Level 1

Thank you for the efforts, I think the load balancer is the answer to our problem.

Hello,

 

On a side note, in case of ISP failover configurations in combination with NAT, it is useful to have an EEM script that clears the existing NAT translations and removes any static NAT lines pointing to the 'failed' ISP from your configuration. If you post your full running configuration, I can suggest what to edit...

 

Here is a sample configuration:

 

! Track object follows the reachability result of IP SLA probe 1
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
 description ISP Primary
 ip address 100.100.100.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/1
 description ISP Secondary
 ip address 200.200.200.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
!
ip nat inside source static private_IP public_isp1
ip nat inside source static private_IP public_isp2
!
! Primary default route is withdrawn when track 1 goes down;
! the secondary is a floating static with administrative distance 200
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 200.200.200.2 200
!
! Probe sourced from the primary ISP interface
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet0/0
 threshold 1000
 timeout 3000
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Primary down: swap the static NAT to the ISP2 address and flush translations
event manager applet ISP_PRIMARY_DOWN_CLEAR_NAT
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip nat inside source static private_IP public_isp1"
 action 4.0 cli command "ip nat inside source static private_IP public_isp2"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip nat translation *"
 action 7.0 cli command "end"
!
! Primary back up: swap the static NAT back to the ISP1 address and flush translations
event manager applet ISP_PRIMARY_DOWN_CLEAR_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip nat inside source static private_IP public_isp2"
 action 4.0 cli command "ip nat inside source static private_IP public_isp1"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip nat translation *"
 action 7.0 cli command "end"
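
The following is an added example, not part of any reply in this thread: a small Python check that scans a saved running-config for the condition described in the question (one inside address with several static NAT entries, at least one of them not tied to a route-map) and for a malformed default-route next hop. The sample config, its addresses and the route-map names ISP1/ISP2 are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample config; addresses and route-map names are placeholders.
SAMPLE_CONFIG = """\
ip nat inside source static 10.0.0.10 100.100.100.10
ip nat inside source static 10.0.0.10 200.200.200.10
ip nat inside source static 10.0.0.20 100.100.100.20 route-map ISP1 extendable
ip nat inside source static 10.0.0.20 200.200.200.20 route-map ISP2 extendable
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 200.200.2000.2 200
"""

STATIC_NAT = re.compile(r"^ip nat inside source static (\S+) (\S+)(.*)$")
DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def is_ipv4(text):
    """True if text is a valid dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def audit(config):
    """Return a sorted list of (kind, detail) findings for a config text."""
    findings = []
    by_local = defaultdict(list)  # inside local -> [(inside global, has route-map)]
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_NAT.match(line)
        if m:
            local, inside_global, rest = m.groups()
            by_local[local].append((inside_global, "route-map" in rest.split()))
            continue
        m = DEFAULT_ROUTE.match(line)
        # Next hop may be an interface name; only judge dotted-numeric values.
        if m and re.fullmatch(r"[\d.]+", m.group(1)) and not is_ipv4(m.group(1)):
            findings.append(("bad-next-hop", m.group(1)))
    for local, entries in by_local.items():
        # Several globals for one local, with any entry not bound to a
        # route-map, leaves the egress translation independent of the exit ISP.
        if len(entries) > 1 and any(not has_rm for _, has_rm in entries):
            findings.append(("ambiguous-static-nat", local))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```
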
