Hello Everybody,
I'm new to routing environments, particularly the PBR mechanism.
Here is the scenario:
I have one RT (router) connecting to 2 ISPs:
ISP1: 41.218.114.85
ISP2: 41.63.166.254
interface GigabitEthernet0/0
description LINK-TO-LAN(ASA)
ip address 10.30.21.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip policy route-map concerned-traffic
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description RESERVED TO ISP1(ITA)
ip address 41.218.114.86 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description RERSERVED-ISP2(Tvcabo)
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto
no mop enabled
ip route 0.0.0.0 0.0.0.0 41.63.166.254 254
ip route 0.0.0.0 0.0.0.0 41.218.114.85 255
ip route 10.0.0.0 255.0.0.0 10.30.21.2
ip route 172.30.0.0 255.255.0.0 10.30.21.2
Objectives:
1. Use ISP1 for critical traffic: Telnet, SSH, mail (SMTP, POP3, IMAP) and VPN
2. Use ISP2 for all of the rest of the traffic: HTTP, HTTPS, FTP, ...
3. All traffic for external users (outside) has to be NATed to the ISP1 interface, for example HTTPS of the internal web server, the FTP server, ...
What I have done:
(1-2) I have created an ACL for the critical traffic and a route-map as follows:
ip access-list extended WEB-ACCESS
permit ip any any
ip access-list extended critical-traffic
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 587
permit tcp any any eq telnet
permit tcp any any eq 22
route-map concerned-traffic permit 10
match ip address critical-traffic
set ip next-hop 41.218.114.85
!
route-map concerned-traffic permit 20
set ip next-hop 41.63.166.254
I have applied it to the LAN interface, which routes all the critical traffic to ISP1 and all of the rest to ISP2.
(3) To permit my internal LAN to have access to the internet I have used NAT overload and created 2 route-maps:
route-map WEB-ISP2 permit 10
match ip address WEB-ACCESS
match interface GigabitEthernet0/2
!
route-map WEB-isp1 permit 10
match ip address WEB-ACCESS
match interface GigabitEthernet0/1
ip nat inside source route-map WEB-ISP2 interface GigabitEthernet0/2 overload
ip nat inside source route-map WEB-isp1 interface GigabitEthernet0/1 overload
(4) Difficulties that I meet:
This operation works well when I'm inside the network, meaning in the LAN, but I have big difficulties setting up the inbound NAT for HTTPS, VPN, ...
ip nat inside source static tcp 10.30.21.2 21 41.63.166.15 21 extendable
ip nat inside source static tcp 10.30.21.2 22 41.218.114.86 22 extendable
ip nat inside source static tcp 10.30.21.1 23 41.218.114.86 23 extendable
ip nat inside source static tcp 10.30.21.2 443 41.218.114.86 443 extendable
ip nat inside source static udp 10.30.21.2 500 41.218.114.86 500 extendable
ip nat inside source static udp 10.30.21.2 4500 41.218.114.86 4500 extendable
ip nat inside source static udp 10.30.21.2 10000 41.218.114.86 10000 extendable
When I try to reach an inside server via static NAT using the IP of the ISP1 interface (41.218.114.86), I'm not able to.
Maybe my configuration is wrong? I need your help guys, please help me.
Thank you in advance.
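Added worked example (editor's addition, not part of the post above and not the poster's configuration): a small Python model of the IOS order of operations the posted configuration depends on, run against the packets the post says fail. In IOS an inside-to-outside packet is policy-routed by the route-map on the ingress interface first, then routed, and only then translated by ip nat inside source; an outside-to-inside packet is un-translated first and then routed; and strict uRPF (reachable-via rx, allow-default included) requires the route back to the source to leave through the receiving interface. The RIB, the ACL, the route-map clauses and the static NAT table are transcribed from the post; the ISP2 subnet (41.63.166.0/24), the DHCP address on Gi0/2 (41.63.166.200) and the external client addresses (198.51.100.7, 203.0.113.5) are constructed assumptions, since the post does not give them.

```python
"""Model of IOS PBR + NAT + strict-uRPF ordering for the posted two-ISP config.
Editor's added example; addresses marked 'assumed' are not from the post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


# Next hops from the post and the interface each one sits behind.
NEXT_HOP_IF = {"41.218.114.85": "Gi0/1", "41.63.166.254": "Gi0/2", "10.30.21.2": "Gi0/0"}

# RIB as IOS installs it: an AD-255 route is never installed, so the only
# default route points at ISP2 (41.63.166.254 via Gi0/2).
RIB = [
    (ipaddress.ip_network("10.30.21.0/30"), "Gi0/0"),
    (ipaddress.ip_network("41.218.114.84/30"), "Gi0/1"),
    (ipaddress.ip_network("41.63.166.0/24"), "Gi0/2"),  # assumed ISP2 subnet (Gi0/2 is DHCP)
    (ipaddress.ip_network("10.0.0.0/8"), "Gi0/0"),
    (ipaddress.ip_network("172.30.0.0/16"), "Gi0/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/2"),
]


def rib_lookup(ip: str) -> str:
    """Longest-prefix match in RIB; returns the egress interface."""
    addr = ipaddress.ip_address(ip)
    return max(((n, i) for n, i in RIB if addr in n), key=lambda t: t[0].prefixlen)[1]


# ACL critical-traffic from the post: every entry matches on destination port only.
CRITICAL = {("udp", 500), ("udp", 4500), ("udp", 10000), ("tcp", 25), ("tcp", 110),
            ("tcp", 143), ("tcp", 993), ("tcp", 587), ("tcp", 23), ("tcp", 22)}


def policy_route(p: Pkt) -> str:
    """route-map concerned-traffic: clause 10 matches the ACL and sets ISP1 as
    next hop; clause 20 has no match statement, so it catches everything else."""
    if (p.proto, p.dport) in CRITICAL:
        return NEXT_HOP_IF["41.218.114.85"]
    return NEXT_HOP_IF["41.63.166.254"]


# ip nat inside source static entries from the post: (proto, inside local, port) -> global.
STATIC_NAT = {
    ("tcp", "10.30.21.2", 21): ("41.63.166.15", 21),
    ("tcp", "10.30.21.2", 22): ("41.218.114.86", 22),
    ("tcp", "10.30.21.1", 23): ("41.218.114.86", 23),
    ("tcp", "10.30.21.2", 443): ("41.218.114.86", 443),
    ("udp", "10.30.21.2", 500): ("41.218.114.86", 500),
    ("udp", "10.30.21.2", 4500): ("41.218.114.86", 4500),
    ("udp", "10.30.21.2", 10000): ("41.218.114.86", 10000),
}
# Addresses used by the two overload route-maps (Gi0/2 address is assumed).
IF_ADDR = {"Gi0/1": "41.218.114.86", "Gi0/2": "41.63.166.200"}


def nat_inside_to_outside(p: Pkt, egress: str) -> str:
    """Source address on the wire: a static entry wins; otherwise the overload
    route-map whose 'match interface' equals the egress interface applies."""
    static = STATIC_NAT.get((p.proto, p.src, p.sport))
    return static[0] if static else IF_ADDR[egress]


def forward_inside_to_outside(p: Pkt) -> tuple:
    """Inside->outside: PBR on Gi0/0 chooses the egress, NAT runs afterwards.
    Returns (egress interface, source address on the wire)."""
    egress = policy_route(p)
    return egress, nat_inside_to_outside(p, egress)


def forward_outside_to_inside(p: Pkt) -> tuple:
    """Outside->inside: static NAT un-translates the destination, then the RIB
    routes the packet. Returns (egress interface, inside destination)."""
    for (proto, local, lport), (glob, gport) in STATIC_NAT.items():
        if (proto, glob, gport) == (p.proto, p.dst, p.dport):
            return rib_lookup(local), local
    return rib_lookup(p.dst), p.dst


def strict_urpf_ok(ingress: str, src: str) -> bool:
    """'ip verify unicast source reachable-via rx allow-default': the route back
    to the source (the default route counts) must leave via the ingress interface."""
    return rib_lookup(src) == ingress


def inbound_https_roundtrip(client: str = "198.51.100.7") -> dict:
    """A constructed external client opening HTTPS to the ISP1-side static NAT:
    trace the SYN in, the uRPF check on Gi0/1, and the server's reply out."""
    syn = Pkt("tcp", client, "41.218.114.86", 40000, 443)
    in_if, inside_dst = forward_outside_to_inside(syn)
    reply = Pkt("tcp", inside_dst, client, 443, 40000)
    out_if, wire_src = forward_inside_to_outside(reply)
    return {"inbound_egress": in_if, "urpf_ok_on_Gi0/1": strict_urpf_ok("Gi0/1", client),
            "reply_egress": out_if, "reply_src": wire_src}


if __name__ == "__main__":
    print(inbound_https_roundtrip())
    print(forward_inside_to_outside(Pkt("tcp", "172.30.1.10", "203.0.113.5", 51000, 22)))
    print(forward_inside_to_outside(Pkt("tcp", "172.30.1.10", "203.0.113.5", 51001, 80)))
```

Reading the result: the LAN-originated flows come out as the post intends (SSH via Gi0/1 as 41.218.114.86, HTTP via Gi0/2), but the reply of an inbound HTTPS connection carries the ISP1 static-NAT source address while clause 20 of the route-map sends it out Gi0/2, because the ACL only ever looks at the destination port and NAT runs after PBR; the SYN itself also fails the strict uRPF check on Gi0/1, since the only installed default route points at Gi0/2. Both are consequences of the transcribed configuration under the stated assumptions, not a statement about what the poster's ISPs actually do with such packets.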