Policy Based Routing & Static NAT

kyle.heath
Level 1

I have been trying to work out how to allow access to a website via HTTPS with a failover DSL solution. I have already configured the failover DSL using route-maps and an IP SLA track, and I now have SMTP working on both public IP addresses if the one DSL circuit fails.

What I want to try to do now is have a round-robin DNS entry for a URL like remote.mydomain.com resolve to two public IP addresses, then on the router enable a static NAT for HTTPS from each public IP address to two IP addresses on my web server. This should then allow multiple connections to IIS, as I have an IP listening on HTTPS for each connection.

The problem now is routing. I can make the static NAT work if I connect on the public IP that is the default route for 0.0.0.0. If I shut down my ATM0/0/0.1 interface, Dialer0 becomes the default route and I can access the website via the static NAT on the Dialer0 public IP, and I know this is because the route to 0.0.0.0 is updated to the interface I am connecting in on.

The question is, how do I enable access from either public IP address so I can provide access to the website? Will this need to involve Policy Based Routing so that I can direct traffic out of the Dialer0 interface if the traffic originates from this interface?

This is a 1841 router with Advanced Security IOS.

Cheers


Kyle

1 Accepted Solution: Fabrizio's second reply (the route-map on the inside interface), shown in the thread below.

4 Replies

Fabrizio Pedracini
Cisco Employee

Hi Kyle,

one thing you can do is to source-nat the traffic coming from outside directed to your 2 public IP addresses using 2 different pools. This way you can have the return traffic (from your network to the outside) going out the interface it came from.

hope this helps.

Fabrizio

Fabrizio

At present I use two static NAT statements for the access to the web server from the two public IPs. Are you suggesting I should use a route-map in the NAT statement to match an ACL that states the source interface of the traffic?

If you could show me an example of what you are suggesting, I am sure I can get this working.

Thanks

Kyle

Hi Kyle,

ok so at the moment you have 2 simple "ip nat source static" translating the 2 local addresses to 2 global ones, correct?

If you want the traffic hitting the 2nd global IP to come back through the 2nd interface you can apply a route-map on the inside interface:

! ACL N matches the server's second inside local address (pre-NAT source)
access-list N permit <2nd-inside-local-IP>
!
! Route-map RM forces matching packets out via the second link
route-map RM
 match ip address N
 set ip next-hop <2nd-interface-next-hop>
!
! Apply the policy on the inside (LAN-facing) interface
interface x/y
 ip policy route-map RM

hope this helps,

Fabrizio

Fabrizio,

Thanks for your help, the route-map has done the trick. I added an ACL for the traffic back from my server, and then in the route-map I set the interface to send the traffic out from instead of the next hop, as I have a dynamic IP on this circuit. Then I added the static NAT to the secondary inside IP address, and the website works from both public IP addresses.

I shall read up some more on PBR and route-maps. Thanks for your help.
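The following is an added, complete configuration illustrating the accepted approach (Fabrizio's route-map on the inside interface, with Kyle's change of "set ip next-hop" to "set interface" because the Dialer0 address is dynamic), together with the port-level static NATs and a tracked default route of the kind the original poster said was already in place. It is not configuration from the thread itself. Everything specific is assumed: the RFC 5737 documentation addresses (203.0.113.0/30 for the primary link, 192.168.1.0/24 for the LAN, 192.168.1.10 and 192.168.1.11 for the two IIS listener addresses), the ACL numbers and route-map names, the LAN interface FastEthernet0/0, and the 12.4T-style "ip sla" syntax; only the interface names ATM0/0/0.1 and Dialer0 and the 1841 platform come from the thread.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   Primary DSL : ATM0/0/0.1, static 203.0.113.10/30, ISP next hop 203.0.113.9
!   Backup DSL  : Dialer0, PPPoE with a negotiated (dynamic) address
!   LAN         : FastEthernet0/0, 192.168.1.0/24
!   Web server  : 192.168.1.10 (via primary) and 192.168.1.11 (via backup), IIS on tcp/443 on both
!
! --- Failover: probe the primary next hop, floating default route via Dialer0 ---
ip sla 1
 icmp-echo 203.0.113.9 source-interface ATM0/0/0.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 203.0.113.9 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-WEB-DIALER
!
interface ATM0/0/0.1 point-to-point
 description Primary DSL (static public IP)
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
!
interface Dialer0
 description Backup DSL (dynamic public IP)
 ip address negotiated
 ip nat outside
!
! --- Outbound NAT: overload onto whichever link the packet is routed out of ---
access-list 10 permit 192.168.1.0 0.0.0.255
route-map NAT-ATM permit 10
 match ip address 10
 match interface ATM0/0/0.1
route-map NAT-DIALER permit 10
 match ip address 10
 match interface Dialer0
ip nat inside source route-map NAT-ATM interface ATM0/0/0.1 overload
ip nat inside source route-map NAT-DIALER interface Dialer0 overload
!
! --- Inbound HTTPS: one port-level static NAT per public address ---
! Only tcp/443 is exposed, not the whole host. The Dialer0 entry uses the
! "interface" form because that link's address is dynamic.
ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443
ip nat inside source static tcp 192.168.1.11 443 interface Dialer0 443
!
! --- PBR: HTTPS replies sourced from the second listener address leave via Dialer0 ---
! PBR runs before inside-to-outside NAT, so the ACL matches the inside local
! address. Matching "eq 443" keeps the server's own outbound traffic from
! 192.168.1.11 on the normal default route. "set interface" is used instead of
! "set ip next-hop" because Dialer0 is point-to-point with a dynamic peer.
access-list 101 permit tcp host 192.168.1.11 eq 443 any
route-map PBR-WEB-DIALER permit 10
 match ip address 101
 set interface Dialer0
```

Replies from 192.168.1.10 simply follow the tracked default route out ATM0/0/0.1, so no policy is needed for them; if the primary fails, that public address is unreachable anyway and the floating route carries the rest of the traffic out Dialer0. If Dialer0 is down, the "set interface" clause is ignored and matching packets fall back to normal routing. To confirm the behaviour, check "show track 1" and "show ip route 0.0.0.0" for the active default, "show route-map PBR-WEB-DIALER" for policy hits while connecting to the Dialer0 address, and "show ip nat translations | include 443" for the two static entries.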
