Policy Based Routing with NAT not working as expected

Josh Mil

The system consists of a switch with two VLANs for hosts, and a router with two WAN connections.

Switch:
Interface vlan10 - 192.168.1.1/24, with some hosts
Interface vlan20 - 192.168.2.1/24, with some hosts
interface g0/12 - 172.16.0.2/252, uplink to router
ip route 0.0.0.0 0.0.0.0 172.16.0.1

Router:
Interface g0/0/0 - 172.16.0.1/252, from switch, with PBR configured for distributing traffic to WAN1 and WAN2
Interface g0/0/1 - WAN1, DHCP client
Interface g0/0/2 - WAN2, DHCP client

Intended logic:
Hosts on 192.168.1.1/24 use WAN1 for internet access
Hosts on 192.168.2.1/24 use WAN2 for internet access
No load balancing, no failover. The two internet services are intended to be kept separate.

The problem is, when both WAN interfaces are up, none of the hosts in vlan 10 and vlan 20 have internet access. If I shut down one WAN interface, the hosts in the vlan that is distributed by PBR to the other WAN interface are able to access the internet. For example, if WAN2 is shut down, hosts on 192.168.0.1/24 can access the internet.

Could someone please help me figure out the reason? Thank you.

*** 1xLAN and 2xWAN interfaces ***

interface g0/0/0
! receives traffic from LAN and distributes to two WAN interfaces
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map rm_lan_to_wan

interface g0/0/1
! WAN 1
 ip nat outside

interface g0/0/2
! WAN 2
 ip nat outside

*** Policy Based Routing ***

route-map rm_lan_to_wan permit 10
 match ip address pbr_wan1
 set interface g0/0/1

route-map rm_lan_to_wan permit 20
 match ip address pbr_wan2
 set interface g0/0/2

ip access-list extended pbr_wan1
 permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended pbr_wan2
 permit ip 192.168.2.0 0.0.0.255 any

*** NAT ***

ip access-list standard nat_wan1
 permit 192.168.1.0 0.0.0.255

ip access-list standard nat_wan2
 permit 192.168.2.0 0.0.0.255

ip nat inside source list nat_wan1 interface g0/0/1 overload
ip nat inside source list nat_wan2 interface g0/0/2 overload

19 Replies

Hello
FYI - based on what you have posted, your configuration is incorrect, hence why it doesn't work.
It isn't difficult to implement anything as long as you understand all the features that a working solution incorporates, whatever you may be working on (including dual WAN/NAT & policy based routing).
But just obtaining an example configuration without having an understanding of how it works is the key.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

My configuration is not an "obtained example". I typed it letter by letter on the keyboard, following Cisco official documentation and third-party articles. It's not example code copied and pasted from somewhere.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html#71793

Also, according to Cisco, PBR is processed before NAT.

If the above information is correct, the config should work, but it doesn't.

Hello


@Josh Mil wrote:
the above information is correct, the config should work, but it doesn't.


As stated previously - your configuration wouldn't have worked due to it missing the points I highlighted, regarding your route-maps for NAT and PBR.



Kind Regards
Paul

Hi Paul,

May I please ask why my config doesn't work? As I see, it has correct and clear logic, and complies with the syntax and usage of PBR and NAT.

I could replace my code with your correct version, but that would still leave me having no idea what to do next time when I write my own algorithm.

This is the logic of my original code:

I set the LAN interface as nat inside, and set the two WAN interfaces as nat outside. This is in line with Cisco's guide.
I created NAT rule 1, translating outbound traffic from Vlan10 to WAN1, as well as NAT rule 2, translating traffic from Vlan20 to WAN2. This is in line with Cisco's guide.
I created a route-map, directing Vlan10 traffic to WAN1 and Vlan20 traffic to WAN2. This is in line with Cisco's guide.
According to Cisco, routing is performed before NAT. This means outbound traffic arriving at the LAN interface is dispatched by the route-map first, then translated by NAT, and then sent out through WAN1 and WAN2. Return traffic received by WAN1 and WAN2 is translated by NAT and sent back to the LAN interface.

Where is the problem?

Hello
As I've stated -
your route-maps were incorrect -

You didn't specify a match clause for a WAN interface in addition to the NAT ACL.

Your PBR RM set clause was for an interface and NOT a next-hop IP (obviously due to a DHCP WAN IP allocation); however, stating "set interface" in a PBR policy RM towards a multi-access interface isn't applicable, as you're telling the rtr that every external IP (including the next-hop IP) is directly connected, which it obviously isn't - the rtr needs to know the next-hop IP address for the PBR to perform correctly before NAT is initialised.

Lastly, you had ECMP towards the WAN interfaces, which wouldn't negate the operation of NAT but could cause failures with unnecessary asymmetric routing / incorrect load balancing.



Kind Regards
Paul
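The following configuration is an added illustration of the two route-map points raised in the replies above (NAT route-maps that also match the egress interface, and a PBR next hop instead of "set interface"); it is not the poster's configuration or a Cisco-supplied one. The interface names and ACLs are taken from the original post; the gateway addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders standing in for the DHCP-learned WAN gateways, and the commands assume an IOS release that supports route-map based NAT and "match interface".

```cisco
! Added example based on the replies in this thread, not the original poster's config.
! 203.0.113.1 / 198.51.100.1 are constructed placeholders: on the real router take the
! gateway of each WAN from "show dhcp lease" (or "show ip route") and substitute it.

interface GigabitEthernet0/0/0
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map rm_lan_to_wan
!
interface GigabitEthernet0/0/1
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/0/2
 ip address dhcp
 ip nat outside
!
! PBR: steer each VLAN by next-hop IP. "set interface" on a multi-access WAN treats
! every destination as directly connected, which is the problem Paul describes.
route-map rm_lan_to_wan permit 10
 match ip address pbr_wan1
 set ip next-hop 203.0.113.1
!
route-map rm_lan_to_wan permit 20
 match ip address pbr_wan2
 set ip next-hop 198.51.100.1
!
ip access-list extended pbr_wan1
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended pbr_wan2
 permit ip 192.168.2.0 0.0.0.255 any
!
! NAT: each translation rule matches both the inside source and the WAN it egresses on,
! so a flow is only translated to the address of the interface it actually leaves by.
ip access-list standard nat_wan1
 permit 192.168.1.0 0.0.0.255
ip access-list standard nat_wan2
 permit 192.168.2.0 0.0.0.255
!
route-map rm_nat_wan1 permit 10
 match ip address nat_wan1
 match interface GigabitEthernet0/0/1
!
route-map rm_nat_wan2 permit 10
 match ip address nat_wan2
 match interface GigabitEthernet0/0/2
!
ip nat inside source route-map rm_nat_wan1 interface GigabitEthernet0/0/1 overload
ip nat inside source route-map rm_nat_wan2 interface GigabitEthernet0/0/2 overload
```

After applying it, "show route-map" shows per-sequence match counts for the PBR policy and "show ip nat translations" should list vlan 10 hosts translated only to the g0/0/1 address and vlan 20 hosts only to the g0/0/2 address.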