346 Views · 1 Helpful · 16 Replies

Policy Based Routing with NAT not working as expected

Josh Mil
Level 1

The system consists of a switch with two VLANs for hosts, and a router with two WAN connections.

Switch:
Interface vlan10 - 192.168.1.1/24, with some hosts
Interface vlan20 - 192.168.2.1/24, with some hosts
interface g0/12 - 172.16.0.2/252, uplink to router
ip route 0.0.0.0 0.0.0.0 172.16.0.1

Router:
Interface g0/0/0 - 172.16.0.1/252, from switch, with PBR configured for distributing traffic to WAN1 and WAN2
Interface g0/0/1 - WAN1, DHCP client
Interface g0/0/2 - WAN2, DHCP client

Intended logic:
Hosts on 192.168.1.1/24 use WAN1 for internet access
Hosts on 192.168.2.1/24 use WAN2 for internet access
No load balancing, No failover. Two internet services are intended to be kept separate.

The problem is, when both WAN interfaces are up, none of the hosts on vlan 10 or vlan 20 has internet access. If I shut down one WAN interface, the hosts in the vlan that is directed by PBR to the other WAN interface are able to access the internet. For example, if WAN2 is shut down, hosts on 192.168.0.1/24 can access the internet.

Could someone please help me figure out the reason? Thank you.

*** 1xLAN and 2xWAN interfaces ***

interface g0/0/0
! receives traffic from LAN and distributes to two WAN interfaces
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map rm_lan_to_wan

interface g0/0/1
! WAN 1
 ip nat outside

interface g0/0/2
! WAN 2
 ip nat outside

*** Policy Based Routing ***

route-map rm_lan_to_wan permit 10
 match ip address pbr_wan1
 set interface g0/0/1

route-map rm_lan_to_wan permit 20
 match ip address pbr_wan2
 set interface g0/0/2

ip access-list extended pbr_wan1
 permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended pbr_wan2
 permit ip 192.168.2.0 0.0.0.255 any

*** NAT ***

ip access-list standard nat_wan1
 permit 192.168.1.0 0.0.0.255

ip access-list standard nat_wan2
 permit 192.168.2.0 0.0.0.255

ip nat inside source list nat_wan1 interface g0/0/1 overload
ip nat inside source list nat_wan2 interface g0/0/2 overload

16 Replies

balaji.bandi
Hall of Fame

You have routes available as below:

ip route 0.0.0.0 0.0.0.0  ISP1 IP
ip route 0.0.0.0 0.0.0.0  ISP2 IP

Check the full configuration here, also with SLA to failover if one of the ISPs goes down.

https://www.balajibandi.com/?p=1643

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you. I particularly want to keep the two WAN services separate. Definitely don't want the two networks mixed up. VLAN10 should always use WAN1, VLAN20 should always use WAN2. As mentioned in the original post, no failover.

Hello @Josh Mil ,

>> Definitely don't want the two networks mixed up. VLAN10 should always use WAN1, VLAN20 should always use WAN2. As mentioned in the original post, no failover.

I would use VRFs to have WAN1 and LAN1 in VRFA and WAN2 and LAN2 in VRFB, because you want each LAN to use only one WAN.

In each VRF the configuration is very simple because there is only one LAN and one WAN.

Edit:

You would need two subinterfaces on the single LAN interface to use the two-VRF approach.

Hope to help

Giuseppe

Thank you.

But the VLANs need to talk to each other within the same switch.

In terms of internet access, VLANs need to be isolated from each other.

HaiCa
Level 1

Did you try to use set ip next-hop instead?

Thank you.

Both WAN services are DHCP. I can't specify an IP address for the next hop.

Hello

@Josh Mil wrote:

Thank you.

Both WAN services are DHCP. I can't specify an IP address for the next hop.


You should be able to; check the route table for candidate static routes:

sh ip route static

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

There is no gateway address listed in sh ip route static. Instead, it's just the interface name, such as "0.0.0.0/0 is directly connected, g0/0/1"

That actual IP address changes every time the interface is disabled/enabled or the router is rebooted.

Hello
As you are receiving DHCP WAN IP allocation, your site router will have dual DHCP candidate default routes with the same administrative distance (254).
I would say manually specify a primary interface with a lower administrative distance, then just policy route towards the secondary WAN interface (here you can add some conditional tracking for WAN resiliency if you wish; excluded at present).

Also, specifying a PBR interface on a multi-access interface may result in PBR/NAT not working; it would be preferable to set an IP next-hop address (you should be able to find this in the router's route table for the default candidate routes: show ip route static).

As for the NAT:
For your route-maps, you need to add a match clause towards each WAN interface. Again, no resiliency is shown here, but you would possibly require some EEM scripting to clear and flush the NAT translation tables, and also tweak your NAT ACLs to provide translation for ALL hosts if/when either WAN interface fails (again not shown here).

Example:

! Identify the DHCP-learned gateway of each WAN; the WAN2 one is used for set ip next-hop below
sh ip route static

int x/x
 description WAN1
 ip dhcp client default-router distance 1
! WAN1 becomes the preferred default route

int x/x
 description WAN2
 ip dhcp client default-router distance 2
! WAN2's default route stays in the table only as a backup candidate

! VLAN10 now follows the WAN1 default route; only VLAN20 needs policy routing
no route-map rm_lan_to_wan permit 10
route-map rm_lan_to_wan permit 20
 no set interface g0/0/2
 set ip next-hop x.x.x.x
! x.x.x.x = the WAN2 gateway shown by "sh ip route static"

! NAT: "match interface" is a route-map clause, not an ACL entry, so each NAT
! rule is bound to its source ACL AND its exit interface through a route-map
route-map rm_nat_wan1 permit 10
 match ip address nat_wan1
 match interface g0/0/1

route-map rm_nat_wan2 permit 10
 match ip address nat_wan2
 match interface g0/0/2

no ip nat inside source list nat_wan1 interface g0/0/1 overload
no ip nat inside source list nat_wan2 interface g0/0/2 overload
ip nat inside source route-map rm_nat_wan1 interface g0/0/1 overload
ip nat inside source route-map rm_nat_wan2 interface g0/0/2 overload


Kind Regards
Paul

Thank you.

But I think this is risky:
>>> manually specify a primary interface with a lower administrative distance then just policy route towards the secondary wan interface

For example, if I specify WAN1 as primary, and use PBR to direct Vlan20 traffic to WAN2, what would happen if WAN1 is down due to a technical failure or ISP outage? Hosts in Vlan10 will go to WAN2 as well. This will break the isolation.

Hello

@Josh Mil wrote:

For example, if I specify WAN1 as primary, and use PBR to direct Vlan20 traffic to WAN2, what would happen if WAN1 is down due to a technical failure or ISP outage? Hosts in Vlan10 will go to WAN2 as well. This will break the isolation.


No it won't. If you do not specify a NAT policy towards WAN2 for the hosts in VLAN 10, they will not be able to have external reachability; and even more so, if you do NOT specify a primary interface, then the router would simply try ECMP between dual default paths with the same AD of 254.


Kind Regards
Paul
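Pulling the thread's advice together as one router configuration (an example assembled here, not Josh's original config nor Paul's snippet): WAN1 is the preferred DHCP default route, only VLAN20 is policy routed, and every NAT rule is bound to both a source subnet and an exit interface. Addresses, ACL names and the rm_lan_to_wan name come from the original post; the route-map names rm_nat_wan1/rm_nat_wan2 and the interface names spelled out from the post's g0/0/x shorthand are assumptions, and 203.0.113.1 is a placeholder for the WAN2 gateway read from show ip route static.

```cisco
! LAN side: receives VLAN10 and VLAN20 traffic from the switch
interface GigabitEthernet0/0/0
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
 ip policy route-map rm_lan_to_wan
!
! WAN1: preferred default route (lower administrative distance)
interface GigabitEthernet0/0/1
 description WAN1
 ip address dhcp
 ip dhcp client default-router distance 1
 ip nat outside
!
! WAN2: its DHCP default route stays in the table only as a backup candidate
interface GigabitEthernet0/0/2
 description WAN2
 ip address dhcp
 ip dhcp client default-router distance 2
 ip nat outside
!
! PBR: VLAN10 follows the WAN1 default route, only VLAN20 is policy routed.
! 203.0.113.1 is a placeholder for the WAN2 gateway seen in "show ip route static"
ip access-list extended pbr_wan2
 permit ip 192.168.2.0 0.0.0.255 any
route-map rm_lan_to_wan permit 10
 match ip address pbr_wan2
 set ip next-hop 203.0.113.1
!
! NAT: a translation applies only when BOTH the source subnet and the exit
! interface match, so VLAN10 is never translated on WAN2 (nor VLAN20 on WAN1)
ip access-list standard nat_wan1
 permit 192.168.1.0 0.0.0.255
ip access-list standard nat_wan2
 permit 192.168.2.0 0.0.0.255
route-map rm_nat_wan1 permit 10
 match ip address nat_wan1
 match interface GigabitEthernet0/0/1
route-map rm_nat_wan2 permit 10
 match ip address nat_wan2
 match interface GigabitEthernet0/0/2
ip nat inside source route-map rm_nat_wan1 interface GigabitEthernet0/0/1 overload
ip nat inside source route-map rm_nat_wan2 interface GigabitEthernet0/0/2 overload
!
! Isolation check: if WAN1 goes down, VLAN10 falls through to the WAN2 default
! route but matches no NAT rule there, so it leaves with its private source
! address and gets no reply; VLAN10 never shares WAN2's public address.
```

Because the WAN2 gateway is DHCP-learned, re-check it with show ip route static after the link flaps or the router reboots, as noted earlier in the thread.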

Thank you for correcting me. Now I see. Without an explicitly defined NAT rule, Vlan10 won't go to WAN2. Thank you.

Josh Mil
Level 1

I appreciate the alternative solutions provided in the above replies. I truly thank you for your help.

But my question is: Cisco published PBR and NAT as usable functions of their router products. My config code complies with Cisco's syntax. There is no error reported. Logic is simple and clear. Why does it not work?

An organisation has two WAN connections from two ISPs. Internet-bound traffic from LAN hosts is distributed to the two WAN connections based on the department that the host belongs to. Isn't it a very normal, legit and reasonable scenario? Why is it so difficult to implement such a simple requirement?

Hello
FYI: based on what you have posted, your configuration is incorrect, hence why it doesn't work.
It isn't difficult to implement anything as long as you understand all the features that make up a working solution, whatever you may be working on (including dual WAN/NAT and policy based routing).
But just obtaining an example configuration without having an understanding of how it works is the key.


Kind Regards
Paul