06-28-2005 05:22 AM - edited 03-03-2019 09:55 AM
Hi!
I have a router CS1750 on which I'm trying to implement PBR with NAT. I can't seem to get it working because the IP traffic always flows out the same output interface. I'm trying to test a real situation where one can have 2 Internet links (Frame-Relay and ADSL) and I want to have the email traffic (POP3 and SMTP) going through the Frame-Relay link and the rest (http, ftp, p2p...) through the ADSL link.
Here's the configuration:
hostname CS1750
!
ip cef
!
interface FastEthernet0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip policy route-map PBR
!
interface Serial0
description *** FRAME-RELAY - 250Kbps ***
ip nat outside
encapsulation frame-relay
ip route-cache policy
no fair-queue
!
interface Serial0.1 point-to-point
ip address 10.10.20.1 255.255.255.252
ip nat outside
frame-relay interface-dlci 16
!
interface Serial1
description *** HDLC - 2Mbps ***
ip address 10.10.10.1 255.255.255.252
ip nat outside
ip route-cache policy
no fair-queue
!
ip nat inside source route-map NAT-ADSL interface Serial1 overload
ip nat inside source route-map NAT-FR interface Serial0.1 overload
!
ip classless
!
ip access-list extended ADSL
permit icmp 192.168.10.0 0.0.0.255 any
permit ip any any
remark *** All Traffic ***
!
ip access-list extended FR
permit tcp 192.168.10.0 0.0.0.255 any eq smtp
permit tcp 192.168.10.0 0.0.0.255 any eq pop3
remark *** Email Traffic (SMTP e POP3) ***
!
route-map PBR permit 10
match ip address FR
set interface Serial0.1
!
route-map PBR permit 20
match ip address ADSL
set interface Serial1
!
route-map PBR permit 30
set default interface Null0
!
route-map NAT-FR permit 10
match ip address FR
!
route-map NAT-ADSL permit 10
match ip address ADSL
!
Thanks for your attention.
Regards.
06-28-2005 12:30 PM
Make sure that the ADSL ACL denies traffic that is allowed in the FR ACL. Otherwise "permit ip any any" will match all traffic, which will cause some traffic to go out via serial0.1 but with a natted source address of serial1. Your ACL should look like this:
ip access-list extended ADSL
deny tcp 192.168.10.0 0.0.0.255 any eq smtp
deny tcp 192.168.10.0 0.0.0.255 any eq pop3
permit icmp 192.168.10.0 0.0.0.255 any
permit ip any any
remark *** All Traffic ***
Hope this helps,
06-29-2005 12:52 AM
Hi!
Thanks for your answer. I've tried that already and with success. The problem I have now is that I want my solution to be redundant, and if one of the Internet links goes down all traffic should go through the other link. With the ACL you mentioned that can't happen.
Regards.
06-29-2005 01:19 AM
Hi Ovieira,
I do not think that is possible because NAT fallback is not possible. Since you must have 2 different ISPs, NAT will be different for the 2 interfaces, and that is kinda not possible.
It would have been possible if you had 2 routers and ran HSRP between the Ethernet LAN links, terminating one ISP on one router and the other ISP on the other router.
Regards,
Ankur
06-29-2005 01:30 AM
Hi!
I don't think this is NAT fallback. I want first to decide which Internet link to use, using PBR, and then do the NAT that is configured for that output interface.
Thanks.
06-29-2005 01:43 AM
Hi,
Your PBR says that traffic coming from this source for a particular port number moves out interface x, say, and if that interface goes down there is no ACL saying it falls back to the other interface, so it's kinda PBR fallback and also NAT fallback, because if the first interface goes down PBR as well as NAT should work for the other interface, which I think is not possible on a single router.
Regards,
Ankur
06-29-2005 01:13 AM
Hi,
Here the ACL does the following:
1: If permit, no action is taken.
2: If deny, then the packets are routed as per the policy routing settings.
Thus you need to define the ACL in such a way that packets that need to use the PBR are denied and the rest are permitted.
Thanks
06-29-2005 01:27 AM
Hi!
What ACL are you referring to? I have a Cisco document that says that the router first deals with PBR and then NAT. So, after the router decides which link to use for output packets, NAT should be applied according to the output interface, right?
Regards.
06-29-2005 01:34 AM
Kumar here.
Please try the method that I sent to you before.
Instead of permit, please use deny.
It has to work.
06-29-2005 02:06 AM
Hi Kumar!
Please confirm which ACL you are referring to.
Thanks.
06-29-2005 02:14 AM
I think he's talking about this:
ip access-list extended ADSL
permit icmp 192.168.10.0 0.0.0.255 any
permit ip any any
remark *** All Traffic ***
!
ip access-list extended FR
permit tcp 192.168.10.0 0.0.0.255 any eq smtp
permit tcp 192.168.10.0 0.0.0.255 any eq pop3
remark *** Email Traffic (SMTP e POP3) ***
!
Since you have permit ip any any on ADSL, your pop3/smtp traffic will also hit this ADSL ACL. Clearly defining the ACLs for PBR/NAT will be a convenience for your future troubleshooting, and it's a very common & recommended practice.
So what you need will be:
!
ip access-list extended ADSL
deny tcp 192.168.10.0 0.0.0.255 any eq smtp
deny tcp 192.168.10.0 0.0.0.255 any eq pop3
permit icmp 192.168.10.0 0.0.0.255 any
permit ip any any
remark *** OTHER Traffic ***
!
ip access-list extended FR
permit tcp 192.168.10.0 0.0.0.255 any eq smtp
permit tcp 192.168.10.0 0.0.0.255 any eq pop3
remark *** Email Traffic (SMTP e POP3) ***
!
06-29-2005 03:12 AM
This one will only redirect ICMP packets:
ip access-list extended ADSL
deny icmp 192.168.10.0 0.0.0.255 any
permit ip any any
remark *** All Traffic ***
!
This one will only redirect SMTP and POP3:
ip access-list extended FR
deny tcp 192.168.10.0 0.0.0.255 any eq smtp
deny tcp 192.168.10.0 0.0.0.255 any eq pop3
remark *** Email Traffic (SMTP e POP3) ***
06-29-2005 01:38 AM
try to use "match interface" for the NAT:
!
route-map NAT-FR permit 10
match interface s0.1
!
route-map NAT-ADSL permit 10
match interface s1
!
ip nat inside source route-map NAT-ADSL interface Serial1 overload
ip nat inside source route-map NAT-FR interface Serial0.1 overload
!
For your PBR, you need to set a secondary interface
route-map PBR permit 10
match ip address FR
set interface Serial0.1 Serial1
!
route-map PBR permit 20
match ip address ADSL
set interface Serial1 Serial0.1
!
But I doubt the PBR will work when the FR cloud has problems and your interface link status is still up.
06-29-2005 01:47 AM
And please also follow kumar's suggestion to change your ACLs accordingly.
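To make the two points in this thread concrete (the overlap between the FR ACL and the "permit ip any any" in the ADSL ACL described in the first reply, and the "match interface" / secondary-interface suggestion above), here is a small simulator. It is an added example, not configuration or code from the original thread. It models IOS extended-ACL first-match evaluation, the PBR route-map with an ordered `set interface` list (first interface that is up wins), and NAT rule selection as "first `ip nat inside source` statement whose route-map matches, in config order". That NAT ordering is a simplification used to illustrate the replies' reasoning, not a statement about IOS internals; the hosts, interface names and packets are constructed for the example.

```python
"""Model of PBR + NAT route-map interaction from the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.10.0/24")          # inside network from the thread
SMTP, POP3, HTTP = 25, 110, 80


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto "ip" matches any protocol; src None = any."""
    action: str                              # "permit" or "deny"
    proto: str
    src: Optional[object]                    # ip_network or None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        return self.dport is None or self.dport == p.dport


def acl_permits(acl, p: Packet) -> bool:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# The three ACL variants discussed in the thread.
FR_ACL = [Ace("permit", "tcp", LAN, SMTP), Ace("permit", "tcp", LAN, POP3)]
ADSL_ACL_ORIG = [Ace("permit", "icmp", LAN), Ace("permit", "ip", None)]
ADSL_ACL_FIXED = [Ace("deny", "tcp", LAN, SMTP),
                  Ace("deny", "tcp", LAN, POP3)] + ADSL_ACL_ORIG


def pbr_egress(p, adsl_acl, up, fallback):
    """route-map PBR: seq 10 (FR) then seq 20 (ADSL).
    With fallback=True each clause carries the secondary interface from
    'set interface Serial0.1 Serial1'; the first interface that is up is used."""
    clauses = [(FR_ACL, ["Serial0.1", "Serial1"]),
               (adsl_acl, ["Serial1", "Serial0.1"])]
    for acl, ifaces in clauses:
        if acl_permits(acl, p):
            for ifc in (ifaces if fallback else ifaces[:1]):
                if up[ifc]:
                    return ifc
            return None            # every set interface is down: not policy-routed
    return None


def nat_interface(p, egress, adsl_acl, match_interface):
    """Pick the NAT statement, in config order, whose route-map matches.
    ACL mode: 'match ip address <acl>'. Interface mode: 'match interface <if>'."""
    rules = [("NAT-ADSL", adsl_acl, "Serial1"), ("NAT-FR", FR_ACL, "Serial0.1")]
    for _name, acl, ifc in rules:
        hit = (egress == ifc) if match_interface else acl_permits(acl, p)
        if hit:
            return ifc                       # source is translated to this interface's address
    return None


def simulate(p, adsl_acl, up=None, fallback=False, match_interface=False):
    """Return which interface the packet leaves and which interface's
    address NAT stamps on it; 'consistent' is False when they differ."""
    up = up or {"Serial0.1": True, "Serial1": True}
    egress = pbr_egress(p, adsl_acl, up, fallback)
    if egress is None:
        return None
    nat_if = nat_interface(p, egress, adsl_acl, match_interface)
    return {"egress": egress, "nat": nat_if, "consistent": egress == nat_if}


if __name__ == "__main__":
    smtp = Packet("192.168.10.5", "tcp", SMTP)
    print("original ACLs:", simulate(smtp, ADSL_ACL_ORIG))
    print("with deny lines:", simulate(smtp, ADSL_ACL_FIXED))
    fr_down = {"Serial0.1": False, "Serial1": True}
    print("FR down, ACL-based NAT:", simulate(smtp, ADSL_ACL_FIXED, fr_down, fallback=True))
    print("FR down, match interface:",
          simulate(smtp, ADSL_ACL_FIXED, fr_down, fallback=True, match_interface=True))
```

Running the four cases reproduces the thread's reasoning: with the original ADSL ACL an SMTP packet is policy-routed out Serial0.1 but the first NAT statement (NAT-ADSL, via "permit ip any any") claims it; the deny lines fix that while both links are up; once Serial0.1 is down the secondary interface moves the packet to Serial1, but the ACL-based NAT-FR rule still matches it, so only the "match interface" form keeps the translation tied to the real egress. As the post above cautions, the model keys fallback off interface status only; a Frame-Relay cloud failure with the line protocol still up is not detected by any of this.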
07-01-2005 11:13 PM
Hi friend,
Here is the config from Jeff Doyle for load balancing and redundancy with two ISPs; for the diagram, read Jeff Doyle 2.
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Ethernet1
ip address 10.5.1.1 255.255.255.0
ip nat inside
!
interface Serial1
no ip address
encapsulation frame-relay
!
interface Serial1.708 point-to-point
description PVC to ISP1
ip address 205.113.49.253 255.255.255.252
ip nat outside
frame-relay interface-dlci 708
!
interface Serial1.709 point-to-point
description PVC to ISP2
ip address 207.36.65.253 255.255.255.252
ip nat outside
frame-relay interface-dlci 709
!
router ospf 10
network 10.0.0.0 0.255.255.255 area 10
default-information originate always
!
router bgp 451
neighbor 205.113.49.254 remote-as 1135
neighbor 207.36.65.254 remote-as 216
!
ip nat pool ISP1 205.113.50.1 205.113.51.254 prefix-length 23
ip nat pool ISP2 207.36.76.1 207.36.77.254 prefix-length 23
ip nat inside source route-map ISP1_MAP pool ISP1
ip nat inside source route-map ISP2_MAP pool ISP2
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 207.36.65.254
!
route-map ISP1_MAP permit 10
match ip address 1
match interface Serial1.708
!
route-map ISP2_MAP permit 10
match ip address 1
match ip next-hop 2
!