
Policy Based Routing with NAT

ovieira
Level 1

Hi!

I have a CS1750 router on which I'm trying to implement PBR with NAT. I can't seem to get it working because the IP traffic always flows out the same output interface. I'm trying to test a real situation where one can have 2 Internet links (Frame-Relay and ADSL), and I want to have the email traffic (POP3 and SMTP) going through the Frame-Relay link and the rest (http, ftp, p2p...) through the ADSL link.

Here's the configuration:

hostname CS1750
!
ip cef
!
interface FastEthernet0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip policy route-map PBR
!
interface Serial0
 description *** FRAME-RELAY - 250Kbps ***
 ip nat outside
 encapsulation frame-relay
 ip route-cache policy
 no fair-queue
!
interface Serial0.1 point-to-point
 ip address 10.10.20.1 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16
!
interface Serial1
 description *** HDLC - 2Mbps ***
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
 ip route-cache policy
 no fair-queue
!
ip nat inside source route-map NAT-ADSL interface Serial1 overload
ip nat inside source route-map NAT-FR interface Serial0.1 overload
!
ip classless
!
ip access-list extended ADSL
 permit icmp 192.168.10.0 0.0.0.255 any
 permit ip any any
 remark *** All Traffic ***
!
ip access-list extended FR
 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
 permit tcp 192.168.10.0 0.0.0.255 any eq pop3
 remark *** Email Traffic (SMTP e POP3) ***
!
route-map PBR permit 10
 match ip address FR
 set interface Serial0.1
!
route-map PBR permit 20
 match ip address ADSL
 set interface Serial1
!
route-map PBR permit 30
 set default interface Null0
!
route-map NAT-FR permit 10
 match ip address FR
!
route-map NAT-ADSL permit 10
 match ip address ADSL
!

Thanks for your attention.

Regards.

14 Replies

Harold Ritter
Cisco Employee

Make sure that the ADSL ACL denies traffic that is allowed in the FR ACL. Otherwise "permit ip any any" will match all traffic, which will cause some traffic to go out via serial0.1 but with a natted source address of serial1. Your ACL should look like this:

ip access-list extended ADSL
 deny tcp 192.168.10.0 0.0.0.255 any eq smtp
 deny tcp 192.168.10.0 0.0.0.255 any eq pop3
 permit icmp 192.168.10.0 0.0.0.255 any
 permit ip any any
 remark *** All Traffic ***

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi!

Thanks for your answer. I've tried that already, with success. The problem I have now is that I want my solution to be redundant: if one of the Internet links goes down, all traffic should go through the other link. With the ACL you mentioned that can't happen.

Regards.

Hi Ovieira,

I do not think that is possible because NAT fallback is not possible. As you must be having 2 different ISPs, NAT will be different for the 2 interfaces and that is kinda not possible.

It would have been possible if you had 2 routers and ran HSRP between the Ethernet LAN links, terminating one ISP on one router and the other ISP on the other router.

Regards,

Ankur

Hi!

I don't think this is NAT fallback. I want first to decide which Internet link to use, using PBR, and then do the NAT that is configured for that output interface.

Thanks.

Hi,

Your PBR says that traffic coming from this source for a particular port number goes out interface x, for example, and if that interface goes down there is no ACL saying it falls back to the other interface. So it's kinda PBR fallback and also NAT fallback, because if the first interface goes down both PBR and NAT should work for the other interface, which I think is not possible on a single router.

Regards,

Ankur

Hi,

Here the ACL does the following:

1: If permit, no action is taken.

2: If deny, then the packets are routed as per the policy routing settings.

Thus you need to define the ACL in such a way that packets that need to use the PBR are denied and the rest are permitted.

Thanks

Hi!

What ACL are you referring to? I have a Cisco document that says that the router first deals with PBR and then NAT. So, after the router decides which link to use for output packets, NAT should be applied according to the output interface, right?

Regards.

Kumar here.

Please try the method that I sent to you before.

Instead of permit, please use deny.

It has to work.

Hi Kumar!

Please confirm which ACL you are referring to.

Thanks.

I think he's talking about this:

ip access-list extended ADSL
 permit icmp 192.168.10.0 0.0.0.255 any
 permit ip any any
 remark *** All Traffic ***
!
ip access-list extended FR
 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
 permit tcp 192.168.10.0 0.0.0.255 any eq pop3
 remark *** Email Traffic (SMTP e POP3) ***
!

Since you have permit ip any any on ADSL, your pop3/smtp traffic will also hit this ADSL ACL. Clearly defining the ACLs for PBR/NAT will be convenient for your future troubleshooting, and it's a very common and recommended practice.

So what you need will be:

!
ip access-list extended ADSL
 deny tcp 192.168.10.0 0.0.0.255 any eq smtp
 deny tcp 192.168.10.0 0.0.0.255 any eq pop3
 permit icmp 192.168.10.0 0.0.0.255 any
 permit ip any any
 remark *** OTHER Traffic ***
!
ip access-list extended FR
 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
 permit tcp 192.168.10.0 0.0.0.255 any eq pop3
 remark *** Email Traffic (SMTP e POP3) ***
!

This one will only redirect ICMP packets:

ip access-list extended ADSL
 deny icmp 192.168.10.0 0.0.0.255 any
 permit ip any any
 remark *** All Traffic ***
!

This one will only redirect SMTP and POP3:

ip access-list extended FR
 deny tcp 192.168.10.0 0.0.0.255 any eq smtp
 deny tcp 192.168.10.0 0.0.0.255 any eq pop3
 remark *** Email Traffic (SMTP e POP3) ***

alfredshum
Level 1

Try to use "match interface" for the NAT:

!
route-map NAT-FR permit 10
 match interface s0.1
!
route-map NAT-ADSL permit 10
 match interface s1
!
ip nat inside source route-map NAT-ADSL interface Serial1 overload
ip nat inside source route-map NAT-FR interface Serial0.1 overload
!

For your PBR, you need to set a secondary interface:

route-map PBR permit 10
 match ip address FR
 set interface Serial0.1 Serial1
!
route-map PBR permit 20
 match ip address ADSL
 set interface Serial1 Serial0.1
!

But I doubt the PBR will work when the FR cloud has problems and your interface link status is still up.

And please also follow kumar's suggestion to change your ACLs accordingly.
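To see why the first-match ACL ordering in Harold Ritter's answer matters, and why alfredshum's "match interface" ties the translation to the link the packet actually leaves on, here is an added Python simulation. It is not code from this thread or from Cisco IOS; it models top-down ACL evaluation, the PBR route-map with primary and secondary set interfaces, and the NAT route-maps, then runs the thread's SMTP case through the original ACLs, the ACLs with deny lines, and the match-interface variant with the Frame-Relay link down. Interface names, ACL contents and ports are taken from the thread. The sample packets are constructed, and two rules are simplifying assumptions of the model: the first matching "ip nat inside source" statement (in configuration order) wins, and a PBR clause whose set interfaces are all down hands the packet to the routing table.

```python
"""Constructed model of first-match ACLs, a PBR route-map and NAT route-maps on
one IOS router. Added illustration for this thread, not IOS code and not any
poster's configuration; evaluation rules are simplifying assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any" written as address + wildcard
LAN = ("192.168.10.0", "0.0.0.255")    # the inside subnet from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are don't-care."""
    ip_i, net_i, wc_i = (int(ip_address(x)) for x in (ip, net, wildcard))
    return (ip_i | wc_i) == (net_i | wc_i)


# An ACE is (action, proto, (src_net, src_wildcard), dport-or-None).
def acl_permits(acl: list, pkt: Packet) -> bool:
    """Top-down evaluation; first matching entry wins; implicit deny at the end."""
    for action, proto, (net, wc), dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, net, wc):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


# A PBR clause is (ACL name, [interfaces listed in 'set interface']).
def pbr_egress(clauses: list, acls: dict, pkt: Packet, link_up: dict) -> Optional[str]:
    """First clause whose ACL permits the packet decides; the first listed
    interface that is up is used. None = fall back to the routing table (assumption)."""
    for acl_name, interfaces in clauses:
        if acl_permits(acls[acl_name], pkt):
            return next((i for i in interfaces if link_up.get(i)), None)
    return None


# NAT rules are ('ip nat inside source route-map' name, translation interface)
# in configuration order; a route-map clause may match an ACL, an interface or both.
def nat_interface(rules: list, route_maps: dict, acls: dict, pkt: Packet,
                  egress: Optional[str]) -> Optional[str]:
    """First NAT rule with a fully matching route-map clause wins (assumption)."""
    for rm_name, nat_if in rules:
        for clause in route_maps[rm_name]:
            if "acl" in clause and not acl_permits(acls[clause["acl"]], pkt):
                continue
            if "interface" in clause and clause["interface"] != egress:
                continue
            return nat_if
    return None


# --- the thread's objects (ports: smtp=25, pop3=110) ---
FR_ACL = [("permit", "tcp", LAN, 25), ("permit", "tcp", LAN, 110)]
ADSL_ORIGINAL = [("permit", "icmp", LAN, None), ("permit", "ip", ANY, None)]
ADSL_WITH_DENY = [("deny", "tcp", LAN, 25), ("deny", "tcp", LAN, 110)] + ADSL_ORIGINAL

PBR_ORIGINAL = [("FR", ["Serial0.1"]), ("ADSL", ["Serial1"])]
PBR_SECONDARY = [("FR", ["Serial0.1", "Serial1"]), ("ADSL", ["Serial1", "Serial0.1"])]

NAT_RULES = [("NAT-ADSL", "Serial1"), ("NAT-FR", "Serial0.1")]   # order as configured
NAT_BY_ACL = {"NAT-FR": [{"acl": "FR"}], "NAT-ADSL": [{"acl": "ADSL"}]}
NAT_BY_INTERFACE = {"NAT-FR": [{"interface": "Serial0.1"}],
                    "NAT-ADSL": [{"interface": "Serial1"}]}

BOTH_UP = {"Serial0.1": True, "Serial1": True}
FR_DOWN = {"Serial0.1": False, "Serial1": True}

# Constructed sample packets (destinations are documentation addresses).
SMTP = Packet("192.168.10.5", "203.0.113.25", "tcp", 25)
HTTP = Packet("192.168.10.5", "203.0.113.80", "tcp", 80)


def forward(pkt, adsl_acl, pbr, nat_maps, link_up):
    """Return (PBR egress interface, interface whose address NAT will use)."""
    acls = {"FR": FR_ACL, "ADSL": adsl_acl}
    egress = pbr_egress(pbr, acls, pkt, link_up)
    return egress, nat_interface(NAT_RULES, nat_maps, acls, pkt, egress)


if __name__ == "__main__":
    for label, adsl, pbr, nat in [
        ("original ACLs", ADSL_ORIGINAL, PBR_ORIGINAL, NAT_BY_ACL),
        ("deny lines in ADSL", ADSL_WITH_DENY, PBR_ORIGINAL, NAT_BY_ACL),
        ("deny lines + secondary interface", ADSL_WITH_DENY, PBR_SECONDARY, NAT_BY_ACL),
        ("match interface in NAT maps", ADSL_WITH_DENY, PBR_SECONDARY, NAT_BY_INTERFACE),
    ]:
        for state, links in (("both up", BOTH_UP), ("FR down", FR_DOWN)):
            egress, nat_if = forward(SMTP, adsl, pbr, nat, links)
            verdict = "OK" if egress == nat_if else "MISMATCH"
            print(f"{label:34} {state:8} egress={egress} nat={nat_if} {verdict}")
```

With the original ACLs the SMTP packet is policy-routed out Serial0.1 but the NAT-ADSL statement, listed first and matching "permit ip any any", translates it to Serial1's address, which is the mismatch Harold describes. The deny lines fix that while both links are up, but once Serial0.1 is down and the secondary set interface sends mail out Serial1, an ACL-only NAT-FR map still claims the packet for the Serial0.1 address; matching on the interface instead keeps the translation aligned with whichever link PBR actually chose.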

kamlesh_s1181
Level 1

Hi friend,

Here is the config from Jeff Doyle for load balancing and redundancy with two ISPs; for the diagram, read the Jeff Doyle 2.

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 10.5.1.1 255.255.255.0
 ip nat inside
!
interface Serial1
 no ip address
 encapsulation frame-relay
!
interface Serial1.708 point-to-point
 description PVC to ISP1
 ip address 205.113.49.253 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 708
!
interface Serial1.709 point-to-point
 description PVC to ISP2
 ip address 207.36.65.253 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 709
!
router ospf 10
 network 10.0.0.0 0.255.255.255 area 10
 default-information originate always
!
router bgp 451
 neighbor 205.113.49.254 remote-as 1135
 neighbor 207.36.65.254 remote-as 216
!
ip nat pool ISP1 205.113.50.1 205.113.51.254 prefix-length 23
ip nat pool ISP2 207.36.76.1 207.36.77.254 prefix-length 23
ip nat inside source route-map ISP1_MAP pool ISP1
ip nat inside source route-map ISP2_MAP pool ISP2
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 207.36.65.254
!
route-map ISP1_MAP permit 10
 match ip address 1
 match interface Serial1.708
!
route-map ISP2_MAP permit 10
 match ip address 1
 match ip next-hop 2
!
