Port Forwaring Issue on two internet link

hseakleang1 · ‎09-18-2016

I have two internet links.

I configure port forwarding for these two internet link into my internal server.
After i configure, port forwarding only work on first ISP1. It doesn't work on ISP2 and i try to ping ISP2 link but it requests timeout.

If i shutdown ISP1, port forwarding works fine on ISP2. But if both link are active at the same time, port forwarding on ISP2 doestn't work.

For internet access on both link is fine, client can access on both link.

The IOS version is :Version 15.0(1r)M9

interface GigabitEthernet0/0
description To_Internal
ip address 192.168.2.1 255.255.255.252
ip flow ingress
ip nat inside
ip virtual-reassembly
ip policy route-map tointernet
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP1
ip address 1.1.1.1 255.255.255.224
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 512
duplex auto
speed auto
!
interface GigabitEthernet0/2
description ISP2
ip address 2.2.2.1 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip nat inside source static esp 192.168.2.2 interface GigabitEthernet0/1
ip nat inside source route-map ISPA interface GigabitEthernet0/1 overload
ip nat inside source route-map ISPB interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.2 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.1.2 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.1.2 80 2.2.2.1 80 extendable
ip nat inside source static tcp 192.168.1.2 443 2.2.2.1 443 extendable

ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2

Georg Pauwen · ‎09-18-2016

Hello,

can you also post the configs of the route maps ISPA and ISPB (and also the route map 'tointernet') ? Is there a specific reason why you don't have the route maps applied to your static NAT mappings as well ?

hseakleang1 · ‎09-19-2016

Hello,

Please find the config.

For route map, i just configure specific IP to ISP2 and other to ISP1.

interface GigabitEthernet0/0
description To_Internal
ip address 192.168.2.1 255.255.255.252
ip flow ingress
ip nat inside
ip virtual-reassembly
ip policy route-map tointernet
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP1
ip address 1.1.1.1 255.255.255.224
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 512
duplex auto
speed auto
!
interface GigabitEthernet0/2
description ISP2
ip address 2.2.2.1 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

ip nat inside source static esp 192.168.2.2 interface GigabitEthernet0/1
ip nat inside source route-map ISPA interface GigabitEthernet0/1 overload
ip nat inside source route-map ISPB interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.2 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.1.2 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.1.2 80 2.2.2.1 80 extendable
ip nat inside source static tcp 192.168.1.2 443 2.2.2.1 443 extendable

ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2

access-list 1 permit any
access-list 10 permit any
access-list 11 permit any
access-list 100 permit ip 192.168.1.100 255.255.255.255 any
!
route-map tointernet permit 10
match ip address 100
set ip next-hop 2.2.2.2
!
route-map tointernet permit 20
match ip address 1
set ip next-hop 1.1.1.2
!
route-map ISPB permit 10
match ip address 11
match interface GigabitEthernet0/2
!
route-map ISPA permit 10
match ip address 10
match interface GigabitEthernet0/1

Georg Pauwen · ‎09-19-2016

Hello,

just for clarification purposes: your inside NAT interface is GigabitEthernet0/0, which has IP address 192.168.2.1/30, which leaves only one other host address available, 192.168.2.2/30.

Your server address is 192.168.1.2 I assume ? You also have 192.168.1.100 in your access list. Assuming that this belongs to subnet 192.168.1.0/24, where is that subnet connected to ? Is there another device connected to the device of which you posted the configuration ?

hseakleang1 · ‎09-19-2016

Hello,

Yes, I have another layer 3 device placing behind that router.