814 Views, 4 Helpful, 12 Replies

Preventing 2 different NAT instances from hopping across public interfaces

packetfish
Level 1

PROBLEM:

A subnet NAT'ing out DSL occasionally ends up going across another public interface and then out on the internet, in a setup with 2 different private subnets that each NAT out their own public interface.

DETAILS:

For sake of example:

Outside Interfaces:
DSL: 1.1.1.1, next-hop indicated in route table 5.5.5.5
Bonded Multilink: 2.2.2.2, next-hop 3.3.3.3

Inside Interfaces:
Eth1: 6.6.6.6/24 (Hardwired LAN)
Eth2: 7.7.7.7/24 (Wifi)

CONFIG:

ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source route-map nonat interface Multilink1 overload
ip nat inside source list 1 interface Dialer0 overload

route-map nonat = 6.6.6.6/24 (Hardwired LAN) permitted to NAT, and a VPN subnet (not listed) that is excluded from NAT

list 1 = 7.7.7.7/24 (Wifi)

Things I've tried that didn't work to effectively fully segment the NAT instances...

- setting next-hop in a route-map

- inserting Null routes so the proper route gets picked up out of the translation table and doesn't get to its NAT interface only to hop over and out another public interface.

*I think setting next-hop on my DSL doesn't work because of the setup bridging-wise on the ISP side

Appreciate any help. I'm sure it's some minor little oversight, but my main issue is simply to just have wifi NAT out DSL only, no hopping over and out via another public and vice-versa.

12 Replies

Edison Ortiz
Hall of Fame

Configure PBR (Policy Based Routing):

ip access-list standard wifi
 permit [wifi subnet]
ip access-list standard dsl
 permit [everyone else]

route-map internet permit 10
 match ip address wifi
 set interface Dialer0
route-map internet permit 20
 match ip address dsl
 set interface Multilink1

at the ingress interface on the router

interface fx/x
 ip policy route-map internet

HTH,

__

Edison.

Thanks much Edison. I will try this towards the end of the day when the office thins out. Good to know I wasn't too far off base. I was setting next-hop which didn't seem to want to work.

I will report back on how things turned out.

It worked beautifully to stop my hopping across public but with one caveat. It more or less broke my VPN. For some reason I could not pass about every other packet in a ping.

So I added a route for the VPN network to get it to work and it seemed like it did, but now it's not again. It's very random in terms of passing packets reliably.

Suggestions appreciated.

Please post config.

I will as soon as I have 5 seconds.... I'm sure it will help to see the 'actual' config.

Thanks for your patience and assistance.

The config below works as far as keeping NAT instances from hopping over and out another public once they get to their NAT outside interface, however it breaks access to other local subnets connected to the router for ANY interface with ip policy applied. It also causes about 50% or more packet loss across my VPN tunnel.

Hopefully I didn't leave anything out that is applicable to review, which I sincerely appreciate.

Assume for my example, our subnet we hit via VPN is 8.8.0.0/16, and again 2.2.2.2 is my Multilink IP which my tunnel is set up on.

It might be as simple as adding a few routes or some minor ACL tweaks but I have not been able to do much more testing since I have a full office of people using the network.

!
ip dhcp pool LAN-USERS
 network 6.6.6.0 255.255.255.0
 dns-server 6.6.6.1
 default-router 6.6.6.1
!
ip dhcp pool WIRELESS-USERS
 network 7.7.7.0 255.255.255.0
 dns-server 7.7.7.1
 default-router 7.7.7.1
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address
!
!
crypto ipsec transform-set MY-transform-set esp-3des esp-md5-hmac
!
crypto map MY-tunnel-515e 10 ipsec-isakmp
 set peer
 set transform-set MY-transform-set
 match address 110
!
!
interface Multilink1
 description BONDED 2xT1
 ip address 2.2.2.2 255.255.255.252
 ip access-group 120 in <-to block port scans
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 105 256000 65536 65536 conform-action set-prec-transmit 5 exceed-action set-prec-continue 5
 ip route-cache flow
 no ip mroute-cache
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 crypto map MY-tunnel-515e
 service-policy output policy1
!
interface FastEthernet0/0
 description LAN-USERS
 ip address 6.6.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip policy route-map NAT-CNTRL
 no ip mroute-cache
 duplex full
 speed 100
!
interface Dialer0
 description DSL
 bandwidth inherit
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 dialer pool 1
 ppp pap sent-username password 0
!
interface FastEthernet0/1
 description WIRELESS-USERS
 ip address 7.7.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip policy route-map NAT-CNTRL
 no ip mroute-cache
 duplex full
 speed 100
!
!
!! VOIP/PBX COMES IN VIA HERE FROM
!! A 16 PORT PoE module
interface GigabitEthernet1/0
 description RTR-to-SW-Interconnect
 ip address 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map NAT-CNTRL
 no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 6.6.6.0 255.255.255.0 FastEthernet0/0
ip route 7.7.7.0 255.255.255.0 FastEthernet0/1
ip route 255.255.255.0
ip route 255.255.255.0
ip nat inside source list LAN-MULTI interface Multilink1 overload
ip nat inside source list WIFI-DSL interface Dialer0 overload
ip nat inside source static udp 5060 interface Loopback66 5060
ip nat inside source static tcp 5060 interface Loopback66 5060
!
ip access-list standard WIFI-DSL
 permit 7.7.7.0 0.0.0.255
!
!
ip access-list extended LAN-MULTI
 deny ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255
 permit ip 6.6.6.0 0.0.0.255 any
 permit ip host any
 deny ip any any
!
access-list 110 remark CRYPTO-list for VPN-office-tunnel-Serial
access-list 110 permit ip host 2.2.2.2 host
access-list 110 permit ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255
route-map NAT-CNTRL permit 10
 match ip address WIFI-DSL
 set interface Dialer0
!
route-map NAT-CNTRL permit 20
 match ip address LAN-MULTI
 set interface Multilink1

If you have other networks in addition to 6.6.6.0/24 sitting behind this router, you need to add them in the LAN-MULTI ACL with a deny statement similar to deny ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255

__

Edison.

Edison:

You are a gentleman and a scholar. I got everything working exactly as planned this weekend based on your initial post. Just was a little rusty on policy routing, and a few things gave me grief in terms of the right combo of routes and policy statements.

Thanks for your help!

Glad to be of help and remember to rate helpful posts :)

__

Edison.

By setting interface I now also effectively break routing between my internal subnets. My goal was only to isolate the NAT instances so one inside subnet doesn't get to its public only to hop over to the other public out the other link, not make it so internal subnets can't reach each other.

Is it impossible for me to isolate 2 NAT instances and still be able to do that?

Thanks again.

You can add the internal src/dst networks in the route-map as a deny, hence they won't be affected by the PBR.

Posting the config will also help.

Mohamed Sobair
Level 7

Hi,

As Edison pointed out, denying the Crypto-list in the access-list of the route-map should prevent your VPN from going through the PBR process towards the internet or being dropped.

route-map NAME permit 10
 match ip address 100
 set interface Dialer0
route-map NAME permit 20
 match ip address 101
 set interface Multilink1

access-list 100 deny ip (Your Local VPN subnet) (Your Remote VPN subnet)
access-list 100 permit ip (Desired 1st LAN subnet) any
access-list 101 deny ip (Your Local VPN subnet) (Your Remote VPN subnet)
access-list 101 permit ip (Desired 2nd LAN subnet) any

HTH

Mohamed
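The point Edison and Mohamed are both making is easy to get backwards: in an ACL referenced by a route-map `permit` clause, a `deny` entry does not drop the packet, it only means "this clause does not match", so the packet falls through to the next clause and, if nothing matches, to the normal routing table. That is exactly what you want for inside-to-inside and inside-to-VPN traffic. The following Python model, added here as an illustration (it is not Cisco code and not part of the thread), simulates that evaluation over the thread's own sanitized addresses (6.6.6.0/24 LAN, 7.7.7.0/24 wifi, 8.8.0.0/16 VPN) and compares the ACLs as originally posted with a corrected set that adds the deny entries suggested in the replies. The wildcard-mask matcher, the constructed internet address 203.0.113.5, and the corrected ACL contents are assumptions of this example; a real IOS standard ACL only checks the source address, which the model represents with a "don't care" destination.

```python
import ipaddress

def _int(addr):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) ^ _int(network)) & care == 0

# "any" in IOS is network 0.0.0.0 with wildcard 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")

def acl_lookup(acl, src, dst):
    """First matching ACE wins; returns 'permit', 'deny' or None (implicit deny)."""
    for action, s_net, s_wild, d_net, d_wild in acl:
        if wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild):
            return action
    return None

def pbr_egress(route_map, acls, src, dst):
    """Walk the route-map permit clauses in sequence order.

    Only an ACL *permit* matches a clause; an ACL *deny* or no match moves on to
    the next clause, and if no clause matches the packet is forwarded by the
    normal routing table (it is not dropped).
    """
    for _seq, acl_name, iface in route_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            return iface
    return "routing-table"

# Route-map from the thread: (sequence, match ACL, set interface)
NAT_CNTRL = [(10, "WIFI-DSL", "Dialer0"), (20, "LAN-MULTI", "Multilink1")]

# ACLs as posted. WIFI-DSL is a standard ACL (source only); LAN-MULTI already
# excludes the VPN subnet but neither ACL excludes the other inside subnet.
# (The elided "permit ip host ... any" line is left out of the model.)
AS_POSTED = {
    "WIFI-DSL": [("permit", "7.7.7.0", "0.0.0.255", *ANY)],
    "LAN-MULTI": [
        ("deny",   "6.6.6.0", "0.0.0.255", "8.8.0.0", "0.0.255.255"),
        ("permit", "6.6.6.0", "0.0.0.255", *ANY),
    ],
}

# Corrected per the replies (constructed here): deny inside-to-inside and
# inside-to-VPN traffic in both ACLs so those flows skip PBR and use the
# routing table, while everything else is still pinned to its own uplink.
CORRECTED = {
    "WIFI-DSL": [
        ("deny",   "7.7.7.0", "0.0.0.255", "6.6.6.0", "0.0.0.255"),
        ("deny",   "7.7.7.0", "0.0.0.255", "8.8.0.0", "0.0.255.255"),
        ("permit", "7.7.7.0", "0.0.0.255", *ANY),
    ],
    "LAN-MULTI": [
        ("deny",   "6.6.6.0", "0.0.0.255", "7.7.7.0", "0.0.0.255"),
        ("deny",   "6.6.6.0", "0.0.0.255", "8.8.0.0", "0.0.255.255"),
        ("permit", "6.6.6.0", "0.0.0.255", *ANY),
    ],
}

if __name__ == "__main__":
    # Constructed flows: wifi->LAN, LAN->VPN, wifi->internet, LAN->internet
    flows = [("7.7.7.10", "6.6.6.20"), ("6.6.6.10", "8.8.1.1"),
             ("7.7.7.10", "203.0.113.5"), ("6.6.6.10", "203.0.113.5")]
    for src, dst in flows:
        posted = pbr_egress(NAT_CNTRL, AS_POSTED, src, dst)
        fixed = pbr_egress(NAT_CNTRL, CORRECTED, src, dst)
        print(f"{src:>10} -> {dst:<12} as posted: {posted:<14} corrected: {fixed}")
```

Running it shows the failure the original poster saw: with the ACLs as posted, a wifi host talking to the wired LAN is policy-routed out Dialer0 instead of being delivered locally, while with the deny entries in place that flow (and LAN-to-VPN traffic, which the crypto map must still see on Multilink1) falls through to the routing table and only internet-bound traffic is steered to its own uplink.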
