Problem with NAT (NVI) in multihomed router

luchonat1 (Level 1)

Hello Experts!

I'm having a lot of trouble finishing a router config.

The problem is with static nat/pat.

The scenario has three different ISPs. Two of them are always load balancing the general internet access (NAT overload), and the third is dedicated to allow some specific hosts (NAT overload also).

As you can see, I have three different hosts with NAT/PAT to be reachable from the outside: Bosch (172.16.128.105 ports 442, 443 and 1576 reachable from the first and second ISP public addresses), WindowsServer (172.16.100.3 ports 80, 443, 16001 and 16500 reachable from the third ISP) and LinuxServer (172.16.100.100 port 22 reachable from the third ISP).

But if I try to access them from a different subnet/VLAN, translation also happens somehow and traffic does not go back to the host requesting it.

Also, if I try to access the public NATed IP from the same subnet where the host being NATed resides, the same thing happens!

 

First strange thing is:

If I issue sh ip nat nvi translation | inc ---

tcp 3.3.3.4:80 172.16.100.3:80 --- ---
tcp 3.3.3.4:443 172.16.100.3:443 --- ---
tcp 3.3.3.4:16001 172.16.100.3:16001 --- ---
tcp 3.3.3.4:16500 172.16.100.3:16500 --- ---
tcp 3.3.3.4:22 172.16.100.100:22 --- ---
tcp 2.2.2.2:442 172.16.128.105:442 --- ---
tcp 2.2.2.2:443 172.16.128.105:443 --- ---
tcp 2.2.2.2:1756 172.16.128.105:1756 --- ---

And I would expect three more entries to show up, but they don't... the ones starting with tcp 1.1.1.2:442 172.16.128.105:442 --- ---

 

The second problem is that I cannot access 172.16.100.3:80 from a host, for example 172.16.128.20. Traffic never gets back (I can confirm that the 172.16.100.3 server receives traffic with source IP 172.16.128.20 and sends it back to that IP; I've looked at it with Wireshark). Any other port that is not NATed does not present that problem. Also, issuing:

sh ip nat nvi translations | inc 172.16.100.3:80 yields:

tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61736 172.16.128.20:61736
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61737 172.16.128.20:61737
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61749 172.16.128.20:61749
tcp 3.3.3.4.158:80 172.16.100.3:80 172.16.128.20:61992 172.16.128.20:61992
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61993 172.16.128.20:61993
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61994 172.16.128.20:61994
tcp 3.3.3.4:80 172.16.100.3:80 --- ---

And the same with other NATed ports!

Also tried with a host in another VLAN that does not have the PBR applied (should be the same) and:

tcp 3.3.3.4:80 172.16.100.3:80 192.168.24.2:47982 192.168.24.2:47982 with same results.

Another issue arises when trying to access the public NATed IP from the same subnet where the NAT destination is, for example accessing 1.1.1.1:443 (NATed to 172.16.128.105:443) and 2.2.2.1:443 (also NATed to the same host and port) from host 172.16.128.20: again it does not get the packet back!

And output of sh ip nat nvi translations | inc 172.16.128.105:443 is:

tcp 1.1.1.1:3484 172.16.128.20:3484 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3485 172.16.128.20:3485 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3497 172.16.128.20:3497 1.1.1.1:443 172.16.128.105:443
tcp 2.2.2.1:3844 172.16.128.20:3844 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3845 172.16.128.20:3845 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3857 172.16.128.20:3857 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:443 172.16.128.105:443 --- ---

 

Here's my config:

!
! BLAH
ip cef
no ipv6 cef
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Administrative
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
lease 0 0 10
!
ip dhcp pool PublicWiFi
import all
network 192.168.28.0 255.255.255.0
default-router 192.168.28.1
dns-server 192.168.28.1
lease 0 1
!
object-group network AdminNetworks
description Administrative privileged networks
192.168.16.0 255.255.255.0
192.168.252.0 255.255.255.0
!
object-group network AlwaysThroughTelecom
description This IP will always exit through TELECOM to the internet unless link is down
host 172.16.100.77
host 172.16.100.85
host 172.16.100.86
host 172.16.100.88
!
object-group network EasyVPNNetworks
description VPN networks for VPN clients
192.168.252.0 255.255.255.0
192.168.232.0 255.255.255.0
!
object-group network LocalNetworks
description All local networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
192.168.32.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatEnabled
description Internet Access Nat enabled networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatedThroughTelecom
host 172.16.100.3
host 172.16.100.100
!
username BLAH
!
redundancy
!
!
!
!
lldp run
track timer interface 5
!
track 1 ip sla 1
delay down 90 up 90
!
track 2 ip sla 2
delay down 90 up 90
!
track 3 ip sla 3
delay down 90 up 90
!
no ip ftp passive
!
class-map type inspect match-all ccp-cls--1
match access-group name inside-nav
class-map type inspect match-all ccp-cls--3
match access-group name management-nav
class-map type inspect match-all ccp-cls--2
match access-group name wifi-nav
class-map type inspect match-all ccp-cls--5
match access-group name inside-to-management
class-map type inspect match-all ccp-cls--4
match access-group name management-to-inside
class-map type inspect match-any ccp-cls--6
match access-group name BoschNat
match access-group name LinuxServerNat
match access-group name WindowsServerNat
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--5
class type inspect ccp-cls--5
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--6
class type inspect ccp-cls--6
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop log
!
zone security outside
zone security inside
zone security public-wifi
zone security management
zone-pair security sdm-zp-inside-outside source inside destination outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-public-wifi-outside source public-wifi destination outside
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-management-outside source management destination outside
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-management-inside source management destination inside
service-policy type inspect ccp-policy-ccp-cls--4
zone-pair security sdm-zp-inside-management source inside destination management
service-policy type inspect ccp-policy-ccp-cls--5
zone-pair security sdm-zp-outside-inside source outside destination inside
service-policy type inspect ccp-policy-ccp-cls--6
!
!
crypto isakmp client configuration group management
key BLAH
dns 192.168.252.1
pool SDM_POOL_1
acl roamers
pfs
netmask 255.255.255.0
!
crypto isakmp client configuration group development
key BLAH
dns 192.168.253.1
pool SDM_POOL_2
acl devel-roamers
pfs
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
description Management privileged VPN
match identity group management
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
description Development access to local LANs except management
match identity group development
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address initiate
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile ciscocp-ike-profile-2
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.252.1 255.255.255.0
!
interface Loopback1
ip address 192.168.253.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description FiberCorp$ETH-WAN$
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Telecentro$ETH-WAN$
ip address 2.2.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description snlc-s02-roo-r6a/24
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
description snlc-s06-roo-r6a/25
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
description Telecom Simetrico
switchport access vlan 100
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security management
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
zone-member security inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description Administrative
ip address 192.168.16.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security management

ip policy route-map AlwaysTelecom
!
interface Vlan10
description Servers
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside

ip policy route-map AlwaysTelecom
!
interface Vlan11
description Telephony
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside
!
interface Vlan12
description Public WiFi
ip address 192.168.28.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security public-wifi
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip virtual-reassembly in
zone-member security inside
!
interface Vlan20
description Private LAN & WiFi
ip address 172.16.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside
ip policy route-map AlwaysTelecom
!
interface Vlan21
description Development
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside

ip policy route-map AlwaysTelecom
!
interface Vlan100
description Telecom$ETH-WAN$
ip address 3.3.3.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
!
ip local policy route-map router-local
ip local pool SDM_POOL_1 192.168.252.10 192.168.252.254
ip local pool SDM_POOL_2 192.168.253.10 192.168.253.255
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool FiberCorp-pool 1.1.1.2 1.1.1.2 prefix-length 24
ip nat pool Telecentro-pool 2.2.2.2 2.2.2.2 prefix-length 24
ip nat pool Telecom-pool 3.3.3.2 3.3.3.3 prefix-length 29
ip nat source route-map FiberCorp-nat pool FiberCorp-pool overload
ip nat source route-map Telecentro-nat pool Telecentro-pool overload
ip nat source route-map Telecom-nat pool Telecom-pool overload
ip nat source static tcp 172.16.100.100 22 3.3.3.4 22 extendable
ip nat source static tcp 172.16.100.3 80 3.3.3.4 80 extendable
ip nat source static tcp 172.16.100.3 443 3.3.3.4 443 extendable
ip nat source static tcp 172.16.100.3 16001 3.3.3.4 16001 extendable
ip nat source static tcp 172.16.100.3 16500 3.3.3.4 16500 extendable
ip nat source static tcp 172.16.128.105 442 2.2.2.2 442 extendable
ip nat source static tcp 172.16.128.105 443 2.2.2.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 2.2.2.2 1756 extendable
ip nat source static tcp 172.16.128.105 442 1.1.1.2 442 extendable
ip nat source static tcp 172.16.128.105 443 1.1.1.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 1.1.1.2 1756 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1. 10 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10 track 2
ip route 0.0.0.0 0.0.0.0 3.3.3.1 20 track 3
!
ip access-list standard secure_vty
permit 10.10.10.0 0.0.0.127
permit 192.168.16.0 0.0.0.255
permit 192.168.252.0 0.0.0.255
remark Secure VTY Access
deny any
!
ip access-list extended BoschNat
permit tcp any host 172.16.128.105 eq 442 443 1756
ip access-list extended FiberCorp_Local
permit ip host 1.1.1.2 any
permit icmp host 1.1.1.2 any
ip access-list extended LinuxServerNat
permit tcp any host 172.16.100.100 eq 22
ip access-list extended Telecentro_Local
permit ip host 2.2.2.2 any
permit icmp host 2.2.2.2 any
ip access-list extended Telecom_Local
permit ip host 3.3.3.3 any
permit icmp host 3.3.3.3 any
ip access-list extended WindowsServerNat
permit tcp any host 172.16.100.3 eq www 443 16001 16500
ip access-list extended always-telecom-pbr
deny ip object-group AlwaysThroughTelecom object-group LocalNetworks
deny icmp object-group AlwaysThroughTelecom object-group LocalNetworks
deny ip object-group AlwaysThroughTelecom object-group EasyVPNNetworks
deny icmp object-group AlwaysThroughTelecom object-group EasyVPNNetworks
permit ip object-group AlwaysThroughTelecom any
permit icmp object-group AlwaysThroughTelecom any
deny ip any any
deny icmp any any
ip access-list extended devel-roamers
remark CCP_ACL Category=4
permit ip 172.16.100.0 0.0.0.255 any
permit ip 172.16.128.0 0.0.0.255 any
permit ip 192.168.24.0 0.0.0.255 any
permit ip 192.168.32.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended inside-nav
permit ip object-group NatEnabled any
permit icmp object-group NatEnabled any
ip access-list extended inside-to-management
remark CCP_ACL Category=128
permit ip host 192.168.20.2 192.168.16.0 0.0.0.255
ip access-list extended management-nav
remark CCP_ACL Category=128
permit ip 192.168.16.0 0.0.0.255 any
ip access-list extended management-to-inside
remark CCP_ACL Category=16
deny ip object-group AdminNetworks object-group AdminNetworks
deny icmp object-group AdminNetworks object-group AdminNetworks
permit ip object-group AdminNetworks object-group LocalNetworks
permit icmp object-group AdminNetworks object-group LocalNetworks
ip access-list extended navigation-nat
remark CCP_ACL Category=18
deny ip object-group LocalNetworks object-group LocalNetworks
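The translation rows in the post (source global 3.3.3.4:80, source local 172.16.100.3:80, destination 172.16.128.20:61736) are what you get when a static source entry is applied to a server's replies that never leave the LAN: with NVI every interface carrying "ip nat enable" is a translation boundary, so a reply from 172.16.100.3:80 to another internal VLAN is rewritten to 3.3.3.4:80, and the client discards a SYN-ACK that does not match the 4-tuple it opened. The following is an added example written for this page, not code from the poster or from Cisco: a deliberately simplified Python model of that behaviour that replays the post's flow and the corresponding internet-side flow. It assumes a constructed routing table (Vlan20, Vlan21, Telecom default on Vlan100), a constructed outside client 203.0.113.7, and ignores PBR, the zone firewall and the overload pools; its local_only_to_wan switch models what an ACL/route-map that excludes local destinations from the static translation would achieve, without claiming any particular IOS syntax for it.

```python
"""Toy model of NVI-style static NAT, added as an illustration for this thread.
Not IOS code: it keeps only the static entries from the post and the NVI
property that every 'ip nat enable' interface is a translation boundary."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Static:
    local: str
    lport: int
    glob: str
    gport: int


# A subset of the static entries from the post.
STATIC = [
    Static("172.16.100.100", 22, "3.3.3.4", 22),
    Static("172.16.100.3", 80, "3.3.3.4", 80),
    Static("172.16.100.3", 443, "3.3.3.4", 443),
    Static("172.16.128.105", 443, "2.2.2.2", 443),
]

# Interfaces carrying 'ip nat enable' in the post, and which of them face an ISP.
NAT_ENABLED = {"Vlan20", "Vlan21", "Vlan100", "Gi0/0", "Gi0/1"}
WAN = {"Vlan100", "Gi0/0", "Gi0/1"}


def egress_for(dst: str) -> str:
    """Constructed routing table: two server VLANs plus the Telecom default route."""
    if dst.startswith("172.16.100."):
        return "Vlan20"
    if dst.startswith("172.16.128."):
        return "Vlan21"
    return "Vlan100"


def translate(pkt: Packet, ingress: str, local_only_to_wan: bool = False):
    """Apply the static entries whenever a packet enters and leaves NAT-enabled
    interfaces (the NVI rule).  With local_only_to_wan=True the local->global
    rewrite is skipped unless the packet exits a WAN interface, i.e. the effect
    of excluding local destinations from the translation (assumed policy, the
    IOS syntax is not modelled).  Returns (translated packet, egress interface)."""
    egress = egress_for(pkt.dst)
    if ingress not in NAT_ENABLED or egress not in NAT_ENABLED:
        return pkt, egress
    # global -> local for traffic addressed to a published address/port
    for e in STATIC:
        if (pkt.dst, pkt.dport) == (e.glob, e.gport):
            pkt = replace(pkt, dst=e.local, dport=e.lport)
            egress = egress_for(pkt.dst)
            break
    # local -> global for traffic sourced from a published address/port
    for e in STATIC:
        if (pkt.src, pkt.sport) == (e.local, e.lport):
            if local_only_to_wan and egress not in WAN:
                break
            pkt = replace(pkt, src=e.glob, sport=e.gport)
            break
    return pkt, egress


def nvi_row(before: Packet, after: Packet) -> str:
    """Render one row in the column order of 'show ip nat nvi translations':
    source global, source local, destination local, destination global."""
    return (f"tcp {after.src}:{after.sport} {before.src}:{before.sport} "
            f"{before.dst}:{before.dport} {after.dst}:{after.dport}")


def inside_client_to_server(local_only_to_wan: bool = False) -> dict:
    """Replay the post's flow 172.16.128.20 -> 172.16.100.3:80 and the server's reply."""
    syn = Packet("172.16.128.20", 61736, "172.16.100.3", 80)
    syn_out, _ = translate(syn, "Vlan21", local_only_to_wan)
    # The server answers the address it saw, as the Wireshark capture in the post shows.
    synack = Packet(syn_out.dst, syn_out.dport, syn_out.src, syn_out.sport)
    synack_out, _ = translate(synack, "Vlan20", local_only_to_wan)
    # The client's TCP stack only accepts a SYN-ACK from the 4-tuple it opened.
    accepted = (synack_out.src, synack_out.sport) == (syn.dst, syn.dport)
    return {"reply_row": nvi_row(synack, synack_out),
            "reply_src": f"{synack_out.src}:{synack_out.sport}",
            "client_accepts": accepted}


def internet_client_to_server(local_only_to_wan: bool = False) -> dict:
    """Same check for a constructed outside client 203.0.113.7 arriving via Telecom."""
    syn = Packet("203.0.113.7", 40000, "3.3.3.4", 80)
    syn_out, egress = translate(syn, "Vlan100", local_only_to_wan)
    synack = Packet(syn_out.dst, syn_out.dport, syn_out.src, syn_out.sport)
    synack_out, _ = translate(synack, egress, local_only_to_wan)
    accepted = (synack_out.src, synack_out.sport) == (syn.dst, syn.dport)
    return {"reply_src": f"{synack_out.src}:{synack_out.sport}",
            "client_accepts": accepted}


if __name__ == "__main__":
    for mode in (False, True):
        r = inside_client_to_server(mode)
        print(f"local_only_to_wan={mode}: {r['reply_row']} -> client_accepts={r['client_accepts']}")
```

Run as-is, the first line reproduces the post's row "tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61736 172.16.128.20:61736" with the client rejecting the reply; with the translation limited to WAN egress the reply keeps its 172.16.100.3:80 source and the internet-side flow still works. The same model applies to the 2.2.2.2 entries for 172.16.128.105, which is why the symptom repeats on every published port and only there.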

Hello Experts!

I'm having a lot of trouble to finish a router config.

The problem is with static nat/pat.

The scenario has three different ISP's. Two of them are always load balancing the general internet access (NAT overload), and the third is dedicated to allow some specific hosts (NAT overload also).

As you can see, I have three different hosts with nat/pat to be reachable from the outside: Bosch (172.16.128.105 ports 442, 443 and 1576 reachable from First and Second ISP public addresses), WindowsServer (172.16.100.3 ports 80, 443, 16001 and 16500 reachable from third ISP) and LinuxServer (172.16.100.100 port 22 reachable from third ISP) 

But if I try to access them from a different subnet/VLAN translation also happens somehow and traffic does not go back to the host requesting it.

Also, If I try to access the public nated IP from the same subnet where the host who is being nated resides, same thing happens!

 

First strange thing is:

If i issue sh ip nat nvi translation | inc ---

tcp 3.3.3.4:80 172.16.100.3:80 --- ---
tcp 3.3.3.4:443 172.16.100.3:443 --- ---
tcp 3.3.3.4:16001 172.16.100.3:16001 --- ---
tcp 3.3.3.4:16500 172.16.100.3:16500 --- ---
tcp 3.3.3.4:22 172.16.100.100:22 --- ---
tcp 2.2.2.2:442 172.16.128.105:442 --- ---
tcp 2.2.2.2:443 172.16.128.105:443 --- ---
tcp 2.2.2.2:1756 172.16.128.105:1756 --- ---

And I would expect three more entries to show up but they don't... the ones starting with tcp 1.1.1.2:442 172.16.128.105:442 --- ---

 

Second problem is I cannot access from a host, for example 172.16.128.20 to 172.16.100.3:80. Traffic never reaches back (I can confirm that 172.16.100.3 server recieves traffic with source ip 172.16.128.20 and sends it back to that ip, i've looked at it with wireshark). Any other port that is not nated does not present that problem. Also, issuing:

sh ip nat nvi translations | inc 172.16.100.3:80 yields:

tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61736 172.16.128.20:61736
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61737 172.16.128.20:61737
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61749 172.16.128.20:61749
tcp 3.3.3.4.158:80 172.16.100.3:80 172.16.128.20:61992 172.16.128.20:61992
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61993 172.16.128.20:61993
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61994 172.16.128.20:61994
tcp 3.3.3.4:80 172.16.100.3:80 --- ---

And the same with other nated ports!

Also tried with a host in another vlan that does not have the pbr applied (should be the same) and:

tcp 3.3.3.4:80 172.16.100.3:80 192.168.24.2:47982 192.168.24.2:47982 with same results.


Another issue arises when trying to access the public nated IP from the same subnet where the nat destination is, for example Access 1.1.1.1:443 (nated to 172.16.128.105:443) and 2.2.2.1:443 (also nated to same host and port) with host 172.16.128.20 and does not get packet back again!

And output of sh ip nat nvi translations | inc 172.16.128.105:443 is:

tcp 1.1.1.1:3484 172.16.128.20:3484 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3485 172.16.128.20:3485 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3497 172.16.128.20:3497 1.1.1.1:443 172.16.128.105:443
tcp 2.2.2.1:3844 172.16.128.20:3844 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3845 172.16.128.20:3845 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3857 172.16.128.20:3857 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:443 172.16.128.105:443 --- ---

 

Heres's my config:

!
! BLAH
ip cef
no ipv6 cef
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Administrative
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
lease 0 0 10
!
ip dhcp pool PublicWiFi
import all
network 192.168.28.0 255.255.255.0
default-router 192.168.28.1
dns-server 192.168.28.1
lease 0 1
!
object-group network AdminNetworks
description Administrative privileged networks
192.168.16.0 255.255.255.0
192.168.252.0 255.255.255.0
!
object-group network AlwaysThroughTelecom
description This IP will always exit through TELECOM to the internet unless link is down
host 172.16.100.77
host 172.16.100.85
host 172.16.100.86
host 172.16.100.88
!
object-group network EasyVPNNetworks
description VPN networks for VPN clients
192.168.252.0 255.255.255.0
192.168.232.0 255.255.255.0
!
object-group network LocalNetworks
description All local networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
192.168.32.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatEnabled
description Internet Access Nat enabled networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatedThroughTelecom
host 172.16.100.3
host 172.16.100.100
!
username BLAH
!
redundancy
!
!
!
!
lldp run
track timer interface 5
!
track 1 ip sla 1
delay down 90 up 90
!
track 2 ip sla 2
delay down 90 up 90
!
track 3 ip sla 3
delay down 90 up 90
!
no ip ftp passive
!
class-map type inspect match-all ccp-cls--1
match access-group name inside-nav
class-map type inspect match-all ccp-cls--3
match access-group name management-nav
class-map type inspect match-all ccp-cls--2
match access-group name wifi-nav
class-map type inspect match-all ccp-cls--5
match access-group name inside-to-management
class-map type inspect match-all ccp-cls--4
match access-group name management-to-inside
class-map type inspect match-any ccp-cls--6
match access-group name BoschNat
match access-group name LinuxServerNat
match access-group name WindowsServerNat
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--5
class type inspect ccp-cls--5
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--6
class type inspect ccp-cls--6
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop log
!
zone security outside
zone security inside
zone security public-wifi

Hello Experts!

I'm having a lot of trouble to finish a router config.

The problem is with static nat/pat.

The scenario has three different ISP's. Two of them are always load balancing the general internet access (NAT overload), and the third is dedicated to allow some specific hosts (NAT overload also).

As you can see, I have three different hosts with nat/pat to be reachable from the outside: Bosch (172.16.128.105 ports 442, 443 and 1576 reachable from First and Second ISP public addresses), WindowsServer (172.16.100.3 ports 80, 443, 16001 and 16500 reachable from third ISP) and LinuxServer (172.16.100.100 port 22 reachable from third ISP) 

But if I try to access them from a different subnet/VLAN translation also happens somehow and traffic does not go back to the host requesting it.

Also, If I try to access the public nated IP from the same subnet where the host who is being nated resides, same thing happens!

 

First strange thing is:

If i issue sh ip nat nvi translation | inc ---

tcp 3.3.3.4:80 172.16.100.3:80 --- ---
tcp 3.3.3.4:443 172.16.100.3:443 --- ---
tcp 3.3.3.4:16001 172.16.100.3:16001 --- ---
tcp 3.3.3.4:16500 172.16.100.3:16500 --- ---
tcp 3.3.3.4:22 172.16.100.100:22 --- ---
tcp 2.2.2.2:442 172.16.128.105:442 --- ---
tcp 2.2.2.2:443 172.16.128.105:443 --- ---
tcp 2.2.2.2:1756 172.16.128.105:1756 --- ---

And I would expect three more entries to show up but they don't... the ones starting with tcp 1.1.1.2:442 172.16.128.105:442 --- ---

 

Second problem is I cannot access from a host, for example 172.16.128.20 to 172.16.100.3:80. Traffic never reaches back (I can confirm that 172.16.100.3 server recieves traffic with source ip 172.16.128.20 and sends it back to that ip, i've looked at it with wireshark). Any other port that is not nated does not present that problem. Also, issuing:

sh ip nat nvi translations | inc 172.16.100.3:80 yields:

tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61736 172.16.128.20:61736
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61737 172.16.128.20:61737
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61749 172.16.128.20:61749
tcp 3.3.3.4.158:80 172.16.100.3:80 172.16.128.20:61992 172.16.128.20:61992
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61993 172.16.128.20:61993
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61994 172.16.128.20:61994
tcp 3.3.3.4:80 172.16.100.3:80 --- ---

And the same with other nated ports!

Also tried with a host in another vlan that does not have the pbr applied (should be the same) and:

tcp 3.3.3.4:80 172.16.100.3:80 192.168.24.2:47982 192.168.24.2:47982 with same results.


Another issue arises when trying to access the public nated IP from the same subnet where the nat destination is, for example Access 1.1.1.1:443 (nated to 172.16.128.105:443) and 2.2.2.1:443 (also nated to same host and port) with host 172.16.128.20 and does not get packet back again!

And output of sh ip nat nvi translations | inc 172.16.128.105:443 is:

tcp 1.1.1.1:3484 172.16.128.20:3484 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3485 172.16.128.20:3485 1.1.1.1:443 172.16.128.105:443
tcp 1.1.1.1:3497 172.16.128.20:3497 1.1.1.1:443 172.16.128.105:443
tcp 2.2.2.1:3844 172.16.128.20:3844 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3845 172.16.128.20:3845 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:3857 172.16.128.20:3857 2.2.2.1:443 172.16.128.105:443
tcp 2.2.2.1:443 172.16.128.105:443 --- ---

 

Heres's my config:

!
! BLAH
ip cef
no ipv6 cef
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Administrative
import all
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
lease 0 0 10
!
ip dhcp pool PublicWiFi
import all
network 192.168.28.0 255.255.255.0
default-router 192.168.28.1
dns-server 192.168.28.1
lease 0 1
!
object-group network AdminNetworks
description Administrative privileged networks
192.168.16.0 255.255.255.0
192.168.252.0 255.255.255.0
!
object-group network AlwaysThroughTelecom
description This IP will always exit through TELECOM to the internet unless link is down
host 172.16.100.77
host 172.16.100.85
host 172.16.100.86
host 172.16.100.88
!
object-group network EasyVPNNetworks
description VPN networks for VPN clients
192.168.252.0 255.255.255.0
192.168.232.0 255.255.255.0
!
object-group network LocalNetworks
description All local networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
192.168.32.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatEnabled
description Internet Access Nat enabled networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatedThroughTelecom
host 172.16.100.3
host 172.16.100.100
!
username BLAH
!
redundancy
!
!
!
!
lldp run
track timer interface 5
!
track 1 ip sla 1
delay down 90 up 90
!
track 2 ip sla 2
delay down 90 up 90
!
track 3 ip sla 3
delay down 90 up 90
!
no ip ftp passive
!
class-map type inspect match-all ccp-cls--1
match access-group name inside-nav
class-map type inspect match-all ccp-cls--3
match access-group name management-nav
class-map type inspect match-all ccp-cls--2
match access-group name wifi-nav
class-map type inspect match-all ccp-cls--5
match access-group name inside-to-management
class-map type inspect match-all ccp-cls--4
match access-group name management-to-inside
class-map type inspect match-any ccp-cls--6
match access-group name BoschNat
match access-group name LinuxServerNat
match access-group name WindowsServerNat
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--5
class type inspect ccp-cls--5
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--6
class type inspect ccp-cls--6
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop log
!
zone security outside
zone security inside
zone security public-wifi
zone security management
zone-pair security sdm-zp-inside-outside source inside destination outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-public-wifi-outside source public-wifi destination outside
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-management-outside source management destination outside
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-management-inside source management destination inside
service-policy type inspect ccp-policy-ccp-cls--4
zone-pair security sdm-zp-inside-management source inside destination management
service-policy type inspect ccp-policy-ccp-cls--5
zone-pair security sdm-zp-outside-inside source outside destination inside
service-policy type inspect ccp-policy-ccp-cls--6
!
!
crypto isakmp client configuration group management
key BLAH
dns 192.168.252.1
pool SDM_POOL_1
acl roamers
pfs
netmask 255.255.255.0
!
crypto isakmp client configuration group development
key BLAH
dns 192.168.253.1
pool SDM_POOL_2
acl devel-roamers
pfs
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
description Management privileged VPN
match identity group management
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
description Development access to local LANs except management
match identity group development
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address initiate
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA
set pfs group2
set isakmp-profile ciscocp-ike-profile-2
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.252.1 255.255.255.0
!
interface Loopback1
ip address 192.168.253.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description FiberCorp$ETH-WAN$
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Telecentro$ETH-WAN$
ip address 2.2.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description snlc-s02-roo-r6a/24
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
description snlc-s06-roo-r6a/25
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
description Telecom Simetrico
switchport access vlan 100
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security management
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
zone-member security inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description Administrative
ip address 192.168.16.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security management

ip policy route-map AlwaysTelecom
!
interface Vlan10
description Servers
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside

ip policy route-map AlwaysTelecom
!
interface Vlan11
description Telephony
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside
!
interface Vlan12
description Public WiFi
ip address 192.168.28.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security public-wifi
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip virtual-reassembly in
zone-member security inside
!
interface Vlan20
description Private LAN & WiFi
ip address 172.16.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside
ip policy route-map AlwaysTelecom
!
interface Vlan21
description Development
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside
ip policy route-map AlwaysTelecom
!
interface Vlan100
description Telecom$ETH-WAN$
ip address 3.3.3.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
!
ip local policy route-map router-local
ip local pool SDM_POOL_1 192.168.252.10 192.168.252.254
ip local pool SDM_POOL_2 192.168.253.10 192.168.253.255
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool FiberCorp-pool 1.1.1.2 1.1.1.2 prefix-length 24
ip nat pool Telecentro-pool 2.2.2.2 2.2.2.2 prefix-length 24
ip nat pool Telecom-pool 3.3.3.2 3.3.3.3 prefix-length 29
ip nat source route-map FiberCorp-nat pool FiberCorp-pool overload
ip nat source route-map Telecentro-nat pool Telecentro-pool overload
ip nat source route-map Telecom-nat pool Telecom-pool overload
ip nat source static tcp 172.16.100.100 22 3.3.3.4 22 extendable
ip nat source static tcp 172.16.100.3 80 3.3.3.4 80 extendable
ip nat source static tcp 172.16.100.3 443 3.3.3.4 443 extendable
ip nat source static tcp 172.16.100.3 16001 3.3.3.4 16001 extendable
ip nat source static tcp 172.16.100.3 16500 3.3.3.4 16500 extendable
ip nat source static tcp 172.16.128.105 442 2.2.2.2 442 extendable
ip nat source static tcp 172.16.128.105 443 2.2.2.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 2.2.2.2 1756 extendable
ip nat source static tcp 172.16.128.105 442 1.1.1.2 442 extendable
ip nat source static tcp 172.16.128.105 443 1.1.1.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 1.1.1.2 1756 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1. 10 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10 track 2
ip route 0.0.0.0 0.0.0.0 3.3.3.1 20 track 3
!
ip access-list standard secure_vty
permit 10.10.10.0 0.0.0.127
permit 192.168.16.0 0.0.0.255
permit 192.168.252.0 0.0.0.255
remark Secure VTY Access
deny any
!
ip access-list extended BoschNat
permit tcp any host 172.16.128.105 eq 442 443 1756
ip access-list extended FiberCorp_Local
permit ip host 1.1.1.2 any
permit icmp host 1.1.1.2 any
ip access-list extended LinuxServerNat
permit tcp any host 172.16.100.100 eq 22
ip access-list extended Telecentro_Local
permit ip host 2.2.2.2 any
permit icmp host 2.2.2.2 any
ip access-list extended Telecom_Local
permit ip host 3.3.3.3 any
permit icmp host 3.3.3.3 any
ip access-list extended WindowsServerNat
permit tcp any host 172.16.100.3 eq www 443 16001 16500
ip access-list extended always-telecom-pbr
deny ip object-group AlwaysThroughTelecom object-group LocalNetworks
deny icmp object-group AlwaysThroughTelecom object-group LocalNetworks
deny ip object-group AlwaysThroughTelecom object-group EasyVPNNetworks
deny icmp object-group AlwaysThroughTelecom object-group EasyVP
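To check the two symptoms described in the post against the config, here is an added Python example (not part of the original post and not a Cisco tool): it parses the `ip nat source static` lines and the `show ip nat nvi translations` output, reports configured static entries that have no `--- ---` row in the table, and flags dynamic rows where both the local source and the destination are RFC 1918 addresses, i.e. LAN-to-LAN flows that picked up a translation. It assumes the NVI column order Source global / Source local / Destin local / Destin global; the sample lines are constructed from the post's output, plus one constructed outside client (203.0.113.9) for contrast.

```python
"""Cross-check a Cisco NVI NAT translation table against a config's static NAT lines.

Two checks, both driven by what the post's output shows:
  1. `ip nat source static` entries that have no matching static ('--- ---')
     row in `show ip nat nvi translations`;
  2. dynamic rows in which a translation was applied to a flow whose local
     source and destination are both RFC 1918 addresses (LAN-to-LAN traffic).
Assumed NVI column order: Pro, Source global, Source local, Destin local, Destin global.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Sample input constructed from lines quoted in the post; the 203.0.113.9
# client row is a constructed "genuine outside client" for contrast.
SAMPLE_CONFIG = """\
ip nat source static tcp 172.16.100.100 22 3.3.3.4 22 extendable
ip nat source static tcp 172.16.100.3 80 3.3.3.4 80 extendable
ip nat source static tcp 172.16.128.105 442 2.2.2.2 442 extendable
ip nat source static tcp 172.16.128.105 442 1.1.1.2 442 extendable
ip nat source static tcp 172.16.128.105 443 1.1.1.2 443 extendable
"""

SAMPLE_TABLE = """\
Pro Source global      Source local       Destin  local      Destin  global
tcp 3.3.3.4:80 172.16.100.3:80 --- ---
tcp 3.3.3.4:22 172.16.100.100:22 --- ---
tcp 2.2.2.2:442 172.16.128.105:442 --- ---
tcp 3.3.3.4:80 172.16.100.3:80 172.16.128.20:61736 172.16.128.20:61736
tcp 3.3.3.4:80 172.16.100.3:80 192.168.24.2:47982 192.168.24.2:47982
tcp 2.2.2.2:442 172.16.128.105:442 203.0.113.9:51000 203.0.113.9:51000
"""

# Only RFC 1918 space counts as "inside" here; ipaddress.is_private is wider
# (it also covers documentation ranges such as 203.0.113.0/24).
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


def _endpoint(token: str) -> Optional[Endpoint]:
    """'1.2.3.4:80' -> Endpoint; '---' (no destination recorded) -> None."""
    if token == "---":
        return None
    addr, _, port = token.rpartition(":")
    return Endpoint(addr, int(port))


@dataclass(frozen=True)
class Translation:
    proto: str
    src_global: Endpoint
    src_local: Endpoint
    dst_local: Optional[Endpoint]
    dst_global: Optional[Endpoint]

    @property
    def is_static_row(self) -> bool:
        # A configured static entry shows up with no destination half at all.
        return self.dst_local is None and self.dst_global is None

    def key(self) -> tuple:
        return (self.proto, self.src_global, self.src_local)


STATIC_RE = re.compile(r"^ip nat source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_static_nat(config: str) -> list[Translation]:
    """Turn 'ip nat source static PROTO LOCAL LPORT GLOBAL GPORT' lines into rows."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            statics.append(Translation(proto, Endpoint(gip, int(gport)), Endpoint(lip, int(lport)), None, None))
    return statics


def parse_nvi_table(text: str) -> list[Translation]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp"):
            continue  # header, blank, or a row type this check does not model
        proto, sg, sl, dl, dg = parts
        rows.append(Translation(proto, _endpoint(sg), _endpoint(sl), _endpoint(dl), _endpoint(dg)))
    return rows


def missing_static_rows(config: str, table: str) -> list[Translation]:
    """Configured statics with no '--- ---' row in the table (the post's first symptom)."""
    present = {t.key() for t in parse_nvi_table(table) if t.is_static_row}
    return [s for s in parse_static_nat(config) if s.key() not in present]


def lan_to_lan_translations(table: str) -> list[Translation]:
    """Dynamic rows where a private host's flow to another private host was translated.

    For such a row the client receives the server's reply from src_global (the
    public address) rather than from the server address it contacted; the post's
    'traffic never reaches back' rows are exactly of this shape.
    """
    return [t for t in parse_nvi_table(table)
            if not t.is_static_row
            and is_rfc1918(t.src_local.addr) and is_rfc1918(t.dst_global.addr)]


if __name__ == "__main__":
    for s in missing_static_rows(SAMPLE_CONFIG, SAMPLE_TABLE):
        print(f"static not in table: {s.proto} {s.src_global.addr}:{s.src_global.port} "
              f"-> {s.src_local.addr}:{s.src_local.port}")
    for t in lan_to_lan_translations(SAMPLE_TABLE):
        print(f"LAN-to-LAN flow translated: {t.src_local.addr}:{t.src_local.port} -> "
              f"{t.dst_global.addr}:{t.dst_global.port} seen as {t.src_global.addr}:{t.src_global.port}")
```

Paste the real `show running-config | include ip nat source static` and `show ip nat nvi translations` output into the two sample strings to run the same checks against the live router.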


description snlc-s02-roo-r6a/24
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
description snlc-s06-roo-r6a/25
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
description Telecom Simetrico
switchport access vlan 100
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security management
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
zone-member security inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description Administrative
ip address 192.168.16.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security management

ip policy route-map AlwaysTelecom
!
interface Vlan10
description Servers
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside

ip policy route-map AlwaysTelecom
!
interface Vlan11
description Telephony
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside
!
interface Vlan12
description Public WiFi
ip address 192.168.28.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security public-wifi
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip virtual-reassembly in
zone-member security inside
!
interface Vlan20
description Private LAN & WiFi
ip address 172.16.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
zone-member security inside
ip policy route-map AlwaysTelecom
!
interface Vlan21
description Development
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
zone-member security inside

ip policy route-map AlwaysTelecom
!
interface Vlan100
description Telecom$ETH-WAN$
ip address 3.3.3.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
zone-member security outside
!
ip local policy route-map router-local
ip local pool SDM_POOL_1 192.168.252.10 192.168.252.254
ip local pool SDM_POOL_2 192.168.253.10 192.168.253.255
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool FiberCorp-pool 1.1.1.2 1.1.1.2 prefix-length 24
ip nat pool Telecentro-pool 2.2.2.2 2.2.2.2 prefix-length 24
ip nat pool Telecom-pool 3.3.3.2 3.3.3.3 prefix-length 29
ip nat source route-map FiberCorp-nat pool FiberCorp-pool overload
ip nat source route-map Telecentro-nat pool Telecentro-pool overload
ip nat source route-map Telecom-nat pool Telecom-pool overload
ip nat source static tcp 172.16.100.100 22 3.3.3.4 22 extendable
ip nat source static tcp 172.16.100.3 80 3.3.3.4 80 extendable
ip nat source static tcp 172.16.100.3 443 3.3.3.4 443 extendable
ip nat source static tcp 172.16.100.3 16001 3.3.3.4 16001 extendable
ip nat source static tcp 172.16.100.3 16500 3.3.3.4 16500 extendable
ip nat source static tcp 172.16.128.105 442 2.2.2.2 442 extendable
ip nat source static tcp 172.16.128.105 443 2.2.2.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 2.2.2.2 1756 extendable
ip nat source static tcp 172.16.128.105 442 1.1.1.2 442 extendable
ip nat source static tcp 172.16.128.105 443 1.1.1.2 443 extendable
ip nat source static tcp 172.16.128.105 1756 1.1.1.2 1756 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1. 10 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10 track 2
ip route 0.0.0.0 0.0.0.0 3.3.3.1 20 track 3
!
ip access-list standard secure_vty
permit 10.10.10.0 0.0.0.127
permit 192.168.16.0 0.0.0.255
permit 192.168.252.0 0.0.0.255
remark Secure VTY Access
deny any
!
ip access-list extended BoschNat
permit tcp any host 172.16.128.105 eq 442 443 1756
ip access-list extended FiberCorp_Local
permit ip host 1.1.1.2 any
permit icmp host 1.1.1.2 any
ip access-list extended LinuxServerNat
permit tcp any host 172.16.100.100 eq 22
ip access-list extended Telecentro_Local
permit ip host 2.2.2.2 any
permit icmp host 2.2.2.2 any
ip access-list extended Telecom_Local
permit ip host 3.3.3.3 any
permit icmp host 3.3.3.3 any
ip access-list extended WindowsServerNat
permit tcp any host 172.16.100.3 eq www 443 16001 16500
ip access-list extended always-telecom-pbr
deny ip object-group AlwaysThroughTelecom object-group LocalNetworks
deny icmp object-group AlwaysThroughTelecom object-group LocalNetworks
deny ip object-group AlwaysThroughTelecom object-group EasyVPNNetworks
deny icmp object-group AlwaysThroughTelecom object-group EasyVP


deny icmp object-group LocalNetworks object-group LocalNetworks
permit ip object-group NatEnabled any
permit icmp object-group NatEnabled any
deny ip any any
deny icmp any any
ip access-list extended roamers
remark CCP_ACL Category=4
permit ip 172.16.100.0 0.0.0.255 any
permit ip 172.16.128.0 0.0.0.255 any
permit ip 192.168.16.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.24.0 0.0.0.255 any
permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended static-nat-telecom-pbr
remark CCP_ACL Category=18
deny ip object-group NatedThroughTelecom object-group LocalNetworks
deny ip object-group NatedThroughTelecom object-group EasyVPNNetworks
permit tcp host 172.16.100.3 eq www 443 16001 16500 any established
permit tcp host 172.16.100.100 eq 22 any established
ip access-list extended wifi-nav
remark CCP_ACL Category=128
permit ip 192.168.28.0 0.0.0.255 any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
threshold 40
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-interface Vlan100
threshold 40
timeout 1000
frequency 3
ip sla schedule 3 life forever start-time now
!
route-map Telecom-nat permit 10
match ip address navigation-nat
match interface Vlan100
!
route-map FiberCorp-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/0
!
route-map router-local permit 10
match ip address FiberCorp_Local
set ip next-hop 1.1.1.1
!
route-map router-local permit 20
match ip address Telecentro_Local
set ip next-hop 2.2.2.1
!
route-map router-local permit 30
match ip address Telecom_Local
set ip next-hop 3.3.3.1
!
route-map AlwaysTelecom permit 5
match ip address static-nat-telecom-pbr
set ip next-hop verify-availability 3.3.3.1 10 track 3
!
route-map AlwaysTelecom permit 10
match ip address always-telecom-pbr
set ip next-hop verify-availability 3.3.3.1 10 track 3
!
route-map Telecentro-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/1
!
control-plane
!
!
!

scheduler allocate 20000 1000

event manager applet CLEAR_NAT_ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_DOWN
event track 3 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_UP
event track 3 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
!
end
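To check the first oddity reported above (static entries that are configured but never appear in the translation table) on a box like this one, here is an added Python diagnostic that is not the poster's tooling: it parses the `ip nat source static` lines of a running-config and the static rows of `show ip nat nvi translation`, reports mappings that are configured but not installed, and flags local sockets that the config maps to more than one global address. Both text excerpts are constructed from lines in the post.

```python
import re

# Constructed excerpt of the posted running-config (static NAT lines only).
CONFIG = """\
ip nat source static tcp 172.16.100.100 22 3.3.3.4 22 extendable
ip nat source static tcp 172.16.100.3 80 3.3.3.4 80 extendable
ip nat source static tcp 172.16.128.105 442 2.2.2.2 442 extendable
ip nat source static tcp 172.16.128.105 442 1.1.1.2 442 extendable
ip nat source static tcp 172.16.128.105 443 1.1.1.2 443 extendable
"""
# Constructed excerpt of 'show ip nat nvi translation | inc ---'; the columns are
# protocol, source global, source local, destination local, destination global.
SHOW_NVI = """\
tcp 3.3.3.4:80 172.16.100.3:80 --- ---
tcp 3.3.3.4:22 172.16.100.100:22 --- ---
tcp 2.2.2.2:442 172.16.128.105:442 --- ---
"""

# Config syntax is: ip nat source static <proto> <local-ip> <local-port> <global-ip> <global-port>
STATIC_RE = re.compile(r"^ip nat source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
NVI_RE = re.compile(r"^(tcp|udp) (\S+):(\d+) (\S+):(\d+) --- ---", re.M)


def configured_statics(config):
    """Static mappings as (proto, global_ip, global_port, local_ip, local_port)."""
    return {(p, g, int(gp), loc, int(lp)) for p, loc, lp, g, gp in STATIC_RE.findall(config)}


def installed_statics(show_output):
    """Same tuple shape, taken from the static rows of the NVI translation table."""
    return {(p, g, int(gp), loc, int(lp)) for p, g, gp, loc, lp in NVI_RE.findall(show_output)}


def missing_translations(config, show_output):
    """Mappings the config asks for that the router has not installed."""
    return sorted(configured_statics(config) - installed_statics(show_output))


def ambiguous_locals(config):
    """Local sockets mapped to more than one global address. Outbound traffic from such
    a socket has no single translation, so this is the first thing to look at when entries fail to appear."""
    by_local = {}
    for p, g, gp, loc, lp in configured_statics(config):
        by_local.setdefault((p, loc, lp), set()).add(g)
    return {k: sorted(v) for k, v in by_local.items() if len(v) > 1}


if __name__ == "__main__":
    for p, g, gp, loc, lp in missing_translations(CONFIG, SHOW_NVI):
        print(f"not installed: {p} {g}:{gp} -> {loc}:{lp}")
    for (p, loc, lp), globals_ in ambiguous_locals(CONFIG).items():
        print(f"{p} {loc}:{lp} is mapped to {', '.join(globals_)}")
```

Feed it the real `show running-config | inc ip nat source static` and `show ip nat nvi translation | inc ---` output to get the same report for the full box.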
1 Reply

Hello,


I'll have a look...