10-24-2011 01:52 PM - edited 03-04-2019 02:02 PM
I had a few static NAT problems last week when configuring a Cisco 892.
I have 2 Dialers for PPPoE and CEF per-destination load balancing. Everything is OK except static NAT, which doesn't work! Or... it works randomly... yes/no, yes/no... sometimes I can't ping the WANs from the outside...
IOS is 15.0; I tried 15.2 and 12.4 too.
Config is like this...
!
! No configuration change since last restart
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mad-router1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.235.201 192.168.235.255
ip dhcp excluded-address 192.168.235.1 192.168.235.100
ip dhcp excluded-address 192.168.11.201 192.168.11.255
!
ip dhcp pool LAN
import all
network 192.168.235.0 255.255.255.0
default-router 192.168.235.3
domain-name office.mad.net
dns-server 192.168.235.3
lease 3
!
!
ip cef
ip domain name office.mad.net
ip name-server 217.237.151.142
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FCZ1538C5Q2
!
!
!
!
ip ssh version 2
!
track 1 interface Dialer1 ip routing
!
track 2 interface Dialer2 ip routing
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
description LAN
!
!
interface FastEthernet1
description VOIP
switchport access vlan 2
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN02
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
no cdp enable
!
!
interface GigabitEthernet0
description WAN01
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface Vlan1
description LAN
ip address 192.168.235.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
description VOIP
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Dialer1
description PPPoE for T-Home modem (white)
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx1
ppp chap password 0 xxxxxxx1
ppp pap sent-username xxx1 password 0 xxxxxxx1
!
!
interface Dialer2
description PPPoE for Linksys/Cisco modem (black)
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxx2
ppp chap password 0 xxxxxxx2
ppp pap sent-username xxx2 password 0 xxxxxxx1
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.235.9 80 interface Dialer1 80
ip nat inside source static tcp 192.168.235.3 23 interface Dialer1 23
ip nat inside source static tcp 192.168.235.10 9000 interface Dialer1 9000
ip nat inside source static tcp 192.168.235.10 443 interface Dialer1 443
ip nat inside source static tcp 192.168.235.10 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.235.3 22 interface Dialer1 22
ip nat inside source route-map dialer1-rm interface Dialer1 overload
ip nat inside source route-map dialer2-rm interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
!
access-list 121 permit ip 192.168.235.0 0.0.0.255 any
access-list 121 permit ip any any
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
!
!
route-map dialer1-rm permit 10
match ip address 121
match interface Dialer1
!
route-map dialer2-rm permit 10
match ip address 121
match interface Dialer2
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end
10-24-2011 05:12 PM
Hi,
What error messages do you get? Also, what IOS do you have? Did you try to see if there are any bugs with your existing IOS? Maybe it's a buggy IOS.
HTH
10-25-2011 12:09 PM
I get no error message... "show ip nat trans" shows everything is OK... I connected from a random port from another ISP's IP...
Pro  Inside global         Inside local          Outside local          Outside global
tcp  217.92.124.141:23     192.168.235.3:23      178.25.80.236:39377    178.25.80.236:39377
tcp  217.92.124.141:443    192.168.235.10:443    ---                    ---
tcp  217.92.124.141:3389   192.168.235.10:3389   ---                    ---
10-25-2011 05:52 PM
10-26-2011 11:25 AM
Tried it, not working for me...
I don't get it, CEF should work... what am I doing wrong here?!
10-26-2011 12:30 PM
I've found another strange thing... if I first ping the static WAN interface that should have static NAT working and get no answer, then NAT will work... if I restart the router and get a ping reply, NAT won't work...
10-26-2011 12:41 PM
Hi,
You should have two static PAT entries with the keyword extendable for each service you want to be accessible from outside, each pointing to a different interface, like this:
ip nat inside source static tcp 192.168.235.9 80 interface Dialer1 80 extendable
ip nat inside source static tcp 192.168.235.9 80 interface Dialer2 80 extendable
Alain.
10-26-2011 05:52 PM
Hi Alain,
What happens in this case? His translations work, but he can't ping the WAN interface??
ip nat inside source static tcp 192.168.235.10 443 interface Dialer1 443
ip nat inside source static tcp 192.168.235.10 3389 interface Dialer1 3389
Pro  Inside global         Inside local          Outside local          Outside global
tcp  217.92.124.141:23     192.168.235.3:23      178.25.80.236:39377    178.25.80.236:39377
tcp  217.92.124.141:443    192.168.235.10:443    ---                    ---
tcp  217.92.124.141:3389   192.168.235.10:3389   ---                    ---
10-27-2011 01:03 AM
Hey Kishore...
Well, I added ip nat enable to vlan1... still random NAT working/not working...
NAT translations still show a connection when I try to telnet, RDP, HTTPS... But the connection still isn't made.
10-27-2011 01:58 AM
Hi,
I can't ping the inside global address in your NAT translation table, and you haven't got any ACL applied or firewall configured, so that's strange.
Can you do a debug ip icmp and debug ip packet detail 199 while pinging this address from outside,
where 199 is an ACL permitting ICMP traffic.
Alain.
10-29-2011 05:01 AM
Hello Matej,
I have only given the thread a quick look; however, there are some points:
In order to have NAT co-exist with two routers and two PPPoE dialer WAN interfaces you need to solve any possible ambiguity:
given an internal server X serving on TCP port Y, at a given time that server has to be reached only by R1 or by R2, in both directions.
The random results look like they come out of your setup, which does not provide a per-flow path choice (in both directions).
This may require a lot of additional work, or you can use stateful NAT without any load-balancing effect.
edit:
If there is only one router in your tests, PBR could be of help.
Is the second 892 in the same site or in another one?
The test should be done accessing server X on TCP port Y as in the configuration; everything else may be misleading.
Hope to help
Giuseppe
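The path ambiguity Giuseppe describes, and the yes/no behaviour in the opening post, can be made concrete with a small model. The Python below is an added example written for this page; it is not Cisco code and none of the posters supplied it. It assumes that the upstream PPPoE provider drops packets whose source is not the address it assigned to that session, and that a static entry bound to Dialer1 translates the server's replies to Dialer1's address whatever dialer they leave on. Dialer2's address, the client addresses and the parity hash standing in for CEF's per-destination hash are constructed here; the interface names, the inside server and Dialer1's address come from the posted config and translation table.

```python
"""
Model of why inbound static NAT on the dual-PPPoE 892 above works "randomly".
Added example for this page: not Cisco code, and not an IOS emulation.  It
reproduces the one property that matters here: CEF per-destination load
balancing over two default routes picks the egress dialer from the remote
address, independent of the dialer the connection came in on.
"""
from dataclasses import dataclass

DIALER1_IP = "217.92.124.141"      # inside global seen in "show ip nat trans"
DIALER2_IP = "203.0.113.77"        # assumed: Dialer2's negotiated address (not in thread)
DIALERS = {"Dialer1": DIALER1_IP, "Dialer2": DIALER2_IP}
INSIDE_SERVER = "192.168.235.10"   # RDP/HTTPS host from the static entries

# Two NAT layouts from the thread:
#   "dialer1_only": the original config, static entries bound to Dialer1 only
#   "extendable":   one extendable entry per dialer, so a reply is translated
#                   to the address of whichever dialer it happens to leave on
LAYOUTS = ("dialer1_only", "extendable")


def octet_sum(ip):
    return sum(int(o) for o in ip.split("."))


def cef_egress(src, dst):
    """Stand-in for CEF per-destination load balancing over the two tracked
    default routes.  Real CEF hashes src/dst into 16 buckets; octet parity
    is enough to show the effect and is easy to check by hand."""
    return "Dialer1" if (octet_sum(src) + octet_sum(dst)) % 2 == 0 else "Dialer2"


@dataclass(frozen=True)
class Reply:
    egress: str            # dialer the reply actually leaves on
    src_after_nat: str     # source address after inside->outside translation
    isp_accepts: bool      # egress ISP sees the source it assigned to that session
    client_accepts: bool   # reply comes from the address the client connected to


def trace_reply(layout, client_ip, ingress="Dialer1", pbr_next_hop=None):
    """Trace the inside server's reply to a client that reached it through
    `ingress`.  pbr_next_hop models a policy route on Vlan1 (the PBR Giuseppe
    mentions) that pins the server's traffic to one dialer; None = plain CEF."""
    # Routing happens before inside->outside NAT, so the hash sees the inside local address.
    egress = pbr_next_hop or cef_egress(INSIDE_SERVER, client_ip)
    if layout == "dialer1_only":
        src_after_nat = DIALERS["Dialer1"]   # assumed: static entry always yields Dialer1's IP
    else:
        src_after_nat = DIALERS[egress]      # per-interface extendable entry
    return Reply(
        egress=egress,
        src_after_nat=src_after_nat,
        isp_accepts=(src_after_nat == DIALERS[egress]),     # assumed anti-spoofing upstream
        client_accepts=(src_after_nat == DIALERS[ingress]),
    )


def session_works(layout, client_ip, pbr_next_hop=None):
    r = trace_reply(layout, client_ip, pbr_next_hop=pbr_next_hop)
    return r.isp_accepts and r.client_accepts


def success_rate(layout, clients, pbr_next_hop=None):
    ok = sum(session_works(layout, c, pbr_next_hop) for c in clients)
    return ok / len(clients)


# Constructed sample: 16 remote clients in TEST-NET-2.
CLIENTS = [f"198.51.100.{k}" for k in range(1, 17)]

if __name__ == "__main__":
    for layout in LAYOUTS:
        print(f"{layout:13s} no PBR : {success_rate(layout, CLIENTS):.0%} of clients connect")
        print(f"{layout:13s} PBR->D1: {success_rate(layout, CLIENTS, 'Dialer1'):.0%} of clients connect")
    for c in CLIENTS[:4]:
        print(c, trace_reply("dialer1_only", c))
```

Running it shows that with per-destination CEF over both default routes, half of the constructed clients lose their reply on Dialer2 in either NAT layout: in the original layout the egress ISP sees a source address it did not assign, and in the per-interface layout the client sees a reply from an address it never contacted. Pinning the server's traffic to Dialer1 with a policy route (the exact route-map is not shown here) makes every session succeed, at the cost of the load-balancing effect for that host.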
11-09-2011 05:03 AM
Hey! Giuseppe... But isn't stateful NAT used only with two physical routers for redundancy purposes?
These routers are in two totally different locations. They are not meant to be used together for load balancing since the 892 already has two WAN ports (GE0 and FE8).