cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1719
Views
0
Helpful
1
Replies

Return Path for NAT'd Traffic (857 and 877)

puffinrub
Level 1
Level 1

Hello,

I have a problem with the return path of NAT'd traffic on a Cisco 877W router. Here's the network setup:

  • gatekeeper1 (192.168.0.1) is a Cisco 857
  • gatekeeper2 (192.168.0.253) is a Cisco 857
  • gatekeeper3 (192.168.0.251) is a Cisco 877W

The default route is 192.168.0.1 on all devices, however there are some static route defined so that traffic to certain IP addresses bounce off to 192.168.0.253 and use that Internet connection instead. This new connection is designed so that traffic aimed for a certain internal IP address (192.168.0.190) comes via this third internet connection in order to take the load off of the main line. NAT is all configured and appears to be working when .251 is the default route but as soon as I set it back to .1, the traffic appears to come in but doesn't go out again. Here's what I mean:

gatekeeper3#sh ip nat tr

Pro Inside global Inside local Outside local Outside global

--- 82.x.y.10 192.168.0.2 --- ---

tcp 82.x.y.9:80 192.168.0.190:80 216.x.y.246:51653 216.x.y.246:51653

--- 82.x.y.9 192.168.0.190 --- ---

As you can see here, I'm trying to connect to port 80 on 82.x.y.10 (which is 192.168.0.190 internally) from 216.x.y.246 and that NAT rule seems to allow the traffic as expected plus the firewall is set to allow all traffic for the time being whilst I debug this issue. The external machine tries making the connection, the router appears to allow it but the connection never establishes. My suspicion is that the returning traffic is going out of the 'wrong' connection. How can I set this up so that the returning traffic goes out of the correct path?

Thanks in advance for any help you can offer.

Regards, Ade.

1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

Ade

I suspet you are right. The simple solution is to NAT the incoming source IPs (from the internet) to the .251 address so that the traffic is sent back to the correct router. However this isn't easy with an IOS router when you have ip nat outside on the WAN interface and ip nat inside on the LAN interface.

I'm not sure i have ever got it to work properly. Unfortunately my laptop with GNS3 on it at the moment is out of action so i can't test but you may want to have a go.

An alternative that may work (again would need testing) would be to use PBR on the 192.168.0.1 router ie.

access-list 101 permit ip 192.168.0.190 any

route-map PBR permit 10

match ip address 101

set ip next-hop 192.168.0.251

int

ip addresss 192.168.0.1 255.255.255.0

ip policy route-map PBR

the above would redirect traffic from 192.168.0.190 to the 192.168.0.251 router LAN interface. Couple of notes -

1) using PBR to send the traffic back out the interface it was received on - haven't tested this before but it should work

2) it assumes all traffic from 192.168.0.190 shoud use the 192.168.0.251 connection even traffic that originates from that server. You can be more specific with the acl and use tcp and port 80 to only send http traffic to the .251 router.

Apologies for not being able to give a definitive reply but this may help. Must get my GNS3 laptop fixed

Jon

Review Cisco Networking for a $25 gift card