I have a problem with the return path of NAT'd traffic on a Cisco 877W router. Here's the network setup:
gatekeeper1 (192.168.0.1) is a Cisco 857
gatekeeper2 (192.168.0.253) is a Cisco 857
gatekeeper3 (192.168.0.251) is a Cisco 877W
The default route is 192.168.0.1 on all devices, however there are some static route defined so that traffic to certain IP addresses bounce off to 192.168.0.253 and use that Internet connection instead. This new connection is designed so that traffic aimed for a certain internal IP address (192.168.0.190) comes via this third internet connection in order to take the load off of the main line. NAT is all configured and appears to be working when .251 is the default route but as soon as I set it back to .1, the traffic appears to come in but doesn't go out again. Here's what I mean:
gatekeeper3#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
As you can see here, I'm trying to connect to port 80 on 82.x.y.10 (which is 192.168.0.190 internally) from 216.x.y.246 and that NAT rule seems to allow the traffic as expected plus the firewall is set to allow all traffic for the time being whilst I debug this issue. The external machine tries making the connection, the router appears to allow it but the connection never establishes. My suspicion is that the returning traffic is going out of the 'wrong' connection. How can I set this up so that the returning traffic goes out of the correct path?
I suspet you are right. The simple solution is to NAT the incoming source IPs (from the internet) to the .251 address so that the traffic is sent back to the correct router. However this isn't easy with an IOS router when you have ip nat outside on the WAN interface and ip nat inside on the LAN interface.
I'm not sure i have ever got it to work properly. Unfortunately my laptop with GNS3 on it at the moment is out of action so i can't test but you may want to have a go.
An alternative that may work (again would need testing) would be to use PBR on the 192.168.0.1 router ie.
access-list 101 permit ip 192.168.0.190 any
route-map PBR permit 10
match ip address 101
set ip next-hop 192.168.0.251
ip addresss 192.168.0.1 255.255.255.0
ip policy route-map PBR
the above would redirect traffic from 192.168.0.190 to the 192.168.0.251 router LAN interface. Couple of notes -
1) using PBR to send the traffic back out the interface it was received on - haven't tested this before but it should work
2) it assumes all traffic from 192.168.0.190 shoud use the 192.168.0.251 connection even traffic that originates from that server. You can be more specific with the acl and use tcp and port 80 to only send http traffic to the .251 router.
Apologies for not being able to give a definitive reply but this may help. Must get my GNS3 laptop fixed
Cisco DNA Software Demo Series - Cisco ThousandEyesRegister nowWednesday, May 12, 202110:00 am Pacific Daylight Time(San Francisco, GMT-07:00)SaaS applications and cloud-based services are increasingly critical for on-campus users, but they can be challen...