Route a specific VLANs internet traffic out using a different wan IP from my primary wan IP

Chris Bailey
Level 1

I have a Cisco 3725 as my core router and have my WAN assigned to Fa0/0 and LAN on FA0/1 as well as VLANs on FA0/1.1, 1.2, 1.3, and 1.4. I have a series of SLM2024s and Catalyst 3750s and all VLANs are behaving as they should. I also have a block of WAN IP addresses. I have my default route out listed as 0.0.0.0 0.0.0.0 x.x.x.x<my wan ip. I'd like to direct all outbound internet traffic originating from the VLAN on FA0/1.4 to use y.y.y.y as its outbound wan ip instead of x.x.x.x which is my primary wan ip.

I've been searching but have not found anything directly related to this. I have NAT running and ACLs in place. I do not have any NAT configured inbound for the FA0/1.4 VLAN. I'm sure this can be done and was thinking that creating a sub interface on the WAN interface FA0/0 (call it FA0/0.1) and then somehow linking FA0/1.4 out to FA0/0.1 would accomplish this, but couldn't find anything in my searches like this.

Any help is greatly appreciated.

14 Replies

milan.kulik
Level 10

Hi,

wouldn't Policy Based Routing be a solution for you?

See http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118156-configure-wsa-00.html

and

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

Best regards,

Milan

Hi Milan,

I see where this would solve part of the issue, however I don't see how this would allow me to use a secondary wan IP as my next hop if there isn't an interface on the router assigned the IP I'd like to use. If I'm sitting anywhere on the network presently and access the web for any and all services, anyone from the outside can see my traffic coming from 99.99.99.2<fake wan IP.

What I'm looking for is to have anything sitting on one of my VLANs (VLAN 300 on subinterface FA0/1.4) that initiates outbound traffic to show the originating address as one of my other WAN IPs, say 99.99.99.5.

Here is my config which is pertinent to this.

interface FastEthernet0/0
description WAN
ip address 99.99.99.2 255.255.255.224
ip flow ingress
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
description COR_LAN
ip address 10.1.0.2 255.255.0.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
description GUEST_INT
encapsulation dot1Q 100
ip address 10.3.1.254 255.255.255.0
ip access-group 176 in
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.2
description innRoad_int
encapsulation dot1Q 150
ip address 10.10.1.254 255.255.255.0
ip access-group 177 in
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.3
description FUEL_READ
encapsulation dot1Q 200
ip address 10.5.1.254 255.255.255.0
ip access-group 178 in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.4
description CNW
encapsulation dot1Q 300
ip address 10.20.1.1 255.255.255.0
ip access-group 179 in
ip nat inside
ip virtual-reassembly
!
ip default-gateway 99.99.99.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 99.99.99.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 175 interface FastEthernet0/0 overload
!
access-list 175 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 175 permit ip 10.1.0.0 0.0.255.255 any
access-list 175 permit ip 10.3.1.0 0.0.0.255 any
access-list 175 permit icmp 10.3.1.0 0.0.0.255 any echo
access-list 175 permit ip 10.10.1.0 0.0.0.255 any
access-list 175 permit icmp 10.10.1.0 0.0.0.255 any echo
access-list 175 permit ip 10.5.1.0 0.0.0.255 any
access-list 175 permit icmp 10.5.1.0 0.0.0.255 any echo
access-list 175 permit gre any any
access-list 175 permit ip 10.20.1.0 0.0.0.255 any
access-list 175 permit icmp 10.20.1.0 0.0.0.255 any echo
access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.99.99
access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.99.10
access-list 176 permit ip 10.3.1.0 0.0.0.255 host 10.1.40.101
access-list 176 deny ip 10.3.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 176 permit ip 10.3.1.0 0.0.0.255 any
access-list 176 permit icmp 10.3.1.0 0.0.0.255 any echo
access-list 177 permit ip 10.10.1.0 0.0.0.255 host 10.1.99.99
access-list 177 permit ip 10.10.1.0 0.0.0.255 host 10.1.99.10
access-list 177 permit ip 10.10.1.0 0.0.0.255 host 10.1.40.101
access-list 177 deny ip 10.10.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 177 permit ip 10.10.1.0 0.0.0.255 any
access-list 177 permit icmp 10.10.1.0 0.0.0.255 any echo
access-list 178 permit ip 10.5.1.0 0.0.0.255 host 10.1.99.99
access-list 178 permit ip 10.5.1.0 0.0.0.255 host 10.1.99.10
access-list 178 permit ip 10.5.1.0 0.0.0.255 host 10.1.99.105
access-list 178 permit ip 10.5.1.0 0.0.0.255 host 10.1.40.101
access-list 178 deny ip 10.5.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 178 permit ip 10.5.1.0 0.0.0.255 any
access-list 178 permit icmp 10.5.1.0 0.0.0.255 any echo
access-list 179 permit ip 10.20.1.0 0.0.0.255 host 10.1.99.99
access-list 179 permit ip 10.20.1.0 0.0.0.255 host 10.1.99.10
access-list 179 permit ip 10.20.1.0 0.0.0.255 host 10.1.40.101
access-list 179 deny ip 10.20.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 179 permit ip 10.20.1.0 0.0.0.255 any
access-list 179 permit icmp 10.20.1.0 0.0.0.255 any echo

I hope this clarifies what I'm trying to do.

In addition to the PBR you need to remove these lines from acl 175 -

access-list 175 permit ip 10.20.1.0 0.0.0.255 any
access-list 175 permit icmp 10.20.1.0 0.0.0.255 any echo

and then -

access-list 101 permit ip 10.20.1.0 0.0.0.255 any  <--  IP includes ICMP so no need for the other line

ip nat pool NAT 99.99.99.5 99.99.99.5 netmask 255.255.255.252
ip nat inside source list 101 pool NAT overload

the above assumes 99.99.99.5 is not actually assigned to any physical device in your network and you can use any name that makes sense to you for the NAT pool.

Jon
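Why Jon has the two 10.20.1.0/24 lines removed from ACL 175 is easier to see with a small model of how the router chooses a NAT rule. The following Python is an added example written for this page, not Cisco code and not from anyone in the thread. It models extended-ACL first-match with wildcard masks and the implicit deny, and treats the `ip nat inside source list` statements as tried in configuration order with the first permitting ACL winning; that ordering is an assumption of the model. The practical point it demonstrates is the one Jon makes: once 10.20.1.0/24 appears in both list 175 and list 101, the address a host is translated to depends on rule order rather than on policy, so the ACLs should be made non-overlapping. Destination 203.0.113.10 is a constructed sample address.

```python
"""Model of Cisco IOS NAT rule selection (hypothetical helper, not IOS code).

Assumptions of this model:
  - extended ACLs are evaluated top-down, first match wins, implicit deny at end
  - "ip nat inside source list" rules are tried in configuration order and the
    first ACL that permits the packet decides the inside-global address
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(net) & keep)


class Ace(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # default destination is "any"
    dst_wc: str = "255.255.255.255"


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _wildcard_match(src, ace.src, ace.src_wc) and \
           _wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


def translate(nat_rules: List[Tuple[List[Ace], str]],
              proto: str, src: str, dst: str) -> Optional[str]:
    """Return the inside-global address the packet would be translated to,
    or None if no NAT rule matches (packet leaves untranslated)."""
    for acl, inside_global in nat_rules:
        if acl_permits(acl, proto, src, dst):
            return inside_global
    return None


# ACL 175 as posted in the thread (icmp-only lines left out: "ip" covers them)
ACL_175_ORIGINAL = [
    Ace("deny", "ip", "10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255"),
    Ace("permit", "ip", "10.1.0.0", "0.0.255.255"),
    Ace("permit", "ip", "10.3.1.0", "0.0.0.255"),
    Ace("permit", "ip", "10.10.1.0", "0.0.0.255"),
    Ace("permit", "ip", "10.5.1.0", "0.0.0.255"),
    Ace("permit", "ip", "10.20.1.0", "0.0.0.255"),   # line Jon says to remove
]
# ACL 175 after removing the VLAN 300 lines, and the new ACL 101
ACL_175_FIXED = [a for a in ACL_175_ORIGINAL if a.src != "10.20.1.0"]
ACL_101 = [Ace("permit", "ip", "10.20.1.0", "0.0.0.255")]

# "ip nat inside source list 175 interface FastEthernet0/0 overload" only
BEFORE = [(ACL_175_ORIGINAL, "99.99.99.2")]
# list 175 -> interface Fa0/0 (99.99.99.2), list 101 -> pool NAT (99.99.99.5)
AFTER = [(ACL_175_FIXED, "99.99.99.2"), (ACL_101, "99.99.99.5")]
# The mistake to avoid: VLAN 300 left in list 175 as well as list 101
OVERLAPPING = [(ACL_175_ORIGINAL, "99.99.99.2"), (ACL_101, "99.99.99.5")]


if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed sample internet host
    for label, rules in (("before", BEFORE), ("after", AFTER),
                         ("overlapping", OVERLAPPING)):
        print(label, "10.20.1.50 ->", translate(rules, "tcp", "10.20.1.50", dst))
    print("after", "10.3.1.7 ->", translate(AFTER, "tcp", "10.3.1.7", dst))
    print("after", "10.1.5.5 -> 10.2.0.9:",
          translate(AFTER, "tcp", "10.1.5.5", "10.2.0.9"))
```

Under the model, VLAN 300 hosts move from 99.99.99.2 to 99.99.99.5 only once they are absent from list 175; with the overlapping configuration they keep the old address, which is the symptom an operator would otherwise chase in the translation table.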

Thanks Jon,

So if I remove the 2 acl 175 lines and add the following, all traffic originating from VLAN300 will be seen as coming from my other WAN IP of 99.99.99.5 to anyone on the web, correct?

interface FastEthernet0/1.4
ip address 10.20.1.1 255.255.255.0
ip policy route-map VLAN300

route-map VLAN300 permit 10
match ip address 101
set ip default next-hop 99.99.99.1         <<ISP cable modem/gateway


ip nat pool NAT 99.99.99.5 99.99.99.5 netmask 255.255.255.252
ip nat inside source list 101 pool NAT overload

access-list 101 permit ip 10.20.1.0 0.0.0.255 any

and you are correct I do not have 99.99.99.5 assigned to any interfaces.

Chris

Yes all traffic should appear as though it is coming from 99.99.99.5

Just to clarify, you have set the next hop IP in your PBR to be 99.99.99.1 which is the same next hop as your default route.

Is that a typo, because I thought you wanted to use a different gateway for these clients?

Or did we misunderstand your original question, i.e. do you want to use the same gateway but just use a different IP address for NAT?

Jon

Jon,

It's not a typo...there is one gateway. I want to use the same gateway, just have vlan300 use a different external IP.

Then you don't need the PBR configuration.

Must admit I read the original question same way as Milan :)

Jon

Ok so I just enter the above commands without this...

route-map VLAN300 permit 10
match ip address 101
set ip default next-hop 99.99.99.1         <<ISP cable modem/gateway

and all should be good correct?

Forgot to mention when you set this up you may already have 10.20.1.x IPs that are translated to 99.99.99.2 in the NAT translation table.

You may need to clear these out, i.e.

"clear ip nat translation <IP address>"

don't do -

"clear ip nat translation *"

because this will clear all translations unless you are doing this out of hours.

Jon

Yes and remove "ip policy route-map VLAN300" from the fa0/1.4 interface.

Jon

In doing this do I also have to apply this acl to an interface to get it all to work?

No, the acl is just used in your NAT statement.

Like I say, if you do add the configuration and the 10.20.1.x IPs are still being translated to 99.99.99.2 then check the translation table, i.e.

"sh ip nat translations"

because you will need to clear any existing translations for those IPs.

Jon
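Jon's check, finding VLAN 300 hosts whose existing translations still point at 99.99.99.2, can be done over the pasted output of `sh ip nat translations` instead of by eye. The Python below is an added example for this page, not Cisco code and not from the thread; the `show ip nat translations` output it parses is a constructed sample in the usual IOS column layout (Pro, Inside global, Inside local, Outside local, Outside global), and the result is the list of stale entries an operator would clear one at a time rather than with `clear ip nat translation *`.

```python
"""Find stale NAT entries after moving a subnet to a new inside-global address.

Hypothetical helper written for this thread; it parses the text of
"show ip nat translations" rather than talking to the router.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample output (not captured from a real router)
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 99.99.99.2:1024    10.20.1.50:49152   203.0.113.10:443   203.0.113.10:443
udp 99.99.99.2:1025    10.3.1.7:5353      203.0.113.10:53    203.0.113.10:53
tcp 99.99.99.5:1026    10.20.1.51:49200   203.0.113.10:443   203.0.113.10:443
icmp 99.99.99.2:512    10.20.1.52:512     203.0.113.10:512   203.0.113.10:512
--- 99.99.99.3         10.1.99.10         ---                ---
"""


def _strip_port(field: str) -> str:
    """'10.20.1.50:49152' -> '10.20.1.50'; addresses without a port pass through."""
    return field.rsplit(":", 1)[0]


def stale_translations(show_output: str, inside_net: str,
                       expected_global: str) -> List[Tuple[str, str]]:
    """Return (inside_local, inside_global) pairs for hosts in inside_net that
    are still translated to an address other than expected_global."""
    net = ipaddress.ip_network(inside_net)
    stale = []
    for line in show_output.splitlines():
        parts = line.split()
        # skip the header, blank lines and anything that is not a translation row
        if len(parts) < 3 or parts[0] == "Pro":
            continue
        inside_global = _strip_port(parts[1])
        inside_local = _strip_port(parts[2])
        try:
            local_addr = ipaddress.ip_address(inside_local)
        except ValueError:
            continue  # "---" placeholders in static entries
        if local_addr in net and inside_global != expected_global:
            stale.append((inside_local, inside_global))
    # de-duplicate: one host may have many flows, it only needs clearing once
    return sorted(set(stale))


if __name__ == "__main__":
    for local, old_global in stale_translations(SAMPLE_OUTPUT,
                                                "10.20.1.0/24", "99.99.99.5"):
        print(f"{local} still translated to {old_global}")
```

Only 10.20.1.0/24 hosts mapped to something other than 99.99.99.5 are reported; the 10.3.1.7 entry and the host already using 99.99.99.5 are left alone, which is the selective clearing Jon recommends over flushing the whole table during business hours.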

Jon, this seems to have done the trick. Thank you very much sir!

No problem, thanks for letting me know.

Jon
