3400 Views · 0 Helpful · 5 Replies

Route-map and Multiple NAT Inside/Outside Interface Question

Hello,

 

I am building a network environment where we have VOIP on VLAN 20 and Data on VLAN 30.  Then I have a router on a stick virtual interface configuration which needs to then route to an ASA which stands in front of the WAN.  The router I am working with is Cisco 2921 ISR with 3 interfaces.

 

Basically my problem is I have the VOIP and DATA VLANs coming in on router interface 0.  Now I have to route all DATA traffic to interface 2 and all VOIP traffic to interface 1, and I am not sure what the best method of doing this is.  Currently I am using route-map and multiple NAT Inside/Outside interfaces.  Note that I had this working for the data VLAN with just one source NAT inside/outside interface specified.  Then I went to complete the task and added another source NAT inside/outside interface for VOIP, and now neither can connect to the Net.  I am not sure if I made a typo, missed something obvious, or if I am doing something fundamentally wrong.  I am mainly trying to follow the advice from this link http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html#routemap.  Any help would be appreciated.  Thanks

 

Joe

 

!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip address 172.20.62.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.63.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool-30 192.168.63.128 192.168.63.254 prefix-length 25
ip nat pool pool-20 172.20.62.128 172.20.62.254 prefix-length 25
ip nat inside source route-map MAP-20 pool pool-20
ip nat inside source route-map MAP-30 pool pool-30
!
!
route-map MAP-30 permit 10
 match ip address 130
 set ip next-hop 192.168.63.1
!
route-map MAP-20 permit 10
 match ip address 120
 set ip next-hop 172.20.62.1
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 120 permit ip 10.20.0.0 0.0.0.255 172.20.62.0 0.0.0.255
access-list 130 permit ip 10.20.10.0 0.0.0.255 192.168.63.0 0.0.0.255

 


5 Replies

Peter Paluch, Cisco Employee

Daniel,

I am afraid you are confusing the Policy Based Routing (PBR) with route-map based NAT. Each one of them is different. PBR is a tool that allows you to perform routing decisions based on other criteria than just the destination IP address. Route-map based NAT is an extension to NAT to select appropriate translation rule depending not only on the source address but also depending on the outgoing interface for the traffic. There is a similarity between them but they are in fact independent.

You have said that you want to route the data traffic out Gi0/2 and the voice traffic out Gi0/1. This is an application for the PBR. I will make one assumption here: I will consider the entire address space 10.0.0.0/8 to be used internally in your network, and packets both sourced and destined in this address space will not be subject to PBR. However, packets from this address space going to destinations outside 10.0.0.0/8 will be subject to PBR.

ip access-list extended NotLocal
 deny   ip 10.0.0.0 0.255.255.255  10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255  any
!
route-map PBR-Data permit 10
 match ip address NotLocal
 set ip next-hop 192.168.63.1
!
route-map PBR-Voice permit 10
 match ip address NotLocal
 set ip next-hop 172.20.62.1
!
interface GigabitEthernet0/0.20
 ip policy route-map PBR-Voice
!
interface GigabitEthernet0/0.30
 ip policy route-map PBR-Data

This alone will make sure that if data traffic enters Gi0/0.30 and is destined somewhere out the 10.0.0.0/8 range, it will be routed through the next hop 192.168.63.1. Similarly, if the voice traffic enters Gi0/0.20 and goes to targets outside the 10.0.0.0/8 network, it will be forwarded via 172.20.62.1.

While I am not entirely certain why you want to do it this way, that would be the configuration to accomplish that.

Now, obviously, doing NAT on top of this PBR-ed traffic is another task you need to accomplish. What you need to do is to make sure that the voice traffic is NATted behind the range from the pool-20 while the data traffic is NATted behind the range from the pool-30. However, because the PBR is set up so that data traffic will always go out Gi0/2 and voice traffic will always go out Gi0/1, there is no further need to use route-maps in the NAT to verify the outgoing interface. The only thing is to simply write the NAT rules as usual:

ip access-list standard Voice
 permit 10.20.0.0 0.0.0.255
!
ip access-list standard Data
 permit 10.20.10.0 0.0.0.255
!
ip nat inside source list Voice pool pool-20
ip nat inside source list Data  pool pool-30

Remove the existing ip nat inside source commands from your config, please, and you can also remove the ACLs 120, 130, and route-maps MAP-20 and MAP-30.

Feel welcome to ask further!

Best regards,
Peter

Hi Peter,

 

First of all, thanks a bunch for your help. I will say what you said made sense; I had to read it a few times, but it made sense.  So all the changes I made today I deleted, started clean with your suggestions, and then added my ip nat pools.  It now looks like it is trying to route fine, which is good (I have tcpdump running on the next hop, and a ping command confirmed it is getting to the next hop).  However, for some reason it still is not NATing (I only tested the Data side).  I am willing to guess it is something simple, but so far I have not caught it.  My current configuration is below; thanks again.

 



interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map PBR-Voice
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.20.10.1 255.255.255.0
 ip policy route-map PBR-Data
!
interface GigabitEthernet0/1
 ip address 172.20.62.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.63.3 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool-30 192.168.63.0 192.168.63.254 prefix-length 24
ip nat pool pool-20 172.20.62.0 172.20.62.254 prefix-length 24
ip nat inside source list Data pool pool-30
ip nat inside source list Voice pool pool-20
!
ip access-list standard Data
 permit 10.20.10.0 0.0.0.255
ip access-list standard Voice
 permit 10.20.0.0 0.0.0.255
!
ip access-list extended NotLocal
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map PBR-Voice permit 10
 match ip address NotLocal
 set ip next-hop 172.20.62.1
!
route-map PBR-Data permit 10
 match ip address NotLocal
 set ip next-hop 192.168.63.1
!

Hi Daniel,

In your last posted configuration, you are missing the ip nat inside command on Gi0/0.20 and Gi0/0.30, and ip nat outside on Gi0/1 and Gi0/2. Please add them.

Best regards,
Peter
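The following is an added worked example, not code from the thread or from Cisco: a small Python model of the two steps Peter's replies separate, PBR on the ingress subinterface (his first answer) and NAT applied only on an inside-to-outside crossing (his second answer). It reuses the ACLs, route-maps and NAT rules from the accepted configuration and assumes, as labelled in the comments, that the routing table holds only the four connected networks (the thread shows no default route) and that a fresh dynamic translation receives the first address of its pool. Running it with the NAT roles omitted reproduces the symptom Daniel reported: traffic is policy-routed correctly but leaves untranslated.

```python
# Toy model of the forwarding path discussed above (constructed example, not
# IOS code): PBR on the ingress subinterface chooses the next hop, then dynamic
# NAT rewrites the source only when the packet crosses from an "ip nat inside"
# interface to an "ip nat outside" interface.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    network: str                      # connected subnet
    nat_role: Optional[str] = None    # "inside", "outside" or None (not marked)
    policy: Optional[str] = None      # route-map bound with "ip policy route-map"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(entries, src: str, dst: str = "0.0.0.0") -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
# ACLs and route-maps as posted in the accepted answer.
ACL_NOTLOCAL = [
    ("deny",   "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.0.0.0", "0.255.255.255", *ANY),
]
ACL_VOICE = [("permit", "10.20.0.0",  "0.0.0.255", *ANY)]   # standard ACL: source only
ACL_DATA  = [("permit", "10.20.10.0", "0.0.0.255", *ANY)]
ROUTE_MAPS = {"PBR-Voice": (ACL_NOTLOCAL, "172.20.62.1"),
              "PBR-Data":  (ACL_NOTLOCAL, "192.168.63.1")}
# "ip nat inside source list <acl> pool <pool>". Assumption: each pool is
# represented by its first address, the one a fresh dynamic translation gets.
NAT_RULES = [(ACL_VOICE, "pool-20", "172.20.62.128"),
             (ACL_DATA,  "pool-30", "192.168.63.128")]


def build_router(nat_marked: bool) -> dict:
    """nat_marked=False reproduces the posted config that lacked ip nat inside/outside."""
    ifs = [
        Interface("Gi0/0.20", "10.20.0.0/24",    "inside"  if nat_marked else None, "PBR-Voice"),
        Interface("Gi0/0.30", "10.20.10.0/24",   "inside"  if nat_marked else None, "PBR-Data"),
        Interface("Gi0/1",    "172.20.62.0/24",  "outside" if nat_marked else None),
        Interface("Gi0/2",    "192.168.63.0/24", "outside" if nat_marked else None),
    ]
    return {i.name: i for i in ifs}


def connected_interface(router: dict, addr: str) -> Optional[Interface]:
    for i in router.values():
        if ipaddress.ip_address(addr) in ipaddress.ip_network(i.network):
            return i
    return None


def forward(router: dict, src: str, dst: str) -> dict:
    ingress = connected_interface(router, src)
    # Step 1: PBR on the ingress interface. A matching route-map overrides the
    # destination lookup; otherwise fall back to the routing table, which is
    # assumed to hold connected routes only (the thread shows no default route).
    next_hop = None
    if ingress.policy:
        acl, nh = ROUTE_MAPS[ingress.policy]
        if acl_permits(acl, src, dst):
            next_hop = nh
    egress = connected_interface(router, next_hop or dst)
    if egress is None:
        return {"egress": None, "next_hop": None, "src": src, "dropped": True}
    # Step 2: NAT. Translation happens only on an inside -> outside crossing,
    # so with neither role configured every NAT rule is silently skipped.
    new_src = src
    if ingress.nat_role == "inside" and egress.nat_role == "outside":
        for acl, _pool, pool_addr in NAT_RULES:
            if acl_permits(acl, src):
                new_src = pool_addr
                break
    return {"egress": egress.name, "next_hop": next_hop, "src": new_src, "dropped": False}


if __name__ == "__main__":
    for marked in (True, False):
        r = build_router(marked)
        print("nat roles marked" if marked else "nat roles missing")
        print("  data  -> Internet :", forward(r, "10.20.10.5", "198.51.100.9"))
        print("  voice -> Internet :", forward(r, "10.20.0.7", "198.51.100.9"))
        print("  voice -> data VLAN:", forward(r, "10.20.0.7", "10.20.10.5"))
```

The model makes the two points of the thread visible side by side: the `set ip next-hop` decision belongs to the route-map bound with `ip policy route-map` and is taken before NAT ever runs, and the `ip nat inside source list` rules are consulted only when the ingress interface is marked inside and the chosen egress is marked outside. Inter-VLAN traffic is denied by `NotLocal`, so it is routed normally and stays untranslated even with the roles set.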

Hey Peter,

Just wanted to say thanks for your help.  I tested a phone and a couple workstations and it does seem to work fine.

Hi Daniel,

Good to hear - thanks for letting me know!

Best regards,
Peter