07-23-2021 07:56 AM
Hi,
I have one host with an internal IP that leaves the Core and heads to the Edge. I want this single host (172.21.250.50) to exit to ISP2; all other traffic is, and will continue to be, exiting via ISP1.
As you can see in my diagram, the single host 172.21.250.50 will be NATed, and its NAT overload address will be the IP address of my interface leading to ISP2 (192.168.1.2).
What is the best way to make this happen?
Thanks!
WW
07-23-2021 09:43 AM
Hello
You will require policy based routing and NAT to accomplish this:
Example:
Host 172.21.250.50 PBR & NAT ISP2
access-list 101 permit ip host 172.21.250.50 any
route-map PBR
 match ip address 101
 set ip next-hop <ISP2 nexthop>
int x/x
 description Lan facing to core
 ip nat inside
 ip policy route-map PBR
route-map natisp2
 match ip address 101
 match interface <ISP2 interface>
ip nat inside source route-map natisp2 interface <ISP2 interface>
All other traffic -inc NAT
access-list 100 deny ip host 172.21.250.50 any
access-list 100 permit ip 172.21.250.0 0.0.0.255 any
route-map natisp1
 match ip address 100
 match interface <ISP1 interface>
ip nat inside source route-map natisp1 interface <ISP1 interface>
ip route 0.0.0.0 0.0.0.0 <ISP1 interface> <ISP1 nexthop>
int x/x
 description ISP1 facing
 ip nat outside
int x/x
 description ISP2 facing
 ip nat outside
07-23-2021 11:13 AM - edited 07-23-2021 11:27 AM
Paul,
Thanks for the input. I have been working on this (see below). There will be no NAT for any other IP addresses on ISP1 and ISP2 besides the IP listed.
I am using NAT overload instead of one-to-one NAT because of security.
ip access-list extended Test_ACL
 permit ip host 172.21.250.50 any
ip nat pool Pool1 192.168.1.2 192.168.1.2 netmask 255.255.255.0
ip nat inside source list Test_ACL pool Pool1 overload
int GigabitEthernet0/0/1
 ip nat inside
 ip policy route-map Test_RM
int GigabitEthernet0/0/3
 description ISP2
 ip nat outside
route-map Test_RM permit 10
 match ip address Test_ACL
 set ip next-hop 192.168.1.2
int g0/0/1   ! this is the interface leading to the core
 ip policy route-map Test_RM
07-23-2021 04:44 PM
Hello
Looks okay, as long as your PBR policy is applied to the interface that's sourcing 172.21.250.50. Also, as an alternative, you could use a static translation instead of a NAT pool:
ip nat inside source static 172.21.250.50 interface GigabitEthernet0/0/3
07-24-2021 07:55 AM
I like the suggestion to use static nat. It avoids the complexity of configuring policy based routing. But there are some things about this environment that we do not know which might impact this suggested solution. For example is there any intention to use ISP2 as a backup in case of problems with ISP1? This would be problematic with the static nat.
07-26-2021 05:48 AM
Paul,
I did not want to do static NAT for security reasons. I don't want outside access unless traffic is initiated inside.
Thanks,
WW
07-26-2021 01:34 PM
WW
If you have concerns about the static nat solution then the Policy Based Routing (with nat) is what you need to implement. I believe that the static nat would be an elegant solution, and more simple. But security concerns trump elegance and simplicity. PBR would not expose you to access initiated from outside.
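The following Python model is an added illustration of the design discussed in this thread; it is not configuration from the thread and not Cisco code. It reproduces the two decisions the IOS config makes (the ordered ACL match that drives the route-map and the NAT translation on the ISP2 path) so that the difference between NAT overload and static NAT from the last replies can be seen on sample packets: with overload, a packet arriving on the ISP2 interface is only forwarded inside when it matches a translation the host itself created; with static NAT, any inbound packet reaches the host. The host, inside subnet and ISP2 interface address come from the thread; the two gateway addresses are constructed placeholders, since the thread only shows them as <ISP2 nexthop> and <ISP1 nexthop>.

```python
"""Model of the thread's PBR + NAT design (added illustration, not Cisco code).

Values from the thread: host 172.21.250.50, inside net 172.21.250.0/24,
ISP2-facing interface address 192.168.1.2. The gateway addresses below are
constructed placeholders (assumption), not values from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ISP2_OUTSIDE_IP = "192.168.1.2"    # Gi0/0/3 address in the thread
ISP2_NEXT_HOP = "192.168.1.1"      # assumption: ISP2 gateway (placeholder)
ISP1_NEXT_HOP = "203.0.113.1"      # assumption: ISP1 gateway (placeholder)

# Ordered ACLs as in the replies: first matching entry wins, implicit deny at the end.
ACL_101 = [("permit", "172.21.250.50/32")]                              # PBR / NAT to ISP2
ACL_100 = [("deny", "172.21.250.50/32"), ("permit", "172.21.250.0/24")]  # everything else


def acl_permits(acl, src):
    """Evaluate an ordered ACL the way IOS does: top-down, implicit deny."""
    addr = ip_address(src)
    for action, prefix in acl:
        if addr in ip_network(prefix):
            return action == "permit"
    return False


@dataclass
class Router:
    # True models 'ip nat inside source static 172.21.250.50 interface Gi0/0/3';
    # False models the overload pool from the original poster's config.
    static_nat: bool = False
    translations: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> outside port

    def egress(self, src):
        """route-map Test_RM: ACL match -> next-hop toward ISP2, else default route to ISP1."""
        if acl_permits(ACL_101, src):
            return ("ISP2", ISP2_NEXT_HOP)
        return ("ISP1", ISP1_NEXT_HOP)

    def inside_to_outside(self, src, sport):
        """Forward an inside-initiated packet; NAT overload applies only on the ISP2 path."""
        egress, next_hop = self.egress(src)
        if egress == "ISP2":
            key = (src, sport)
            if key not in self.translations:
                # Overload keeps the original source port when free, else takes the next one.
                used = set(self.translations.values())
                port = sport
                while port in used:
                    port += 1
                self.translations[key] = port
            return {"egress": egress, "next_hop": next_hop,
                    "src": ISP2_OUTSIDE_IP, "sport": self.translations[key]}
        # Per the original poster, no NAT for other hosts leaving via ISP1.
        return {"egress": egress, "next_hop": next_hop, "src": src, "sport": sport}

    def outside_to_inside(self, dport):
        """Packet arriving on the ISP2 interface addressed to 192.168.1.2:dport.

        Returns the inside destination, or None when the router drops the packet.
        """
        if self.static_nat:
            return "172.21.250.50"      # static NAT forwards any inbound port to the host
        for (inside_ip, _inside_port), outside_port in self.translations.items():
            if outside_port == dport:
                return inside_ip        # return traffic for a flow the host opened
        return None                     # no translation: outside-initiated traffic is dropped


if __name__ == "__main__":
    r = Router()
    print(r.egress("172.21.250.50"), r.egress("172.21.250.51"))
    out = r.inside_to_outside("172.21.250.50", 40000)
    print(out, r.outside_to_inside(out["sport"]), r.outside_to_inside(22))
    print(Router(static_nat=True).outside_to_inside(22))
```

Running it shows the policy-routed host leaving toward the ISP2 gateway as 192.168.1.2, every other inside address taking the default route, and an unsolicited inbound packet to port 22 being dropped by the overload router but delivered by the static-NAT router, which is the distinction the last two replies are about.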