Re: Single Multihomed sent a single host out a different ISP

Wan_Whisperer · ‎07-23-2021

Hi,

I have one host with an internal IP that leaves the Core and heads to the Edge. I want this single host (172.21.250.50) to exit to ISP 2 all other traffic is and will exit ISP1

As you can see in my diagram the single host 172.21.250.50 will be natted and its nat overload will the the IP address of my interface leading to ISP2 (192.168.1.2)

What is the best way to make this happen?

Thanks!

WW

balaji.bandi · ‎07-23-2021

You need PBR

https://community.cisco.com/t5/networking-documents/how-to-configure-pbr/ta-p/3122774

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎07-23-2021

Hello
You will require policy based routing and NAT to accomplish this:

Example:
Host 172.21.250.50 PBR & NAT ISP2

access-list 101 permit ip host 172.21.250.50 any

route-map PBR
match ip address 101
set ip next hop <ISP2 nexthop>

int x/x
description Lan facing to core
ip nat inside
ip policy route-map PBR

route-map natisp2
match ip address 101
match interface <ISP2 interface)

ip nat inside source route-map inatsp2 interface <ISP2 interface>

All other traffic -inc NAT
access-list 100 deny ip host 172.21.250.50 any
access-list 100 permit ip 172.21.250.0 0.0.0.255 any

route-map natisp1
match ip address 100
match interface <isp1 interface)

ip nat inside source route-map inatsp1 interface <ISP1 interface>

ip route 0.0.0.0 0.0.0.0 <ISP1 interface> <ISP1 nexthop>

int x/x
description ISP1 facing
ip nat ouside

int x/x
description ISP2 facing
ip nat ouside

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Wan_Whisperer · ‎07-23-2021

Paul,

Thanks for the input. I have been working on this(see below).....there will be no nat for any other IP addresses on ISP1 and ISP2 besides the IP listed

I am using NAT overload vs one to one because of security

ip access e Test_ACL
permit ip host 172.21.250.50 any

ip nat pool Pool1 192.168.1.2 192.168.1.2 netmask 255.255.255.0

ip nat inside source list Test_ACL pool Pool1 overload

int GigabitEthernet0/0/1
ip nat inside

ip policy route-map Test_RM

int GigabitEthernet0/0/3

description ISP2
ip nat outside

route-map Test_RM permit 10
match ip address Test_ACL
set ip next-hop 192.168.1.2

int g0/0/1 //////this is the interface leading to the core////////
ip policy route-map Test_RM

paul driver · ‎07-23-2021

Hello

Looks okay, as long as your PBR policy is applied to the interface thats sourcing 172.21.250.50, Also an alternative you could also use a static translation instead of a nat pool

ip nat source static 172.21.250.50 interface GigabitEthernet0/0/3

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎07-24-2021

I like the suggestion to use static nat. It avoids the complexity of configuring policy based routing. But there are some things about this environment that we do not know which might impact this suggested solution. For example is there any intention to use ISP2 as a backup in case of problems with ISP1? This would be problematic with the static nat.

HTH

Rick

Wan_Whisperer · ‎07-26-2021

Paul,

I did not want to do static NAT for security reasons. I don't want outside access unless traffic is initiated inside.

Thanks,

WW

Richard Burts · ‎07-26-2021

WW

If you have concerns about the static nat solution then the Policy Based Routing (with nat) is what you need to implement. I believe that the static nat would be an elegant solution, and more simple. But security concerns trump elegance and simplicity. PBR would not expose you to access initiated from outside.

HTH

Rick