Single Multihomed sent a single host out a different ISP

Wan_Whisperer
Level 1

Hi,

 

I have one host with an internal IP that leaves the Core and heads to the Edge. I want this single host (172.21.250.50) to exit to ISP2; all other traffic does, and will continue to, exit ISP1.

As you can see in my diagram, the single host 172.21.250.50 will be NATted and its NAT overload will be the IP address of my interface leading to ISP2 (192.168.1.2).

What is the best way to make this happen?

Thanks!

WW

7 Replies

balaji.bandi
Hall of Fame

Hello,
You will require policy based routing and NAT to accomplish this.

Example:
Host 172.21.250.50 PBR & NAT to ISP2

access-list 101 permit ip host 172.21.250.50 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop <ISP2 nexthop>

int x/x
 description LAN facing to core
 ip nat inside
 ip policy route-map PBR

route-map natisp2 permit 10
 match ip address 101
 match interface <ISP2 interface>

ip nat inside source route-map natisp2 interface <ISP2 interface>

All other traffic, including NAT:
access-list 100 deny ip host 172.21.250.50 any
access-list 100 permit ip 172.21.250.0 0.0.0.255 any

route-map natisp1 permit 10
 match ip address 100
 match interface <ISP1 interface>

ip nat inside source route-map natisp1 interface <ISP1 interface>

ip route 0.0.0.0 0.0.0.0 <ISP1 interface> <ISP1 nexthop>

int x/x
 description ISP1 facing
 ip nat outside

int x/x
 description ISP2 facing
 ip nat outside

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

Thanks for the input. I have been working on this (see below). There will be no NAT for any other IP addresses on ISP1 and ISP2 besides the IP listed.

I am using NAT overload vs. one-to-one because of security.

ip access-list extended Test_ACL
 permit ip host 172.21.250.50 any

ip nat pool Pool1 192.168.1.2 192.168.1.2 netmask 255.255.255.0

ip nat inside source list Test_ACL pool Pool1 overload

int GigabitEthernet0/0/1
 ip nat inside
 ip policy route-map Test_RM

int GigabitEthernet0/0/3
 description ISP2
 ip nat outside

route-map Test_RM permit 10
 match ip address Test_ACL
 set ip next-hop 192.168.1.2

int g0/0/1
 ! this is the interface leading to the core
 ip policy route-map Test_RM

Hello

Looks okay, as long as your PBR policy is applied to the interface that's sourcing 172.21.250.50. Also, as an alternative, you could use a static translation instead of a NAT pool:

ip nat inside source static 172.21.250.50 interface GigabitEthernet0/0/3



Kind Regards
Paul

I like the suggestion to use static NAT. It avoids the complexity of configuring policy based routing. But there are some things about this environment that we do not know which might impact this suggested solution. For example, is there any intention to use ISP2 as a backup in case of problems with ISP1? This would be problematic with the static NAT.

HTH

Rick

Paul,

I did not want to do static NAT for security reasons. I don't want outside access unless traffic is initiated inside.

 

Thanks,

WW

WW

If you have concerns about the static nat solution then the Policy Based Routing (with nat) is what you need to implement. I believe that the static nat would be an elegant solution, and more simple. But security concerns trump elegance and simplicity. PBR would not expose you to access initiated from outside.

HTH

Rick
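As an added example (not from the thread, and not Cisco code), a small Python checker for the slips that a PBR-plus-NAT-overload config like the ones above tends to carry: a route-map referenced under a name that was never defined (the natisp2/inatsp2 mix-up), an `ip nat ouside` typo that the CLI would reject and so leaves the interface untranslated, a PBR next-hop set to the router's own interface address rather than the ISP2 gateway, and a static translation, which the thread rejects because it admits unsolicited inbound connections. The sample config is constructed here, keeping those slips in deliberately; the checker works on IOS-style text and is not a full IOS parser.

```python
import re

# Constructed sample (not copied from the thread): the PBR + NAT overload design
# discussed above, with the slips seen in the thread kept in on purpose.
SAMPLE_CONFIG = """\
ip access-list extended Test_ACL
 permit ip host 172.21.250.50 any
ip nat inside source route-map inatsp2 interface GigabitEthernet0/0/3 overload
route-map natisp2 permit 10
 match ip address Test_ACL
route-map Test_RM permit 10
 match ip address Test_ACL
 set ip next-hop 192.168.1.2
interface GigabitEthernet0/0/1
 ip nat inside
 ip policy route-map Test_RM
interface GigabitEthernet0/0/3
 ip address 192.168.1.2 255.255.255.0
 ip nat ouside
"""


def lint_pbr_nat(config: str) -> list[str]:
    """Return findings for a single-host PBR + NAT overload config (IOS-style text)."""
    findings, local_ips, current = [], set(), None
    defined_rm = set(re.findall(r"^route-map (\S+)", config, re.M))
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: enter or leave an interface block
            current = line.split()[1] if line.startswith("interface ") else None
            if line.startswith("ip nat inside source static"):
                findings.append("static NAT admits unsolicited inbound connections to the host")
            continue
        if current and line.startswith("ip address "):
            local_ips.add(line.split()[2])
        elif current and line.startswith("ip nat "):
            role = line.split()[2]
            if role not in ("inside", "outside"):  # e.g. "ouside": CLI rejects it, no translation
                findings.append(f"{current}: unknown NAT role '{role}'")
    # Every route-map named by a NAT statement or a PBR policy must actually be defined
    for ref in re.findall(r"(?:source route-map|ip policy route-map) (\S+)", config):
        if ref not in defined_rm:
            findings.append(f"route-map '{ref}' is referenced but never defined")
    # A PBR next-hop equal to one of this router's own addresses is not the ISP gateway
    for hop in re.findall(r"set ip next-hop (\S+)", config):
        if hop in local_ips:
            findings.append(f"next-hop {hop} is a local interface address, not the ISP gateway")
    return findings
```

Running `lint_pbr_nat(SAMPLE_CONFIG)` reports the three slips; correcting them yields an empty list.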