Solved: Re: Source NAT using wrong outside interface

Antonio Macia · ‎05-16-2024

Hi,

I have a router with two WAN interfaces towards to different ISPs. Each ISP is in active/stand-by using floating default routes so, there is only one active default route in the routing table.

For the nat I have two NAT overload statements using the interface IP.

The issue is that the router is using the public IP of the standby interface even when the only default route points towards the other ISP. Per my understanding, the order of operations made by the router is first routing and then, based on the outgoing interface, then apply the corresponding source NAT.

The router uses the wrong public IP even if the stand-by WAN interface is down. The only way to force the router to use the public IP of the active upstream ISP is by removing the NAT statement in the configuration.

Any ideas.

MHM Cisco World · ‎05-17-2024

ip nat inside route-map ISP1 interface GigabitEthernet0/0/1 overload

ip nat inside route-map ISP2 interface GigabitEthernet0/0/0 overload

Route-map ISP1 permit 10

Match ip address 10

Match interface g0/0/0

Route-map ISP2 permit 20

Match ip address 10

Match interface g0/0/1

That what you need

MHM

View solution in original post

MHM Cisco World · ‎05-16-2024

I must see config first to know issue

MHM

Antonio Macia · ‎05-16-2024

Hi MHM,

The configuration is quite straightforward:

interface GigabitEthernet0/0/0

description Active ISP

ip address 1.1.1.2 255.255.255.255

ip nat outside

ip access-group 1 in

load-interval 30

negotiation auto

ip virtual-reassembly

!

interface GigabitEthernet0/0/1

description Backup ISP

ip address 2.2.2.2 255.255.255.255

ip nat outside

ip access-group 1 in

load-interval 30

negotiation auto

ip virtual-reassembly

!

ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.1.1.1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 2.2.2.1 10

The default route in the routing table is pointing towards the active ISP but the backup ISP is being used instead.

Hope it is clearer now.

MHM Cisco World · ‎05-17-2024

ip nat inside route-map ISP1 interface GigabitEthernet0/0/1 overload

ip nat inside route-map ISP2 interface GigabitEthernet0/0/0 overload

Route-map ISP1 permit 10

Match ip address 10

Match interface g0/0/0

Route-map ISP2 permit 20

Match ip address 10

Match interface g0/0/1

That what you need

MHM

Dan Frey · ‎05-16-2024

I have seen this issue in the past as well. Say a host on the network is using ntp and the source/dest ports are 123/123. When the packet is going through the standby path with this NAT entry present, the primary comes back up and the new default route comes in and now this traffic is going out the primary. There is already a NAT entry in the table using ports 123/123 for the ntp connection and the router continues to use it even when going out the primary path. An EEM script was built to clear the NAT table when traffic changes paths so that a new translation is built using the correct IP for the WAN network.

Antonio Macia · ‎05-16-2024

Hi Dan,

So you mean that at some point the backup link came active and the NAT entries were created and, when the original active ISP came back as primary again, since the NAT entries are already present, the traffic keep using the backup ISP even if the default route in the routing table uses the active WAN interface as outgoing interface?

Thanks

Dan Frey · ‎05-17-2024

@antonio Marcia if a NAT translation is already created the router is going to use it and it does this independent of routing. Routing will work as expected for failover but if a NAT translation is built for a connection over standy and routing says use primary, then routing happens over primary and NAT continues to use the translation that is already built. There has to be separation between NAT and routing.

Another example would be if you own registered address space and assign registered address a.b.c.d/32 to a loopback and advertise this address to both ISPs and use the loopback for NAT on both ISPs. When a connection is built it gets NATTED to the loopback and routing can failover/failback and continue to use the translation over both ISPs. This works.

What if the router built a new translation each time routing failover/failback now you have multiple translations built for a single connection. Which one does the router use? This will break the connection and why routing and NAT work independently.

Richard Burts · ‎05-16-2024

This is an interesting suggestion, and a creative suggested solution. And it could potentially address the issue of the OP. But I agree with MHM that I would like to see the configuration. In particular I would like to see whether the NAT uses the route map approach (with match statements for both the interface and the acl) or just the simple statement for nat.

HTH

Rick

Antonio Macia · ‎05-16-2024

Hi Richard,

As you can see in the configuration I pasted above, the NAT are simple statements.

Richard Burts · ‎05-17-2024

Thank you for posting the configuration. Yes it is quite simple and that is the issue. When you have 2 outbound interfaces and you want to do different translation depending on the interface then the simple one line config for NAT does not work - as you are experiencing. With 2 outbound interfaces your NAT configuration must specify the correct translation for each interface. And the way to do that is to use a route map. MHM has provided a nice example of how to do that.

HTH

Rick