Static NAT translations and ACLs with dual failover ISP config

DazOG

Hi

I'm building a dual ISP failover config, which I believe I have got sorted out (second to-be-primary ISP isn't online yet to test, but the "ip sla" etc stuff is using the correct failback route).

Where I'm a bit confused is how to handle static NAT translations for services behind the router.

On my existing single ISP setup this is simple: an ip nat inside source static tcp 10.0.0.1 100 2.2.2.2 100 extendable entry along with a corresponding permit tcp any host 2.2.2.2 eq 100 ACL entry to allow the traffic inbound. This is all working.

When the second ISP comes online, I presume I will have to do a second static translation to the corresponding external IP (as I understand it, "extendable" is for this exact purpose)? In terms of the ACL, do I just create an object-group network with both external IPs in it and change the ACL to permit tcp any object-group ISP1-ISP2-EXT-IP eq 100, or do I do each line separately, or something else entirely?

Is this the correct way to do it? E.g. the config would end up looking something like this:

object-group network ISP1-ISP2-EXT-IP
 host 2.2.2.2
 host 3.3.3.3

ip nat inside source static tcp 10.0.0.1 100 2.2.2.2 100 extendable
ip nat inside source static tcp 10.0.0.1 100 3.3.3.3 100 extendable

ip access-list extended INCOMING
 permit tcp any object-group ISP1-ISP2-EXT-IP eq 100

Does that sound right? Thanks in advance!

Accepted Solution

You need one ACL for each IP,
INCOMING-ISP1 and INCOMING-ISP2,
and apply each one under the ISP interface the traffic comes from.

Thanks A Lot
MHM


6 Replies

DazOG

I forgot to add: DNS failover will be done externally, so that the FQDN people access will point to the currently available IP.


Thanks. Both ISP-facing Ethernet interfaces are in the same "OUTSIDE" zone, which has an ACL applied via a class-map and policy-map.

So I can't use an object-group to cover both IPs; I have to have two unique and explicit lines in the ACL?

No, you can use an object-group, but that makes the CPU check two lines (or more) for each packet.
That is not needed.
Making two ACLs makes the CPU check only one line.

DazOG

Clever, thanks.
