2 WAN + 1 LAN -> Nat only works through 1 WAN

dektecdigital (Level 1)

Hi all,


We have 2 WAN interfaces:

- FastEthernet8 (DHCP-assigned fixed 192.168.1.10), routed through 192.168.1.1

- Dialer1 (direct external IP, negotiated address).

The default route 0.0.0.0 is set to Dialer1 and FastEthernet8 (with metric 254), so we have internet access, but all traffic goes through Dialer1.

Packets arriving from outside (from WAN to LAN) through Dialer1 are forwarded to the correct internal IP address (for example, port 443 should be forwarded to our local IP 192.168.39.4). Also, the return packet is correctly sent back through Dialer1.

But... when a packet arrives through FastEthernet8, it is correctly NAT-translated to 192.168.39.4; however, the return packet from our internal server goes back through Dialer1 instead of FastEthernet8.

Here are some syslog-events:

*Oct 12 14:18:21.380 PCTime: NAT*: o: tcp (69.163.149.200, 47883) -> (192.168.1.10, 443) [36630]    
*Oct 12 14:18:21.380 PCTime: NAT*: s=69.163.149.200, d=192.168.1.10->192.168.39.4 [36630]
*Oct 12 14:18:21.380 PCTime: NAT*: i: tcp (192.168.39.4, 443) -> (69.163.149.200, 47883) [5054]
*Oct 12 14:18:21.380 PCTime: NAT*: s=192.168.39.4->192.168.1.10, d=69.163.149.200 [5054]


As you can see, our server replies, but the packet is never sent out through 192.168.1.1.

Does anybody have an idea why? Thanks!

KR,

Peter    

2 Replies

Raju Sekharan (Cisco Employee)

From your explanation, I understand that your default route through FastEthernet8 has metric 254, so it is not in the routing table. So when the return packet comes back via the LAN, it does the translation using the existing static NAT entry and sends the packet via the Dialer1 route, which is present in the routing table.

Hi Rajs,

Thanks for your reply. However, I did try removing the metric, so both Dialer1 and FE8 are on metric 1, but in this case we still have internet access from inside (although now it goes through FE8), but every port forward from outside->inside doesn't work anymore (neither to Dialer1 nor to FE8).

Maybe I should give some more details on the config. Here's part of it:

ip cef

interface FastEthernet8
description $ETH-WAN$
ip address dhcp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

interface GigabitEthernet0
description $ETH-WAN$
no ip address
ip flow ingress
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1

interface Vlan1
ip address 172.31.255.1 255.255.255.0 secondary
ip address 192.168.39.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452

interface Dialer1
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map SDM_CMAP_1

ip nat pool MAIL 192.168.39.4 192.168.39.4 netmask 255.255.255.0 type rotary
ip nat inside source route-map COAX interface FastEthernet8 overload
ip nat inside source route-map FIBER interface Dialer1 overload
ip nat inside destination list Mail pool MAIL

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 8.8.4.4 255.255.255.255 FastEthernet8 192.168.1.1
ip route 8.8.8.8 255.255.255.255 Dialer1

ip access-list extended Mail
permit object-group Mail_Ports any any

ip sla 1
icmp-echo 8.8.8.8
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 8.8.4.4
timeout 1000
threshold 40
frequency 3
ip sla schedule 2 life forever start-time now

track 1 ip sla 1 reachability
delay down 15 up 10

track 2 ip sla 2 reachability
delay down 15 up 10

access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.39.0 0.0.0.255 192.168.38.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.39.0 0.0.0.255 192.168.38.0 0.0.0.255
access-list 101 permit ip 192.168.39.0 0.0.0.255 any
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 172.31.255.0 0.0.0.255 any

dialer-list 1 protocol ip permit
no cdp run

route-map COAX permit 10
match ip address 101
match interface FastEthernet8

route-map FIBER permit 10
match ip address 101
match interface Dialer1

What I actually want is to have Dialer1 as the main internet route with FE8 as the backup route (when Dialer1 drops), as well as accepting port forwards on both interfaces, with the answer from our server routed back via the 'right' route... Is that possible?

Thanks again and kind regards,

Peter
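The following is an added diagnostic model, not code from this thread or from Cisco. It reproduces the order of operations behind the syslog lines above: for an inside-to-outside packet IOS does the route lookup on the untranslated destination first and only then applies the existing NAT entry, whereas for outside-to-inside the translation happens before routing. The script models the routing table from the posted config (the trailing 254 on `ip route 0.0.0.0 0.0.0.0 FastEthernet8 254` is the administrative distance of a floating static, so that route is only installed once the tracked Dialer1 default is withdrawn), parses the posted `NAT*:` debug lines, and flags replies whose translated source address belongs to a different outside interface than the one the RIB actually chooses. The Dialer1 address (203.0.113.5) is an assumed placeholder; the sample log is constructed from the lines in the question.

```python
import ipaddress
import re

# Constructed model of the routing table from the thread. The third column is
# the administrative distance IOS attaches to a static route; the FE8 default
# is a floating static (254) that is installed only after the tracked Dialer1
# default disappears. The Dialer1 address is an assumed placeholder.
ROUTES = [
    ("0.0.0.0/0", "Dialer1", 1),
    ("0.0.0.0/0", "FastEthernet8", 254),
    ("8.8.4.4/32", "FastEthernet8", 1),
    ("8.8.8.8/32", "Dialer1", 1),
]
OUTSIDE_IF_BY_ADDR = {"192.168.1.10": "FastEthernet8", "203.0.113.5": "Dialer1"}

# "NAT*: o: tcp (src, sport) -> (dst, dport) [ip-id]"  and
# "NAT*: s=a->b, d=c [ip-id]" as printed by 'debug ip nat'.
FLOW_RE = re.compile(
    r"NAT\*: ([io]): (\w+) \(([\d.]+), (\d+)\) -> \(([\d.]+), (\d+)\) \[(\d+)\]")
XLATE_RE = re.compile(r"NAT\*: s=(\S+), d=(\S+) \[(\d+)\]")

# Constructed from the four debug lines quoted in the question.
SAMPLE_LOG = """\
*Oct 12 14:18:21.380 PCTime: NAT*: o: tcp (69.163.149.200, 47883) -> (192.168.1.10, 443) [36630]
*Oct 12 14:18:21.380 PCTime: NAT*: s=69.163.149.200, d=192.168.1.10->192.168.39.4 [36630]
*Oct 12 14:18:21.380 PCTime: NAT*: i: tcp (192.168.39.4, 443) -> (69.163.149.200, 47883) [5054]
*Oct 12 14:18:21.380 PCTime: NAT*: s=192.168.39.4->192.168.1.10, d=69.163.149.200 [5054]
"""


def rib_lookup(dst, dialer_up=True, routes=ROUTES):
    """Longest-prefix match; among equal prefixes the lowest distance wins.
    When Dialer1's track is down its routes are withdrawn, which is the only
    time the floating FE8 default reaches the RIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc, dist in routes:
        if not dialer_up and ifc == "Dialer1":
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or
                            (net.prefixlen, -dist) > (best[0].prefixlen, -best[2])):
            best = (net, ifc, dist)
    return best[1] if best else None


def parse_nat_debug(text):
    """Pair each flow line with the translation line sharing its [ip-id]."""
    flows = {}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            direction, proto, sip, sport, dip, dport, pid = m.groups()
            flows[pid] = {"dir": direction, "proto": proto, "src": sip,
                          "sport": int(sport), "dst": dip, "dport": int(dport)}
            continue
        m = XLATE_RE.search(line)
        if m and m.group(3) in flows:
            s, d, pid = m.groups()
            flows[pid]["s_xlate"] = s.split("->")   # [original, translated]
            flows[pid]["d_xlate"] = d.split("->")
    return flows


def find_asymmetric_replies(text, dialer_up=True):
    """Inside->outside ('i') packets are routed on the untranslated destination
    and then hit the existing translation. Flag every reply whose translated
    source lives on a different outside interface than the RIB egress."""
    findings = []
    for pid, f in parse_nat_debug(text).items():
        if f["dir"] != "i" or "s_xlate" not in f:
            continue
        egress = rib_lookup(f["dst"], dialer_up)
        nat_addr = f["s_xlate"][-1]
        nat_if = OUTSIDE_IF_BY_ADDR.get(nat_addr, "unknown")
        if nat_if != egress:
            findings.append({"id": pid, "inside": f["src"], "nat_addr": nat_addr,
                             "nat_if": nat_if, "egress": egress})
    return findings


if __name__ == "__main__":
    for state in (True, False):
        print("Dialer1 up" if state else "Dialer1 down",
              find_asymmetric_replies(SAMPLE_LOG, dialer_up=state))
```

With Dialer1 up the reply to 69.163.149.200 is reported as translated to the FE8 address 192.168.1.10 but routed out Dialer1, which is exactly the mismatch in the posted log; with Dialer1 down the floating FE8 default takes over and the same flow is consistent. On the router itself the equivalent check is to compare `show ip route` (the FE8 default will be absent while track 1 is up) with `show ip nat translations` for the flow in question.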
