12-30-2012 04:14 AM - edited 03-07-2019 10:50 AM
Hi all,
Please can anyone help me with this configuration......
I am connecting two ISP links, which are MPLS connections, to a single router so that the DMZ servers can be accessed from the remote clients.
My network design, apart from my main network, is:
ISP1 connects to different clients and servers from ISP2, but the whole 10.10.10.0 network should be accessible from both.
I enabled NATting for ISP1 and it is working fine, but now I have to connect ISP2.
Now my difficulty is that I have to create subinterfaces for the two ISPs and perform NAT for them.
My doubt is: can I NAT a single network for two ISPs? Will it work?
Instead of a default route, can I configure a static route for the same subnet to two different ISP routers?
Please can anyone help me with this....?
12-30-2012 06:09 AM
Hi Mohammed,
Depending on your needs, this should be possible using route-maps to properly select the appropriate translation based on the egress interface either to ISP1 or to ISP2.
Can you post your current NAT configuration to see how it is set up? I assume that the DMZ shall be accessible from outside using a set of static mappings. Thanks!
Best regards,
Peter
12-30-2012 06:19 AM
Thank you very much Peter for your reply...
I configured it for a single ISP; the configuration is as below:
ip nat pool p1 172.18.4.130 172.18.4.130 netmask 255.255.255.0
ip nat inside source list 10 pool p1 overload
ip route 0.0.0.0 0.0.0.0 172.18.4.129
!
access-list 10 permit 10.10.10.0 0.0.0.255
There are no subinterfaces configured for now....as I had a single connection from ISP1,
so I have to reconfigure it from scratch now...please guide.
12-30-2012 06:35 AM
Hello Mohammed,
You do not have any static mappings here. This would mean that the internal network 10.10.10.0/24 can reach outside internet thanks to NAT but the outside internet can not initiate connections to this network - it may only respond. Is this what you want?
In any case, if your current configuration is to be rewritten for two ISPs, it would look like this:
interface FastEthernet0/0.1
encapsulation dot1q X
ip nat outside
ip address 172.18.4.130 ...
!
interface FastEthernet0/0.2
encapsulation dot1q Y
ip nat outside
ip address 172.30.30.2 ...
!
access-list 10 permit 10.10.10.0 0.0.0.255
!
route-map ISP1 permit 10
match interface FastEthernet0/0.1
match ip address 10
!
route-map ISP2 permit 10
match interface FastEthernet0/0.2
match ip address 10
!
ip nat inside source route-map ISP1 interface FastEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0.2 overload
!
ip route 0.0.0.0 0.0.0.0 172.18.4.129
ip route 0.0.0.0 0.0.0.0 172.30.30.Z
What is really new here is the route-map. This is a more complex filtering tool than just an ACL because it allows you to perform matching on more criteria than just IP addresses. Here, we are using two route-maps, ISP1 and ISP2, to match not only the source IP address of packets to be translated (by referencing the ACL 10) but we also match the outgoing interface. If the Fa0/0.1 interface is matched then the traffic will be NATted to the Fa0/0.1 IP address. If the Fa0/0.2 interface is matched then the traffic will be NATted to the Fa0/0.2 IP address. As I do not know your current VLAN numbers, netmasks and the IP address of the ISP2 gateway, I have omitted them in my configuration or replaced them by letters X, Y and Z - please fill in the correct values.
Best regards,
Peter
12-30-2012 07:15 AM
Hi Peter,
I apologise for getting into this thread and I really appreciate your knowledge.
Just out of curiosity, can you please explain when the interface matching comes into the picture?
Thanks
12-30-2012 07:35 AM
Hello,
Oh, you are very much welcome - and thank you very much for your kind words!
Just out of curiosity, can you please explain when the interface matching comes into the picture?
The interface matching takes place at the moment the inside-to-outside NAT is processed for a packet. The document "NAT Order of Operation" at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1
explains that when packets flow from the inside to the outside interface, this sequence of steps is performed:
So as the packet comes from an inside network, it is first routed, and after the routing table lookup is done and the egress interface has been identified, the individual ip nat inside source commands are evaluated. At this point, each ip nat inside source command refers either to an ACL or to a route-map. In my practical experience, the IOS evaluates the ip nat inside source commands in the sequence they appear in the configuration file, performs the necessary matching using either the ACL or the route-map on the packet and possibly the egress interface, and uses the first match it finds.
Please feel welcome to ask further!
Best regards,
Peter
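The order Peter describes (route lookup first, then the ip nat inside source statements in configuration order, first match wins) can be simulated. The following is an added example, not code from the thread or from Cisco; it models the posted addresses and interfaces as plain Python data, stands in for CEF load sharing with a simple tiebreak index, and compares the original ACL-only statement (list 10 pool p1) with the two route-maps that also match the egress interface.

```python
import ipaddress
from typing import Optional

# Standard ACL 10 from the thread: permit 10.10.10.0 0.0.0.255
# Each entry is (network, wildcard); wildcard bits set to 0 must match.
ACL_10 = [("10.10.10.0", "0.0.0.255")]


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS-style wildcard comparison: only bits cleared in the wildcard are compared."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)


def acl_permits(acl, addr: str) -> bool:
    return any(wildcard_match(addr, net, wc) for net, wc in acl)


# Routing table modelled on the posted config (constructed, not a router dump):
# connected /30s towards each ISP, the inside /24, and the two equal default routes.
ROUTES = [
    ("172.18.4.128/30", "FastEthernet0/0.10"),
    ("172.30.30.0/30", "FastEthernet0/0.20"),
    ("10.10.10.0/24", "FastEthernet0/1"),
    ("0.0.0.0/0", "FastEthernet0/0.10"),   # via 172.18.4.129
    ("0.0.0.0/0", "FastEthernet0/0.20"),   # via 172.30.30.1
]

# Interfaces configured with 'ip nat outside'; inside->outside NAT only happens
# when the egress interface is one of these (Fa0/1 is 'ip nat inside').
NAT_OUTSIDE = {"FastEthernet0/0.10", "FastEthernet0/0.20"}

# Inside global address used by 'ip nat inside source ... interface X overload'
# (and by pool p1, which holds the Fa0/0.10 address).
IFACE_ADDR = {"FastEthernet0/0.10": "172.18.4.130", "FastEthernet0/0.20": "172.30.30.2"}


def route_lookup(dst: str, tiebreak: int = 0) -> Optional[str]:
    """Longest-prefix match. Equal-cost routes are picked by 'tiebreak', a stand-in
    for CEF per-destination load sharing between the two default routes."""
    d = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.IPv4Network(p), i) for p, i in ROUTES if d in ipaddress.IPv4Network(p)]
    if not hits:
        return None
    longest = max(n.prefixlen for n, _ in hits)
    candidates = [i for n, i in hits if n.prefixlen == longest]
    return candidates[tiebreak % len(candidates)]


# 'ip nat inside source' statements in configuration order, each as
# (ACL, required egress interface or None, interface whose address becomes the new source).
# Peter's suggestion: two route-maps, each with 'match ip address 10' and 'match interface'.
NAT_WITH_ROUTE_MAPS = [
    (ACL_10, "FastEthernet0/0.10", "FastEthernet0/0.10"),   # route-map ISP1
    (ACL_10, "FastEthernet0/0.20", "FastEthernet0/0.20"),   # route-map ISP2
]
# Mohammed's original single statement 'ip nat inside source list 10 pool p1 overload':
# it matches on the ACL only and always hands out the pool p1 address.
NAT_ACL_ONLY = [(ACL_10, None, "FastEthernet0/0.10")]


def translate(rules, src: str, dst: str, tiebreak: int = 0):
    """Route first, then walk the NAT statements in order: the first whose ACL permits
    the source (and whose interface equals the egress, if it requires one) wins.
    Returns (egress interface, source address after NAT)."""
    egress = route_lookup(dst, tiebreak)
    if egress is None:
        return None
    if egress not in NAT_OUTSIDE:
        return egress, src          # inside-to-inside: NAT is not consulted at all
    for acl, required_iface, nat_iface in rules:
        if acl_permits(acl, src) and required_iface in (None, egress):
            return egress, IFACE_ADDR[nat_iface]
    return egress, src              # no statement matched: leaves untranslated
```

With the route-maps, a packet that the routing table sends out Fa0/0.20 is translated to 172.30.30.2; with the ACL-only statement the same packet still leaves ISP2 with the ISP1 address 172.18.4.130 as its source, which the ISP2 side will typically drop or fail to route back.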
12-30-2012 11:13 PM
Hi Peter, thank you very much for the efforts you are putting in.....
But after configuring the above commands I am still not able to reach the ISP.
I am pasting the running config here; can you please tell me where I am going wrong....
------------------------------------------------------------------------------------------------------------------------------------------------
Current configuration : 1612 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.18.4.130 255.255.255.252
ip nat outside
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.30.30.2 255.255.255.252
ip nat outside
!
interface FastEthernet0/1
ip address 10.10.10.100 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router bgp 64500
no synchronization
no bgp log-neighbor-changes
neighbor 172.18.4.129 remote-as 64000
neighbor 172.30.30.1 remote-as 65000
no auto-summary
!
ip nat inside source route-map ISP1 interface FastEthernet0/0.10 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0.20 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.4.129
ip route 0.0.0.0 0.0.0.0 173.30.30.1
!
!
access-list 10 permit 10.10.10.0 0.0.0.255
!
route-map ISP2 permit 10
match ip address 10
match interface FastEthernet0/0.20
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet0/0.10
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end
12-31-2012 12:10 AM
Hello Mohammed,
Your current configuration is missing the ip nat inside command on the FastEthernet0/1 interface. Just add it there and test the connectivity again.
On a different note, I see you have BGP routing protocol configured. Are the ISPs going to send any routes to you? Most probably, you should configure the BGP to prevent routes from one ISP to leak to the other ISP. Are there any routes you will be sending to these ISPs?
Best regards,
Peter
12-31-2012 03:24 AM
Hi Peter...
Yes, I noticed that before posting and added ip nat inside on Fa0/1,
even though there was no connectivity...
Actually, before going to production I want to test it on GNS3, so the above configuration is from my GNS3 router.
I am very sorry for making things complicated.
My headache is not only routing the 10.0 network to two ISPs but also connecting the subnet with the internal network.
Objectives:
1) The servers of another organization should be connected with my DMZ server over the MPLS connection.
2) VPN should be connected to remote single-user outlets with a hardware-based VPN device from this router.
3) The servers in the DMZ should be accessible from the internal network.
The DMZ servers can be accessed from the internal network, but the router 10.10.10.100 is not reachable from the internal network.
I configured 10.100 to access the DMZ servers, but if the gateway must be 10.10.10.100 for the servers then they can't be reached from the internal network,
and if the gateway is 10.10.10.1 then they can't be accessed from the router.
They should be accessible from both 10.100 and 10.1.
Please help....
01-01-2013 02:49 AM
Hi Peter,
Let me try to explain my understanding of how NAT works, and I need your comments on this.
1. The packet arrives at the router from the host with its own IP as source and a public IP as destination.
2. The router looks up the routing table; if it finds a route for the destination, it recurses to the exit interface... I need to know when the ip nat inside command comes into the picture. Is it before the routing or after the routing?
3. Now coming to the use of route-maps where we have multiple entries, i.e. to match the interface and then the access-list.
I want to know whether this route-map comes into the picture after the routing, that is, after deciding the exit interface..?
Please clarify.
Thanks
01-01-2013 03:56 AM
Hi Peter....hi Mahmood
Good question Mahmood...at present I am struggling with that only....
I configured router-on-a-stick on both sides:
1) for the 2 ISP connections
2) subnetted the DMZ and configured subinterfaces on the router
Now I configured NAT on both subinterfaces of the router for DMZ1 and DMZ2, and route-maps to separate the traffic of DMZ1 to ISP1 and DMZ2 to ISP2, but the NAT is not working now. After the subinterfaces I can reach my inside global address from the DMZ devices but can't reach the outside global address. I am pasting the running config.....
--------------------------------------------------------------------------------------------------------------------------------------------------
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 172.18.4.130 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 172.30.30.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 10.10.10.100 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip policy route-map POLICY1
!
interface GigabitEthernet0/1.102
encapsulation dot1Q 102
ip address 10.10.10.200 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip policy route-map POLICY1
!
router bgp 65412
bgp log-neighbor-changes
neighbor 172.18.4.129 remote-as 65000
!
ip forward-protocol nd
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool p1 172.18.4.130 172.18.4.130 netmask 255.255.255.0
ip nat pool p2 172.30.30.2 172.30.30.2 netmask 255.255.255.0
ip nat source list 10 pool p1 overload
ip nat source list 20 pool p2 overload
ip route 0.0.0.0 0.0.0.0 172.18.4.129
ip route 0.0.0.0 0.0.0.0 172.30.30.1
!
access-list 10 permit 10.10.10.0 0.0.0.127
access-list 20 permit 10.10.10.128 0.0.0.127
!
route-map POLICY1 permit 101
match ip address 10
set ip next-hop 172.18.4.129
!
route-map POLICY1 permit 102
match ip address 20
set ip next-hop 172.30.30.1
!
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Please guide me where I am going wrong....................
01-01-2013 04:12 AM
Hello Mohammed,
Your current problem is that you are using an incorrect command - the "ip nat source" instead of "ip nat inside source". This is a common mistake because the two commands are very similar but serve different purposes - the "ip nat source" is a newer way of configuring NAT that uses a different approach to configuration. It is currently not suitable for you.
The immediate solution is to remove the "ip nat source" commands and replace them with identical "ip nat inside source" commands. Please try it out and let us know!
Best regards,
Peter
01-01-2013 04:40 AM
Hurray....................
Thank you very much Peter.....
I am very dumb not to have spotted that silly mistake.....
Anyway, all is well....happy new year to all.
One more question..
When I am connected to DMZ1 then I can't reach the DMZ2 servers or gateway, and vice versa......
Same problem with the internal network, that is 192.168.0.0.
01-01-2013 02:08 PM
Hello Mohammed,
I have a feeling that your Policy Based Routing is not entirely correct. It makes all traffic coming from 10.10.10.0/25 to be routed out through the first ISP and the traffic coming from 10.10.10.128/25 to be routed out through the second ISP. It does not take the destination of the traffic into account. That means that even if the DMZ1 wants to communicate with DMZ2, your PBR configuration sends all traffic out to internet.
This is my suggested correct configuration (just the relevant modified part):
access-list 101 deny ip 10.10.10.0 0.0.0.127 10.10.10.128 0.0.0.127
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
!
access-list 102 deny ip 10.10.10.128 0.0.0.127 10.10.10.0 0.0.0.127
access-list 102 permit ip 10.10.10.128 0.0.0.127 any
!
route-map POLICY1 permit 101
match ip address 101
set ip next-hop 172.18.4.129
!
route-map POLICY1 permit 102
match ip address 102
set ip next-hop 172.30.30.1
!
ip nat inside source list 101 pool p1 overload
ip nat inside source list 102 pool p2 overload
Try this configuration please.
Best regards,
Peter
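The difference between the two PBR configurations comes down to how a route-map sequence treats a deny entry in its match ACL: a denied packet does not match that sequence, IOS moves on to the next sequence, and if none matches the packet is routed normally. The following added example (not from the thread or from Cisco) evaluates both the original POLICY1 with standard ACLs 10/20 and Peter's corrected POLICY1 with ACLs 101/102 against constructed packets; the normal-routing fallback is modelled as the two connected DMZ /25s plus the first of the posted default routes, which is an assumption for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' written as network/wildcard


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS-style wildcard comparison: only bits cleared in the wildcard are compared."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)


# ACLs as ordered (action, (src, wildcard), (dst, wildcard)) entries.
# 101/102 are the corrected extended lists; 10/20 model the standard lists from the
# original PBR, which look at the source only (destination 'any').
ACLS = {
    "101": [("deny", ("10.10.10.0", "0.0.0.127"), ("10.10.10.128", "0.0.0.127")),
            ("permit", ("10.10.10.0", "0.0.0.127"), ANY)],
    "102": [("deny", ("10.10.10.128", "0.0.0.127"), ("10.10.10.0", "0.0.0.127")),
            ("permit", ("10.10.10.128", "0.0.0.127"), ANY)],
    "10": [("permit", ("10.10.10.0", "0.0.0.127"), ANY)],
    "20": [("permit", ("10.10.10.128", "0.0.0.127"), ANY)],
}


def acl_permits(name: str, src: str, dst: str) -> bool:
    """First matching entry decides; no matching entry means the implicit deny."""
    for action, (sn, sw), (dn, dw) in ACLS[name]:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# route-map POLICY1 as (sequence, match ACL, set ip next-hop).
POLICY1_ORIGINAL = [(101, "10", "172.18.4.129"), (102, "20", "172.30.30.1")]
POLICY1_FIXED = [(101, "101", "172.18.4.129"), (102, "102", "172.30.30.1")]

# Normal forwarding used when no PBR sequence matches (constructed model).
CONNECTED = [("10.10.10.0/25", "connected GigabitEthernet0/1.101"),
             ("10.10.10.128/25", "connected GigabitEthernet0/1.102")]
DEFAULT_NEXT_HOP = "172.18.4.129"   # assumed: first posted default route


def policy_route(route_map, src: str, dst: str):
    """Next hop set by the first sequence whose ACL permits the packet, else None.
    A deny in the ACL does not drop the packet; it only fails that sequence."""
    for _seq, acl, next_hop in route_map:
        if acl_permits(acl, src, dst):
            return next_hop
    return None


def forward(route_map, src: str, dst: str) -> str:
    """What the router does with a packet arriving on a PBR-enabled inside interface."""
    nh = policy_route(route_map, src, dst)
    if nh is not None:
        return nh
    d = ipaddress.IPv4Address(dst)
    for prefix, via in CONNECTED:
        if d in ipaddress.IPv4Network(prefix):
            return via
    return DEFAULT_NEXT_HOP
```

Running forward() shows the symptom from the thread: with the original lists, a DMZ1 host talking to DMZ2 is handed to 172.18.4.129 and never reaches the connected subnet, while the corrected lists fall through to normal routing for that pair. The same check with a 192.168.0.0 destination shows that the corrected lists still policy-route DMZ traffic towards the internal network out to the ISP, since the deny entries only exempt the other DMZ half.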
01-02-2013 03:37 AM
Hi Peter,
Thanks a ton for your interest in solving my problem....
Your configuration is perfect, but I removed the route-maps and added ACLs to that config.
My config is below;
if there are any mistakes please correct me.
----------------------------------------------------------------------------------------------------------------------------------
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 172.18.4.130 255.255.255.252
ip access-group internal out
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 172.30.30.2 255.255.255.252
ip access-group internal out
ip nat outside
ip virtual-reassembly in
!
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 10.10.10.100 255.255.255.128
ip access-group Internal in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.102
encapsulation dot1Q 102
ip address 10.10.10.200 255.255.255.128
ip access-group Internal in
ip nat inside
ip virtual-reassembly in
!
router bgp 65412
bgp log-neighbor-changes
neighbor 172.18.4.129 remote-as 65000
!
ip forward-protocol nd
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool p1 172.18.4.130 172.18.4.130 netmask 255.255.255.0
ip nat pool p2 172.30.30.2 172.30.30.2 netmask 255.255.255.0
ip nat inside source list DMZ1 pool p1 overload
ip nat inside source list DMZ2 pool p2 overload
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip access-list extended DMZ1
permit ip 10.10.10.0 0.0.0.127 any
ip access-list extended DMZ2
permit ip 10.10.10.128 0.0.0.127 any
ip access-list extended Internal
permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
---------------------------------------------------------------------------------------------------------------------------------------------------------