
Dual ISP active active nat for users and mail server

teymur azimov
Level 1

Hi Dears. I have configured two ISPs on my router. I want to make both ISP links back up each other. In case one of the links goes down, all my traffic will use the other link.

I have one subnet (192.168.10.0/24). The subnet is divided into 2 groups. One group is NATed to ISP1 and the other group, which is 7 IP addresses, is NATed to ISP2 at the same time. They back each other up.

I have no problem with this dynamic NAT translation. I also have one mail server for which I do static NAT. I have one server, so I have one mail server private IP, 192.168.10.7.

I do static NAT for the mail server on ISP1. Now I want my mail server to do NAT translation to two ISPs, one primary and one backup. This is my working config.

Who can help me? This is a very interesting issue. Please help me.

Current configuration : 4301 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
redundancy
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
 delay down 15 up 10
!
track 3 ip sla 2 reachability
 delay down 15 up 10
!
crypto dynamic-map dynmap 10
 reverse-route
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.116
 description connected to ISP1
 encapsulation dot1Q 116
 ip address 81.x.x.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.859
 description connected to ISP2
 encapsulation dot1Q 859
 ip address 85.x.x.114 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Classify
 duplex auto
 speed auto
 standby 1 ip 10.0.0.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload     <-- these are working
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 81.x.x.12 route-map MAIL-Server   <-- this one is working, and I want to add a backup ISP for my mail server.
ip route 0.0.0.0 0.0.0.0 81.x.x.9
ip route 0.0.0.0 0.0.0.0 85.x.x.113
ip route 192.168.10.0 255.255.255.0 10.0.0.2
!
ip sla 1
 icmp-echo 81.x.x.9 source-interface GigabitEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 85.x.x.113 source-interface GigabitEthernet0/0.859
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny   ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.127 any
access-list 101 permit ip 192.168.10.128 0.0.0.63 any
access-list 101 permit ip 192.168.10.192 0.0.0.31 any
access-list 101 permit ip 192.168.10.224 0.0.0.15 any
access-list 101 permit ip 192.168.10.240 0.0.0.7 any
access-list 102 permit ip 192.168.10.248 0.0.0.7 any
access-list 103 permit ip 192.168.10.0 0.0.0.127 any
access-list 103 permit ip 192.168.10.128 0.0.0.63 any
access-list 103 permit ip 192.168.10.192 0.0.0.31 any
access-list 103 permit ip 192.168.10.224 0.0.0.15 any
access-list 103 permit ip 192.168.10.240 0.0.0.7 any
access-list 104 permit ip 192.168.10.248 0.0.0.7 any
access-list 105 permit ip host 192.168.10.7 any
!
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
!
route-map Classify permit 10
 match ip address 103
 set ip next-hop verify-availability 81.x.x.9 1 track 2
 set ip next-hop verify-availability 85.x.x.113 2 track 3
!
route-map Classify permit 20
 match ip address 104
 set ip next-hop verify-availability 85.x.x.113 1 track 3
 set ip next-hop verify-availability 81.x.x.9 2 track 2
!
route-map ISP2 permit 20
 match ip address 102 101
 match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
 match ip address 101 102
 match interface GigabitEthernet0/0.116
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
event manager applet Track2down
 event track 2 state down
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet track2UP
 event track 2 state up
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet Track3Down
 event track 3 state down
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet Track3Up
 event track 3 state up
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
!
end


cadet alain
VIP Alumni

Hi,

Considering both ISPs are only on this router then just change this:

ip nat inside source static 192.168.10.7 81.x.x.12 route-map MAIL-Server

To:

ip nat inside source static 192.168.10.7 81.x.x.12 extendable

ip nat inside source static 192.168.10.7 85.x.x.x extendable

But you won't have stateful NAT with this config; for this you would need 2 routers and use SNAT with or without HSRP, or use an ASA pair in Active/Standby or Active/Active mode.

Regards.

Alain.

Don't forget to rate helpful posts.

I do not think that it will work if I add or change it as you wrote:

ip nat inside source static 192.168.10.7 81.x.x.12 extendable

ip nat inside source static 192.168.10.7 85.x.x.x extendable

It is a simple NAT translation. I have dual ISPs and I want my mail server to do static NAT to two ISPs for redundancy. One ISP is primary, the second ISP is backup.

Hi,

Why would it not work?

It will work because static NAT entries only make dynamic entries when a connection is made from outside to inside, and so if ISP1 is down people can still connect from outside through ISP2, and as the backup static route is inserted in the RIB the dynamic entry created will work without any problem.

Alain.

Don't forget to rate helpful posts.

Marwan ALshawi
VIP Alumni

Once you set up the PBR with IP SLA for selecting the ISP and next hop, you can have two static NATs like below for NATing per ISP:

access-list 100 permit ip host x.x.x.x any
! where x.x.x.x is the mail server IP
route-map ISP1
 match ip address 100
 match interface x/x
! x/x is the interface to ISP1
route-map ISP2
 match ip address 100
 match interface y/y
! y/y is the interface to ISP2
ip nat static x.x.x.x y.y.y.y route-map ISP1
ip nat static x.x.x.x z.z.z.z route-map ISP2

See the below link for an example

https://supportforums.cisco.com/docs/DOC-8313

Hope this helps

If helpful rate

Sorry the ip nat command is

Ip nat inside source .... Then the rest
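Why the posted configuration leaves the mail server untranslated when its traffic exits via ISP2, and how a second route-map-qualified static entry closes that gap, worked through as an added example (not code from any poster in this thread). It models only the source-address entries of ACLs 101, 102 and 105 and each route-map's `match interface` clause; the route-map name MAIL-Server-ISP2 is hypothetical, and 85.x.x.x is the thread's own placeholder.

```python
import ipaddress

def wc_match(host, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    h, b, w = (int(ipaddress.IPv4Address(x)) for x in (host, base, wildcard))
    return (h | w) == (b | w)

# Source-address entries of the ACLs in the posted config (first match wins).
ACLS = {
    101: [("deny", "192.168.10.7", "0.0.0.0"),
          ("permit", "192.168.10.0", "0.0.0.127"),
          ("permit", "192.168.10.128", "0.0.0.63"),
          ("permit", "192.168.10.192", "0.0.0.31"),
          ("permit", "192.168.10.224", "0.0.0.15"),
          ("permit", "192.168.10.240", "0.0.0.7")],
    102: [("permit", "192.168.10.248", "0.0.0.7")],
    105: [("permit", "192.168.10.7", "0.0.0.0")],
}

def acl_permits(num, host):
    for action, base, wildcard in ACLS[num]:
        if wc_match(host, base, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

# NAT rules in the order modelled here: static entries first, then overload.
# Tuple: (label, ACLs in the route-map, route-map egress interface, public address).
POSTED = [
    ("static MAIL-Server", [105], "Gi0/0.116", "81.x.x.12"),
    ("overload ISP1", [101, 102], "Gi0/0.116", "81.x.x.10"),
    ("overload ISP2", [102, 101], "Gi0/0.859", "85.x.x.114"),
]
# Hypothetical second static entry, following the per-ISP route-map reply
# (route-map name is an assumption; 85.x.x.x is the thread's placeholder).
PROPOSED = [POSTED[0],
            ("static MAIL-Server-ISP2", [105], "Gi0/0.859", "85.x.x.x")] + POSTED[1:]

def translate(rules, host, egress):
    """Return (rule label, public address), or None if no NAT rule applies."""
    for label, acls, iface, public in rules:
        if iface == egress and any(acl_permits(a, host) for a in acls):
            return label, public
    return None

if __name__ == "__main__":
    for rules, name in ((POSTED, "posted"), (PROPOSED, "proposed")):
        for egress in ("Gi0/0.116", "Gi0/0.859"):
            print(name, egress, translate(rules, "192.168.10.7", egress))
```

With the posted rules, 192.168.10.7 leaving via GigabitEthernet0/0.859 matches nothing: the static entry is pinned to the ISP1 interface and ACL 101 explicitly denies the host from both overload rules.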

Martin Marino
Level 1

Hi

You can also configure a secondary IP on the server and do a static NAT map for each of the server's IPs.

Sent from Cisco Technical Support iPhone App
