Help for NAT & match detailed explanation

srikanth ath · ‎12-08-2011

Hi all

was in a mess as i have worked mostly on switches never worked on router.

we have bought 2911 router recently has to set up VOIP line seperately for the network

we have two two broadband service provider:

1. how can i use 1 line as an active and other line as a failover(when 1 line is down other line should automatically bear the traffic).

clear config wil help me a lot. NATTING using MAtch address objects

( roughly )

broadband service provider 1: 97.89.X.X 255.255.252.0

broadband service provider 2: 10.0.x.x 255.255.240.0

2. there are only 20 users to set up a voip line now.

here we have telecom provider where they should route the traffic to make any international calls( say telecom public ip 200.200.109.110)

from lan - wan everything is allowed

from wan -lan we have to allow only telcom provider IP(200.200.109.110)

Carlo Poggiarelli · ‎12-09-2011

Hi.

For First question you can use track objects to verify if a connection is up or down and use route-map based Nat to use right interface ip address to be natted.

Ok let's see the regarding config

Verify if one provider is up..

Assume our internet connections are

Interface Fa0/0

ip add 200.200.100.2 255.255.255.252

Description Provider 1

Interface Fa0/1

ip add 200.200.200.2 255.255.255.252

Description Backup Provider

ip sla 1 (With this we ping an external ip always reachable)

icmp echo 8.8.8.8 (ie. google dns always reachable)

frequency 5

timeout 5000

ip sla schedule 1 starttime now lifetime forever

track 1 rtr 1 (We define a track object which will monitor the ip sla 1 status and will be used in later config)

ip route 8.8.8.8 255.255.255.255 200.200.100.1

ip route 0.0.0.0 0.0.0.0 200.200.100.1 track 1 (default route to main provider tracking ip sla 1 status)

ip route 0.0.0.0 0.0.0.0 200.200.200.1 200 (a second default route with an higher metric will be used only if first provider is down)

rote-map Provider1

match interface fastEthernet 0/0

match ip address NAT

rote-map Provider2

match interface fastEthernet 0/1

match ip address NAT

access-list NAT

permit ip 192.168.0.0 0.0.0.255 any (assuming your internal lan is 192.168.0.0/24)

ip nat inside source route-map Provider1 interface Fastethernet0/0 overload

ip nat inside source route-map Provider2 interface Fastethernet0/1 overload

Hope This Helps

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

Latchum Naidu · ‎12-09-2011

Hi Srikanth,

Please see the below example config for failover between two ISP's and also NAT failover.
You need to change the IP address and internal address at necessary places.

interface FastEthernet0/0
bandwidth 2048
ip address 200.200.109.110 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 206.206.206.2 255.255.255.248
ip nat outside
duplex auto
speed auto

!
interface Vlan1
description to LAN
ip address 10.100.100.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!

ip route 0.0.0.0 0.0.0.0 200.200.109.110
ip route 0.0.0.0 0.0.0.0 206.206.206.2 10
!

ip nat inside source route-map NAT interface FastEthernet0/0 overload
ip nat inside source route-map NAT interface FastEthernet0/1 overload

!
ip sla 1
icmp-echo 206.206.206.2 source-interface FastEthernet0/0
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now

access-list 101 permit ip 10.100.100.0 0.0.0.255 any

!
route-map NAT permit 10
match ip address 101
match interface FastEthernet0/0
!
route-map NAT permit 10
match ip address 101
match interface FastEthernet0/1

Please rate the helpfull posts.
Regards,
Naidu.

Carlo Poggiarelli · ‎12-09-2011

Hi Naidu.

Your config is silmilar to what I posted.

The problem in you config is that ip route to the next provider will not be used until fastethernet remains up.

So you have ,necessarily, to verify the internet connectivity.

That's why I used a track object to obtain a valid check.

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

Latchum Naidu · ‎12-09-2011

Hi Carlo,

Huff, I didnt have my cup of tea....

I forgot that command.

track 1 ip sla 1 reachability

Please rate the helpfull posts.

Regards,

Naidu.

Carlo Poggiarelli · ‎12-09-2011

Hi Naidu.

Another cup of tea

You cannot config two route-maps with the same name

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"

srikanth ath · ‎12-09-2011

HI carlo/naidu

Thanks a lot guys. I can relax and have a cup of tea now with ur help as i went through Number of documents online couldnt find the way ur config luks.will have to work out on this on monday and if i face any problem wil defenetely update it.

and in the mean while can you give me a link, which helpsme to have an idea on each and every command purpose..

thanks & regards

srikanth

Carlo Poggiarelli · ‎12-09-2011

Hi Srilkanth.

These two links lead to what yuo need to know about what me and Naidu suggested you.

1- Backup Routing using track object

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

2- Load Balancig/ Failover Nat

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

HTH

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"