11-12-2009 10:23 AM - edited 03-06-2019 08:35 AM
10.10.1.0 is my internal network, which I want to grant access to the internet
(IntraNet) 10.10.1.0 ---> 10.10.1.1 (privateRouter) 10.10.2.1 ---> (PIX) ---> 10.10.2.2 (edgeRouter#2) DHCP ---> InterNet
(IntraNet) 10.10.1.0 ---> 10.10.1.1 (privateRouter) 10.10.3.1 ---> (PIX) ---> 10.10.3.2 (edgeRouter#3) DHCP ---> InterNet
10.10.1.0 is the IntraNet
10.10.1.1 is the private router inside interface (one interface only)
10.10.2.1 is the private router outside#2 interface connected to ISP#2 via edgeRouter#2
10.10.3.1 is the private router outside#3 interface connected to ISP#3 via edgeRouter#3
... and for simplicity let's forget the firewall; what I want is:
IntraNet to ISP#2 (via edgeRouter#2) NATed to 10.10.2.1 (private outside#2)
IntraNet to ISP#3 (via edgeRouter#3) NATed to 10.10.3.1 (private outside#3)
and I want both connections to operate simultaneously so I can selectively route traffic to ISP#1 or ISP#2
WITHIN THE PRIVATE ROUTER depending on traffic type or final destination
11-12-2009 11:00 AM
"and for simplicity let's forget the firewall; what I want is: ..."
Do you mean the firewalls won't actually be there?
It makes a difference because routers support PBR but PIX firewalls do not, so if you want to selectively route traffic the PIX firewalls will get in the way - can you confirm?
Jon
11-12-2009 12:17 PM
yes, I'm afraid it's there and will stay there
Actually it's there NATing 10.10.1.0 to edgeRouter#1's inside because I have one ISP only, but since the other ISP got involved I started thinking about a NAT scenario on the private router, which is actually not doing any kind of NAT.
Although you say the PIX does not support it (I don't know what PBR is), I'll research it :)
11-12-2009 12:24 PM
PBR = Policy Based routing which allows you to route traffic based on something other than just the destination address which is how packets are normally routed.
You may be able to use the PBR recursive next-hop feature to get round this but that would mean you would need to allow ICMP from the internal router to the edge routers. If you are happy to do that let me know and we can come up with a config. The config would still need testing so no guarantees as yet.
What IOS version is your internal router running, what hardware router is it, and what version of software is the PIX running?
Jon
11-12-2009 12:36 PM
I was just reading that, although I was aware of route maps (using them on another non-related setup) I completely forgot it is called PBR.
Current config does not allow pinging outside the firewall.
private router's relevant commands (current):
boot system flash:c1841-advsecurityk9-mz.124-15.T11.bin
PIX515UR relevant commands (current):
boot system flash:/pix804.bin
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside2
icmp deny any outside3
edge routers (both identical) relevant commands (current):
boot system flash:c1841-advsecurityk9-mz.124-15.T11.bin
You mean something like tagging the packets on the private router (these for edge#1 and these for edge#2) and then routing them based on the tags regardless of the destination (or source) address, right?
11-12-2009 09:53 PM
I was researching a bit and got the following:
iOutside2
description going NATed to PIX's inside#2 ... or to edgeRouter#2's inside ... then to ISP#2
ip address 10.10.2.1 255.255.255.0
ip virtual-reassembly
ip nat outside
exit
route-map rmOutside2 permit 10
set ip next-hop 10.10.2.2
exit
ip nat pool poolOutside2 10.10.2.1 10.10.2.1 netmask 255.255.255.0 ... normal traffic should get NATed to this address
ip nat pool poolOutside2exception1 10.10.2.3 10.10.2.3 netmask 255.255.255.0 ... with a few exceptions to the following address; think some management ports
ip nat pool poolOutside2exception2 10.10.2.4 10.10.2.4 netmask 255.255.255.0
ip nat pool poolOutside2exception3 10.10.2.5 10.10.2.5 netmask 255.255.255.0
iOutside3
description going NATed to PIX's inside#3 ... or to edgeRouter#3's inside ... then to ISP#3
ip address 10.10.3.1 255.255.255.0
ip virtual-reassembly
ip nat outside
exit
route-map rmOutside3 permit 10
set ip next-hop 10.10.3.2
exit
ip nat pool poolOutside3 10.10.3.1 10.10.3.1 netmask 255.255.255.0 ... normal traffic should get NATed to this address
ip nat pool poolOutside3exception1 10.10.3.3 10.10.3.3 netmask 255.255.255.0 ... with a few exceptions to the following address; think some management ports
ip nat pool poolOutside3exception2 10.10.3.4 10.10.3.4 netmask 255.255.255.0
ip nat pool poolOutside3exception3 10.10.3.5 10.10.3.5 netmask 255.255.255.0
iInside
description IntraNet
ip address 10.10.1.1 255.255.255.0 ... the inside interface address; 10.10.1.0 is the network
ip policy route-map rmOutside[2|3] ... can choose only one at a time; but something better than nothing to begin with
ip virtual-reassembly
ip nat inside
exit
... now I need to actually NAT the inside to the outsides:
ip nat inside source list aclNAToutside pool poolOutside2 overload ... many-to-one NAT
ip nat inside source list aclNAToutside pool poolOutside3 overload ... many-to-one NAT
ip access-list standard aclNAToutside
permit 10.10.1.0 0.0.0.255
exit
... adding a few exceptions:
ip nat inside source list aclNAToutsideException1 pool poolOutside2exception1 overload ... many-to-one NAT
ip nat inside source list aclNAToutsideException1 pool poolOutside3exception1 overload ... many-to-one NAT
ip access-list standard aclNAToutsideException1
permit 10.10.1.X ... eq whatever
exit
... and this is as far as I got; ip nat only allows standard ACLs, so I have no way to add an exception, because for this I need an extended one.
... any other way?
ip nat inside source also accepts a route-map, which in turn accepts match ip address, which accepts standard or extended ACLs; should I follow this path?
... supposing I find a way to use extended ACLs with the nat command, and if (a big IF) I can find a way to get the two route maps simultaneously associated with the inside interface, then I can place match commands on those route maps to divert traffic as desired, without any need to ping the edge routers like in those SLA scenarios which verify the availability of the target routers, because I will only be NATing to the firewall inside interfaces, and what comes after that is not relevant from the point of view of this private (IntraNet) router. Am I right?
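One way to wire this up on the private router, as an added example that is not from the original thread (interface names FastEthernet0/0, 0/1 and 0/1/0, and the 10.10.1.50 / port 22 "management" exception, are assumptions; addresses follow the topology above): NAT via route-maps with "match interface" so both outsides translate at once, and one PBR route-map on the inside interface that picks the exit by traffic type.

```cisco
! Added example, not the poster's config. Interface names and the
! 10.10.1.50 / tcp 22 exception are assumed; addresses are from the thread.
interface FastEthernet0/0
 description IntraNet (private router inside)
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-INSIDE
interface FastEthernet0/1
 description towards PIX inside#2 / edgeRouter#2 (10.10.2.2)
 ip address 10.10.2.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1/0
 description towards PIX inside#3 / edgeRouter#3 (10.10.3.2), assumed 3rd port
 ip address 10.10.3.1 255.255.255.0
 ip nat outside
!
! PBR: HTTPS (assumed example) leaves via ISP#3, everything else via ISP#2.
! A clause with no match statement matches all remaining traffic.
ip access-list extended ACL-PBR-ISP3
 permit tcp 10.10.1.0 0.0.0.255 any eq 443
route-map PBR-INSIDE permit 10
 match ip address ACL-PBR-ISP3
 set ip next-hop 10.10.3.2
route-map PBR-INSIDE permit 20
 set ip next-hop 10.10.2.2
ip route 0.0.0.0 0.0.0.0 10.10.2.2
!
! NAT: the route-map form accepts extended ACLs, and "match interface"
! ties each translation to the exit the packet actually leaves on.
! The exception hosts are denied in the general ACL so no NAT-rule
! ordering question arises.
ip access-list extended ACL-NAT-MGMT
 permit tcp host 10.10.1.50 any eq 22
ip access-list extended ACL-NAT-INTRANET
 deny   tcp host 10.10.1.50 any eq 22
 permit ip 10.10.1.0 0.0.0.255 any
route-map NAT-OUT2 permit 10
 match ip address ACL-NAT-INTRANET
 match interface FastEthernet0/1
route-map NAT-OUT3 permit 10
 match ip address ACL-NAT-INTRANET
 match interface FastEthernet0/1/0
route-map NAT-OUT2-MGMT permit 10
 match ip address ACL-NAT-MGMT
 match interface FastEthernet0/1
ip nat pool poolOutside2exception1 10.10.2.3 10.10.2.3 netmask 255.255.255.0
ip nat inside source route-map NAT-OUT2 interface FastEthernet0/1 overload
ip nat inside source route-map NAT-OUT3 interface FastEthernet0/1/0 overload
ip nat inside source route-map NAT-OUT2-MGMT pool poolOutside2exception1 overload
```

Because the next-hops 10.10.2.2 and 10.10.3.2 sit on the far side of the PIX, the PIX must forward between the private router's outside addresses and the edge routers' inside addresses; no ICMP-based next-hop verification is used here, which fits the current "icmp deny" rules on the PIX.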