NAT and multiple ISP

jquintard (Level 1)

Hi,

Currently my NAT configuration is like this:

interface FastEthernet1/0
  description ISP
  ip address 172.16.10.2 255.255.255.0
  ip nat outside
interface FastEthernet2/0
  description Lan
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip nat inside source list 10 interface FastEthernet1/0 overload
access-list 10 permit 10.10.10.0 0.0.0.255

That works, but I don't understand why the default route is required. Without it, it doesn't work. Why?

I want to add another ISP to be used with IP addresses below 10.10.10.51. So I tried to use an access list to capture the traffic and change the route like this:

interface FastEthernet1/0
  description ISP1
  ip address 172.16.10.2 255.255.255.0
  ip nat outside
interface FastEthernet2/0
  description Lan
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
interface FastEthernet3/0
  description ISP2
  ip address 172.16.20.2 255.255.255.0
  ip nat outside
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip nat inside source list 10 interface FastEthernet1/0 overload
ip nat inside source list 20 interface FastEthernet3/0 overload
access-list 10 permit 10.10.10.0 0.0.0.50
access-list 20 permit 10.10.10.51 0.0.0.204

But with this configuration, it's impossible for an IP address (like 10.10.10.20 or 10.10.10.100) to reach the outside.

Why doesn't that work? I don't understand.

Is it possible to use NAT like this?

Must I use an ACL or a route-map?

Is it possible to use each ISP as a backup for the other?

Thanks for your help

Jerome


Antonio Knox (Level 7)

> That works, but I don't understand why the default route is required. Without it, it doesn't work. Why?

The default route tells your traffic what the next hop is when it is destined for a network that your router does not have a route to.

> Must I use an ACL or RouteMap?

You could use that, or you could use IP SLA to track a primary route and switch to a secondary route should it fail (substitute 4.2.2.2 with your default next hop): http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx

Ok, thanks Antonio.

But there is always one thing I don't understand. I want routing like this:

10.10.10.0 to 50 use Fa1/0 as route

10.10.10.51 to 254 use Fa2/0 as route

I have tried to set two route-maps for this:

ip nat inside source route-map NAT-ADSL interface FastEthernet1/0 overload
ip nat inside source route-map NAT-SDSL interface FastEthernet3/0 overload
ip access-list extended ADSL
  permit ip 10.10.10.0 0.0.0.50 any
ip access-list extended SDSL
  permit ip 10.10.10.51 0.0.0.204 any
route-map NAT-ADSL permit 10
  match ip address ADSL
route-map NAT-SDSL permit 10
  match ip address SDSL

But I can't reach any destination with this config. Why? I don't see any problem in my config...

Jerome

Your ACLs won't work because you are using incorrect wildcard masks. Also, you need to apply the route-map. I'm assuming you meant you wanted to use fa1/0 and fa3/0 to route traffic out to your ISPs. Use the below config -

access-list 101 permit ip 10.10.10.0 0.0.0.31 any
access-list 101 permit ip 10.10.10.32 0.0.0.15 any
access-list 101 permit ip host 10.10.10.48 any
access-list 101 permit ip host 10.10.10.49 any
access-list 101 permit ip host 10.10.10.50 any
access-list 102 permit ip host 10.10.10.51 any
access-list 102 permit ip 10.10.10.52 0.0.0.3 any
access-list 102 permit ip 10.10.10.56 0.0.0.7 any
access-list 102 permit ip 10.10.10.64 0.0.0.63 any
access-list 102 permit ip 10.10.10.128 0.0.0.127 any
ip nat inside source list 101 interface fa1/0 overload
ip nat inside source list 102 interface fa3/0 overload
route-map PBR permit 10
  match ip address 101
  set ip next-hop 172.16.10.1
route-map PBR permit 20
  match ip address 102
  set ip next-hop 172.16.20.1
int fa2/0
  ip policy route-map PBR

Ok Jon,

But why:

access-list 102 permit ip host 10.10.10.51 any
access-list 102 permit ip 10.10.10.52 0.0.0.3 any
access-list 102 permit ip 10.10.10.56 0.0.0.7 any
access-list 102 permit ip 10.10.10.64 0.0.0.63 any
access-list 102 permit ip 10.10.10.128 0.0.0.127 any

And not simply:

access-list 102 permit ip 10.10.10.51 0.0.0.203 any

51+203=254

Because wildcard masks just don't work like that, unfortunately. It would be very handy if they did.

Do you know where I can find a correct explanation of how to use wildcard masks?

Have a look at this link which covers subnetting and wildcards -

http://www.rhyshaden.com/ipadd.htm

If you have further questions then come back for clarification.

Jon

Jon,

If I understand correctly, you split the wanted size into multiple wildcards. So if I want to capture packets from 192.168.0.1 to 192.168.0.24, you don't use 0.0.0.24 as the wildcard, but with the help of this magic table:

CIDR   Addresses   Mask   Wildcard
/24    256         0      255
/25    128         128    127
/26    64          192    63
/27    32          224    31
/28    16          240    15
/29    8           248    7
/30    4           252    3
/31    2           254    1

access-list 101 permit ip 192.168.0.1 0.0.0.15 any
access-list 101 permit ip 192.168.0.16 0.0.0.7 any
access-list 101 permit ip host 192.168.0.24 any

Is this correct? So for 192.168.0.51 to 192.168.0.254 (203 addresses) I suppose these wildcards are correct:

access-list 101 permit ip 192.168.0.51 0.0.0.127 any
access-list 101 permit ip 192.168.0.179 0.0.0.31 any
access-list 101 permit ip 192.168.0.211 0.0.0.31 any
access-list 101 permit ip 192.168.0.243 0.0.0.7 any
access-list 101 permit ip 192.168.0.250 0.0.0.3 any
access-list 101 permit ip host 192.168.0.254 any

Is it correct?

Just to add to the discussion, have a look at the below document, which I posted before in CSC, that addresses requirements similar to yours.

By the way, you do not need PBR or IP SLA unless you want to.

https://supportforums.cisco.com/docs/DOC-8313

HTH

if helpful Rate

Thanks for this perfect article!

Jon,

Is my reply about wildcards correct or not?

Do you know a tool for doing this calculation?

access-list 101 permit ip 192.168.0.51 0.0.0.127 any
access-list 101 permit ip 192.168.0.179 0.0.0.31 any
access-list 101 permit ip 192.168.0.211 0.0.0.31 any
access-list 101 permit ip 192.168.0.243 0.0.0.7 any
access-list 101 permit ip 192.168.0.250 0.0.0.3 any
access-list 101 permit ip host 192.168.0.254 any

No, the above is not correct. See my previous post for the correct answer.

You cannot simply use the first address and apply a wildcard mask to it. You have to work out where the subnet would begin. So if you type

access-list 101 permit ip 192.168.0.51 0.0.0.127 any

the router will actually change that to

access-list 101 permit ip 192.168.0.0 0.0.0.127 any

which would include hosts 192.168.0.1 -> 126 with a broadcast of 192.168.0.127, which is not what you want. So what you need to do is look at that table you posted and see where the subnet would start.

So a class C address could be subnetted as follows:

Subnet mask       Wildcard    Hosts
255.255.255.128   0.0.0.127   126 hosts + broadcast
255.255.255.192   0.0.0.63    62 hosts + b
255.255.255.224   0.0.0.31    30 + b
255.255.255.240   0.0.0.15    14 + b
255.255.255.248   0.0.0.7     6 + b
255.255.255.252   0.0.0.3     2 + b

So you need to understand that with a 0.0.0.127 you can have 2 subnets -

192.168.0.0 0.0.0.127 which is 192.168.0.1 -> 126 + b
192.168.0.128 0.0.0.127 which is 192.168.0.129 -> 254 + b

With 0.0.0.63 you can have 4 subnets -

192.168.0.0 0.0.0.63 -> 192.168.0.1 -> 62 + b
192.168.0.64 0.0.0.63 -> 192.168.0.65 -> 126 + b
192.168.0.128 0.0.0.63 -> 192.168.0.129 -> 190 + b
192.168.0.192 0.0.0.63 -> 192.168.0.193 -> 254 + b

So the key is to understand that -

0.0.0.127 = subnets go up in 128
0.0.0.63  = subnets go up in 64
0.0.0.31  = subnets go up in 32
0.0.0.15  = subnets go up in 16
0.0.0.7   = subnets go up in 8
0.0.0.3   = subnets go up in 4

So for your ACL you need to work out where to start. 192.168.0.51 does not fall into any subnet without including hosts that you don't want, i.e. hosts less than .51, so you include it as a host, i.e.

access-list 101 permit ip host 192.168.0.51 any

then 52 onwards. If you look at the above examples you will see that

0.0.0.127 would be 192.168.0.1 -> 127, which is too many hosts.

0.0.0.63 would be 192.168.0.1 -> 63, which is again too many hosts.

0.0.0.31 would be 192.168.0.1 -> 31, which doesn't cover .52
         192.168.0.32 -> 63 does cover .52, but again this is too many hosts

0.0.0.15 would be 192.168.0.1 -> 192.168.0.15
         192.168.0.16 -> 192.168.0.31
         192.168.0.32 -> 192.168.0.47
         192.168.0.48 -> 63 - this covers .52 but is still too many hosts

0.0.0.7 would be 192.168.0.1 -> 192.168.0.7
         192.168.0.8 -> 192.168.0.15
         192.168.0.16 -> 192.168.0.23
         192.168.0.24 -> 192.168.0.31
         192.168.0.32 -> 192.168.0.39
         192.168.0.40 -> 192.168.0.47
         192.168.0.48 -> 55 - this covers .52 but too many hosts

0.0.0.3 would be 192.168.0.1 -> 192.168.0.3
         192.168.0.4 -> 192.168.0.7
         192.168.0.8 -> 192.168.0.11
         etc...
         192.168.0.48 -> 192.168.0.51
         192.168.0.52 -> 55, which would work, so the next line of the ACL is

access-list 101 permit ip 192.168.0.52 0.0.0.3 any

That gets you to 192.168.0.56.

We do the same thing again, but this time we stop at -

0.0.0.7 which is 192.168.0.56 -> 63

etc. for the rest of the ACL.

So to work it out you have to break it down into available subnets and then see where your hosts fit into that.

I appreciate this is a long explanation but it's worth understanding both for subnetting and for wildcard masks. Have a read of it and perhaps try writing it out if it helps to make more sense and if you have further questions or need clarification then come back.

Jon
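The boundary rule Jon walks through above, and the two-ISP split from his earlier PBR config (ACL 101 for .0-.50, ACL 102 from .51 up), as an added Python example that is not code from the thread: it normalizes an address/wildcard pair the way IOS does, decomposes a host range into boundary-aligned blocks, and expands ACL lines back into the hosts they actually match, which is also the "tool for doing this calculation" Jerome asked for. Function names are mine; the addresses and ACL numbers are the thread's, and the range end is inclusive, so passing .255 reproduces Jon's five-line ACL 102.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def normalize(addr: str, wildcard: str) -> str:
    """What IOS keeps for 'addr wildcard': the wildcard's don't-care bits are cleared
    in the address, so 192.168.0.51 0.0.0.127 is stored as 192.168.0.0 0.0.0.127."""
    return str(ipaddress.IPv4Address(_ip(addr) & ~_ip(wildcard) & 0xFFFFFFFF))

def range_to_acl(first: str, last: str, acl: int):
    """Cover first..last (inclusive) with the fewest extended-ACL lines. Each step
    takes the largest power-of-two block that starts on its own boundary and does
    not run past 'last'; a lone address becomes a 'host' entry."""
    start, end, lines = _ip(first), _ip(last), []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        net = ipaddress.IPv4Address(start)
        if size == 1:
            lines.append(f"access-list {acl} permit ip host {net} any")
        else:
            wc = ipaddress.IPv4Address(size - 1)
            lines.append(f"access-list {acl} permit ip {net} {wc} any")
        start += size
    return lines

def matched_hosts(lines):
    """Expand 'permit ip <net> <wildcard> any' / 'permit ip host X any' lines into
    the set of source addresses the router matches (non-contiguous wildcards too)."""
    hosts = set()
    for line in lines:
        p = line.split()
        if p[4] == "host":
            hosts.add(p[5])
            continue
        w = _ip(p[5])
        base = _ip(p[4]) & ~w  # what IOS actually stores (see normalize)
        hosts.update(str(ipaddress.IPv4Address(base | i))
                     for i in range(w + 1) if (i & ~w) == 0)
    return hosts

def two_isp_split():
    """The thread's split: .0-.50 to ISP1 (ACL 101), .51-.255 to ISP2 (ACL 102)."""
    isp1 = range_to_acl("10.10.10.0", "10.10.10.50", 101)
    isp2 = range_to_acl("10.10.10.51", "10.10.10.255", 102)
    assert matched_hosts(isp1).isdisjoint(matched_hosts(isp2))  # no host in both
    return isp1, isp2
```

Running matched_hosts over Jerome's original "10.10.10.51 0.0.0.204" entry shows it matches only 16 scattered addresses, and "10.10.10.0 0.0.0.50" only 8, which is why 10.10.10.20 and 10.10.10.100 matched neither NAT list and never got translated.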

Marwan ALshawi (VIP Alumni)

Also, for quick subnetting you can use the below link:

http://www.subnet-calculator.com/

Jon, 5+, very nice and thorough explanation.

Please rate the helpful posts.

HTH

Sent from Cisco Technical Support iPhone App

Marwan

Thanks, it was one of those where, as I was writing it, I was wondering whether it would create more confusion rather than simplify things.

Jon
