NAT to 2 different ISP networks

dwyman41
Level 1

I am currently trying to get NAT to work over two /27 routed links to an ISP.  We have connection to our ISP and into our internal network.  Our issue is when using NAT it uses one link or the other.  I have tried changing pool IPs and routes but we can only get one link to pass traffic at a time.  Are there any suggestions for someone who hasn't done NAT before?


Francesco Molino
VIP Alumni
Hi

Can you share the config you've done?
To help you change the config: what you want to achieve is being able to access the internet through 2 ISPs at the same time, right? This is for outbound only.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is what we have in that router minus some of the random things like the banner.

 

ip cef load-sharing algorithm original
!

flow record NETFLOW
collect interface input
collect interface output
collect flow direction
collect flow sampler
collect application name
collect application smtp server
collect application http url
collect application http host
collect application http user-agent
collect application http referer
collect application nntp group-name
collect application rtsp host
!
!
flow exporter NETFLOW
destination 192.168.4.32
source GigabitEthernet0/0/1
transport udp 2055
!
!
flow monitor NETFLOW
exporter NETFLOW
statistics packet protocol
statistics packet size
record netflow-original
!
sampler NETFLOW
mode random 1 out-of 5000
!
multilink bundle-name authenticated
!
cdp run
!
ip ftp source-interface Loopback1
ip tftp source-interface Loopback1
ip ssh time-out 60
ip ssh source-interface Loopback1
ip ssh version 2
!
zone security LAN
description LAN
zone security INTERNET
description INTERNET
zone-pair security LAN-to-INTERNET source LAN destination INTERNET
service-policy type inspect LAN-to-INTERNET
!
interface Loopback1
ip address 172.16.0.105 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
description ISP-1_External
bandwidth 7500000
ip address 195.39.171.194 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip flow monitor NETFLOW sampler NETFLOW input
ip flow monitor NETFLOW sampler NETFLOW output
zone-member security LAN
load-interval 60
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description ISP-2_External
bandwidth 7500000
ip address 195.39.171.226 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip flow monitor NETFLOW sampler NETFLOW input
ip flow monitor NETFLOW sampler NETFLOW output
zone-member security LAN
load-interval 60
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description DAWGNet-ITN-513-Core 2
ip address 172.16.0.19 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip flow monitor NETFLOW sampler NETFLOW input
ip flow monitor NETFLOW sampler NETFLOW output
zone-member security LAN
load-interval 60
negotiation auto
!
interface GigabitEthernet0/0/3
description DAWGNet-ITN-513-Core 1
ip address 172.16.0.17 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip flow monitor NETFLOW sampler NETFLOW input
ip flow monitor NETFLOW sampler NETFLOW output
zone-member security LAN
load-interval 60
negotiation auto
!
interface GigabitEthernet0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security INTERNET
shutdown
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/2/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/2/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/2/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
router eigrp 100
network 172.16.0.0
network 192.168.0.0 0.0.255.255
redistribute static
passive-interface default
no passive-interface GigabitEthernet0/0/2
no passive-interface GigabitEthernet0/0/3
!
ip nat translation timeout 120
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat pool DAWG 195.39.171.227 195.39.171.255 netmask 255.255.255.224
ip nat pool DAWG-A 195.39.171.195 195.39.171.222 prefix-length 24
ip nat inside source list 1 pool DAWG overload
ip nat inside source list 11 pool DAWG-A overload
ip forward-protocol nd
!
ip flow-export source GigabitEthernet0/0/1
ip flow-export version 9
ip flow-export destination 192.168.4.32 2055
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 195.39.171.193
!
ip access-list standard NFL-GAME
permit 192.168.101.3
!
ip access-list extended BlockedIPs
permit ip any 108.61.0.0 0.0.255.255
permit ip 108.61.0.0 0.0.255.255 any
permit ip any 104.238.169.0 0.0.0.255
permit ip 104.238.169.0 0.0.0.255 any
permit ip any 173.239.198.0 0.0.0.255
permit ip 173.239.198.0 0.0.0.255 any
permit ip any 178.162.128.0 0.0.127.255
permit ip 178.162.128.0 0.0.127.255 any
permit ip any 46.166.136.0 0.0.7.255
permit ip 46.166.136.0 0.0.7.255 any
permit ip any 46.166.176.0 0.0.7.255
permit ip 46.166.176.0 0.0.7.255 any
permit ip any 46.166.184.0 0.0.7.255
permit ip 46.166.184.0 0.0.7.255 any
permit ip any 45.56.148.0 0.0.1.255
permit ip 45.56.148.0 0.0.1.255 any
permit ip any 104.207.136.0 0.0.3.255
permit ip 104.207.136.0 0.0.3.255 any
permit ip any 209.95.50.0 0.0.1.255
permit ip 209.95.50.0 0.0.1.255 any
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit gre any any
ip access-list extended Other_Streaming
permit tcp any any eq 32400
!
kron occurrence BACKUP_OCCURRENCE in 30:0:0 recurring
policy-list CONFIGURATION_BACKUP
!
kron policy-list CONFIGURATION_BACKUP
cli write memory
!
logging history informational
logging alarm critical
logging host 192.168.4.31
access-list 1 remark INSIDE-NAT Addresses
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.24 0.0.0.7 log
access-list 2 remark INSIDE-NAT2 Addresses
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 172.16.0.24 0.0.0.7 log
access-list 11 permit 195.39.171.0 0.0.0.255
access-list 21 permit 192.168.4.32
access-list 21 remark ALLOW NMS SNMP
access-list 21 permit 192.168.4.31
access-list 21 deny any log
access-list 23 remark ALLOW VTY Connections
access-list 23 permit 192.168.5.0 0.0.0.255 log
access-list 23 permit 192.168.13.0 0.0.0.255 log
access-list 23 deny any log
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
!
route-map ISP1 permit 10
match ip address 110
!
line con 0
exec-timeout 5 0
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
access-class 23 out
privilege level 15
logging synchronous
login local
length 0
transport input ssh
transport output ssh
line vty 5 15
access-class 23 in
access-class 23 out
privilege level 15
logging synchronous
login local
transport input ssh
transport output ssh
!
ntp source Loopback1
ntp server 192.168.4.10 prefer
ntp server 192.168.4.11
!
end

Hi

Georg already answered you :-) Follow his config and everything will work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

 

below is a basic sample configuration for NAT load balancing using two static default routes. In the example, you have static IP addresses configured on your ISP linked interfaces. If you don't (that is, if you use DHCP, or PPP negotiation), replace the section:

 

ip nat pool ISP1_POOL 100.100.100.2 100.100.100.2 prefix-length 30
ip nat pool ISP2_POOL 200.200.200.2 200.200.200.2 prefix-length 30
!
ip nat inside source route-map ISP1 pool ISP1_POOL overload
ip nat inside source route-map ISP2 pool ISP2_POOL overload

 

with

 

ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload

 

 

----------------

 

ip cef
!
interface FastEthernet0/0
description ISP1 Link
ip address 100.100.100.2 255.255.255.252
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in
!
interface FastEthernet0/1
description ISP2 Link
ip address 200.200.200.2 255.255.255.252
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 0.0.0.0 0.0.0.0 200.200.200.1
!
ip nat pool ISP1_POOL 100.100.100.2 100.100.100.2 prefix-length 30
ip nat pool ISP2_POOL 200.200.200.2 200.200.200.2 prefix-length 30
!
ip nat inside source route-map ISP1 pool ISP1_POOL overload
ip nat inside source route-map ISP2 pool ISP2_POOL overload
!
route-map ISP1 permit 10
match ip address NAT_ACL
match interface FastEthernet0/0
!
route-map ISP2 permit 10
match ip address NAT_ACL
match interface FastEthernet0/1
!
ip access-list extended NAT_ACL
permit ip 192.168.1.0 0.0.0.255 any

What exactly do the route-map parts do here? We had one of the previous guys try this and it wasn't working, but I'm not sure if he was doing it right either. I'm not great with them, but do you put that into your NAT addresses and then point to the ACL for the inside IP ranges, and the route-map provides which port they should be leaving on?

Hello,

 

the route maps let you define the IP addresses that should be matched, as well as the outgoing interfaces. The configuration I posted is pretty standard and works in many routers. Try it out and let us know if it works...
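To make the route-map logic in the sample config above concrete, here is an added Python model (written for this thread; it is not code from the thread, from Cisco, or from any poster). It parses the NAT-relevant lines of a constructed config modelled on the sample and, for a packet from a given source to a given destination, reports which link the router exits on, which route-map matches, and which pool address the packet is translated to. Two things are assumptions: the NEXT_HOP_IFACE mapping (which next hop sits behind which interface) and the per-flow load-sharing model, where real CEF hashes source and destination and this code simply XORs the two addresses and takes the remainder modulo the number of equal-cost default routes. The one-default-route variant reproduces the symptom in the opening post: with a single route every flow exits the same link, so the second route-map never matches.

```python
"""Model of route-map based NAT selection on a dual-ISP Cisco IOS router.

Added illustration for this thread, not code from the thread or from Cisco.
It parses the NAT-relevant lines of a constructed config (modelled on the
sample above) and answers, for a packet from SRC to DST: which exit
interface the router picks, which route-map matches, and which NAT pool
(outside address) the packet is translated to.
"""
import ipaddress
import re

# Constructed config: the NAT / route-map part of the dual-ISP sample.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 0.0.0.0 0.0.0.0 200.200.200.1
!
ip nat pool ISP1_POOL 100.100.100.2 100.100.100.2 prefix-length 30
ip nat pool ISP2_POOL 200.200.200.2 200.200.200.2 prefix-length 30
!
ip nat inside source route-map ISP1 pool ISP1_POOL overload
ip nat inside source route-map ISP2 pool ISP2_POOL overload
!
route-map ISP1 permit 10
 match ip address NAT_ACL
 match interface FastEthernet0/0
!
route-map ISP2 permit 10
 match ip address NAT_ACL
 match interface FastEthernet0/1
!
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
"""

# Same config with the second default route missing: the situation in the
# original post, where only one link ever carries traffic.
ONE_ROUTE_CONFIG = SAMPLE_CONFIG.replace("ip route 0.0.0.0 0.0.0.0 200.200.200.1\n", "")

# Assumed: which next hop is reachable through which interface (taken from the
# interface addresses in the sample; a real router learns this from its
# connected routes).
NEXT_HOP_IFACE = {"100.100.100.1": "FastEthernet0/0", "200.200.200.1": "FastEthernet0/1"}


def parse_config(text):
    """Pull default routes, NAT pools, NAT rules, route-maps and ACLs out of IOS-style text."""
    cfg = {"routes": [], "pools": {}, "nat_rules": [], "route_maps": {}, "acls": {}}
    section = None  # ("rm", name) or ("acl", name) while reading indented sub-lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            cfg["routes"].append(m.group(1))
            section = None
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            cfg["pools"][m.group(1)] = (m.group(2), m.group(3))  # name -> (first, last)
            section = None
        elif m := re.match(r"ip nat inside source route-map (\S+) pool (\S+)", line):
            cfg["nat_rules"].append((m.group(1), m.group(2)))  # evaluated in order
            section = None
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            section = ("rm", m.group(1))
            cfg["route_maps"].setdefault(m.group(1), {"acl": None, "iface": None})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section = ("acl", m.group(1))
            cfg["acls"].setdefault(m.group(1), [])
        elif section and section[0] == "rm":
            if m := re.match(r"match ip address (\S+)", line):
                cfg["route_maps"][section[1]]["acl"] = m.group(1)
            elif m := re.match(r"match interface (\S+)", line):
                cfg["route_maps"][section[1]]["iface"] = m.group(1)
        elif section and section[0] == "acl":
            if m := re.match(r"permit ip (\S+) (\S+) any", line):
                # ipaddress accepts a Cisco wildcard such as 0.0.0.255 as a host mask.
                cfg["acls"][section[1]].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return cfg


def pick_exit_interface(cfg, src, dst):
    """Simplified model of per-flow CEF load sharing (assumption: XOR of source and
    destination modulo the number of equal-cost default routes). With a single
    default route every flow lands on the same link."""
    h = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    next_hop = cfg["routes"][h % len(cfg["routes"])]
    return NEXT_HOP_IFACE[next_hop]


def translate(cfg, src, dst):
    """Return (exit interface, matching route-map or None, outside address or None).

    Mirrors 'ip nat inside source route-map': a route-map matches only when the
    source is permitted by its ACL *and* the packet is leaving through its
    'match interface', so each link translates to its own pool."""
    iface = pick_exit_interface(cfg, src, dst)
    src_ip = ipaddress.ip_address(src)
    for rm_name, pool_name in cfg["nat_rules"]:
        rm = cfg["route_maps"][rm_name]
        in_acl = any(src_ip in net for net in cfg["acls"].get(rm["acl"], []))
        if in_acl and rm["iface"] == iface:
            return iface, rm_name, cfg["pools"][pool_name][0]
    return iface, None, None  # untranslated: leaves with its private source address


if __name__ == "__main__":
    for name, text in (("two default routes", SAMPLE_CONFIG), ("one default route", ONE_ROUTE_CONFIG)):
        cfg = parse_config(text)
        print(f"--- {name} ---")
        for dst in ("8.8.8.8", "1.1.1.1"):
            print("192.168.1.10 ->", dst, translate(cfg, "192.168.1.10", dst))
        print("10.0.0.5 -> 8.8.8.8 (not in NAT_ACL):", translate(cfg, "10.0.0.5", "8.8.8.8"))
```

Running the script prints, for each config variant, which interface, route-map and outside address three sample flows get. A source outside NAT_ACL leaves untranslated on whichever link the routing decision picked, which is why the ACL referenced by the route-map, not the route-map itself, is the place to scope which inside hosts may reach the internet.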

ip nat inside source route-map ISP1 pool ISP1_POOL overload
ip nat inside source route-map ISP2 pool ISP2_POOL overload

 

with

 

ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload

 

I was unable to put both of these commands in because they both point to ip nat inside. Is one of them supposed to be something else?

The commands are correct.
What error are you getting when issuing them on the router?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dynamic NAT already in use, cannot reconfigure.

This means there is traffic going on. While doing that change, nobody will have internet access anymore.

 

To reconfigure:

do a clear ip nat trans *

then remove the old NAT pool by issuing no ip nat pool xxxx

And you're ready to reconfigure.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I did that and had the outbound ports shut when I was configuring this. It accepts one command or the other.

I thought you were trying the first 2 and the last 2.

You don't need those 2 lines:

ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload

 

Only the first two are OK.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That worked, thank you.

You're welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question