1444 Views, 3 Helpful, 4 Replies

static NAT with two outside interfaces

sergey.klusov (Level 1)

I have a router which performs NAT on two outside interfaces with load balancing, and I had a task to allow an inbound connection to be forwarded to a specific host inside on a well-known port.

Here is an example:

interface Fas0/0
 ip nat outside
interface Fas0/1
 ip nat outside
interface Vlan1
 ip nat inside

ip nat inside source route-map rm_isp1 pool pool_isp1
ip nat inside source route-map rm_isp2 pool pool_isp2

...

All worked fine.

Then I tried to add static NAT:

ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25

and as a result only the last static NAT line appeared in the config.

The solution was to use the interfaces' IPs instead of their names. That helped, but isn't that a bug?

4 Replies

sergey.klusov (Level 1)

That didn't work. Load balancing makes the returning packets exit through interfaces chosen by load balancing, not by the state table.

And what about this config?

ip nat inside source static tcp 10.0.0.1 25 25 extendable
ip nat inside source static tcp 10.0.0.1 25 25 extendable

You will not be able to make this work in such a way that it provides full redundancy.

The router has no means to decide to which interface a packet from 10.0.0.1 must be sent.

The required setup for redundancy is more complex:

You need to host your own range of public IP addresses and peer with at least two providers.

regards,

Leo

Amit Aneja (Level 3)

In this scenario, we are trying to access a mail server located at 10.0.0.1 from outside, and we have two outside IPs, let's say 71.1.1.1 and 69.1.1.1.

With CEF Enabled

A packet comes in on the Fa0/0 interface with source IP 66.x.x.x and destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1, and the packet goes to 10.0.0.1. The return packet arrives on the LAN interface first, and the routing decision is made *before* the packet is translated.

The packet's source IP at this point is 10.0.0.1 and its destination is 66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1, irrespective of the way it came in. Because of this, with CEF enabled this will not work. CEF is per-destination.

So, let's say somebody on the outside tried to access this server using 71.1.1.1; he would then expect a reply from 71.1.1.1, which may or may not happen, as the traffic could be NAT'd to either 69.1.1.1 or 71.1.1.1.

If he gets the reply packet from 71.1.1.1, it should work. If he gets it from 69.1.1.1, he will simply drop it, as he never sent a packet to 69.1.1.1.

With CEF and Fast Switching Disabled

Same steps as above, only that the packet is sent to the process level to be routed. At this point, the packets will be sent out in a round-robin fashion: one packet will go out via Fa0/0 and the next via Fa0/1. This will have a constant 50% packet loss and is also not a viable solution.

So, what you are trying to achieve is not possible on a Cisco router.

HTH,

Amit Aneja
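The failure mode Amit describes can be made concrete with a small model (added example, not part of the thread or of any Cisco code). It assumes the two public addresses from the thread (71.1.1.1 on Fa0/0, 69.1.1.1 on Fa0/1), replaces the real CEF hash with a SHA-256 of the destination, and models process switching as per-packet round robin; the point it shows is that the egress interface, and so the reply's public source address, is chosen before NAT and without regard to which address the client contacted.

```python
import hashlib
from itertools import cycle

INSIDE_HOST = "10.0.0.1"
# Constructed from the thread: outside interface -> public address that the
# static NAT entry on that interface exposes for 10.0.0.1:25.
OUTSIDE = {"Fa0/0": "71.1.1.1", "Fa0/1": "69.1.1.1"}
INTERFACES = list(OUTSIDE)


class TwoWanRouter:
    """Toy model: the reply from 10.0.0.1 is routed *before* it is translated,
    so the public source address depends only on the routing decision."""

    def __init__(self, cef: bool = True):
        self.cef = cef
        self._round_robin = cycle(INTERFACES)  # process switching

    def inbound_translate(self, dst_public: str) -> str:
        """Inbound packet: both public addresses have a static entry."""
        if dst_public not in OUTSIDE.values():
            raise ValueError("no static NAT entry for %s" % dst_public)
        return INSIDE_HOST

    def egress_for(self, client_ip: str) -> str:
        if self.cef:
            # Per-destination CEF: a deterministic function of the destination.
            # (SHA-256 stands in for the real CEF hash; it is an assumption.)
            h = hashlib.sha256(client_ip.encode()).digest()[0]
            return INTERFACES[h % len(INTERFACES)]
        return next(self._round_robin)  # fast switching off: alternate

    def reply_source(self, client_ip: str) -> str:
        """Public source address stamped on the reply toward client_ip."""
        return OUTSIDE[self.egress_for(client_ip)]


def reply_accepted(router: TwoWanRouter, client_ip: str, contacted_ip: str) -> bool:
    """A client only accepts a reply from the address it originally sent to."""
    router.inbound_translate(contacted_ip)
    return router.reply_source(client_ip) == contacted_ip


def loss_rate_cef(clients, contacted_ip: str) -> float:
    """Fraction of clients whose connections to contacted_ip silently fail."""
    r = TwoWanRouter(cef=True)
    return sum(not reply_accepted(r, c, contacted_ip) for c in clients) / len(clients)


def loss_rate_process_switched(n_packets: int, client_ip: str, contacted_ip: str) -> float:
    """Per-packet round robin: every other reply carries the wrong address."""
    r = TwoWanRouter(cef=False)
    return sum(not reply_accepted(r, client_ip, contacted_ip) for _ in range(n_packets)) / n_packets
```

With CEF each client either always works or never works against a given public address; with process switching every flow loses half its replies, matching the 50% figure above.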