Dual ISP: Nat Problem

jcartier (Level 1)

Greetings,

I'm trying to achieve a failover scenario using a multi-homed connection to the same ISP. The problem I'm having is that the NAT translations are not clearing after the primary link fails and then comes back online. When the primary link recovers I'm still seeing traffic going over the backup link. Any suggestions or comments?

ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
username admin privilege 15 secret xxx
!
track 1 rtr 1 reachability
!
interface FastEthernet0/0
 description ISP 2 - Backup Connection
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ISP 1 - Primary Connection
 ip address 192.168.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface FastEthernet0/3/4
!
interface FastEthernet0/3/5
!
interface FastEthernet0/3/6
!
interface FastEthernet0/3/7
!
interface FastEthernet0/3/8
 description LAN
 spanning-tree portfast
!
interface Vlan1
 description LAN Subnet
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 5
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary-nat interface FastEthernet0/0 overload
ip nat inside source route-map backup-nat2 interface FastEthernet0/1 overload
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map backup-nat2 permit 10
 match ip address nat
 set interface FastEthernet0/1
!
route-map primary-nat permit 10
 match ip address nat
 set interface FastEthernet0/0

Accepted Solution

I got a config that works. The only caveat is that you need the T train for oer support in the ip nat translation.

You will also need to play around with the 'ip nat translation timeout'.

_______________________

ip sla 1
 icmp-echo 192.168.1.2
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Ethernet2/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.2 5
!
ip nat inside source route-map backup-nat interface Ethernet2/0 overload oer
ip nat inside source route-map primary-nat interface Ethernet1/0 overload oer
!
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability 192.168.1.2 1 track 1
!
route-map backup-nat permit 10
 match ip address nat
 set ip next-hop 192.168.2.2

____________________

Verification:

First going over the primary ISP:

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    7 changes, last change 00:00:10
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:15    192.168.0.2:15     10.10.10.2:15      10.10.10.2:15

Now going over the backup ISP:

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
    8 changes, last change 00:00:00
  Latest operation return code: Timeout
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.168.2.1:16    192.168.0.2:16     10.10.10.2:16      10.10.10.2:16

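The accepted answer makes failback work by cutting every NAT timeout to 2 seconds, which effectively strips the translation table of any state worth keeping (a long TCP session is re-translated, and may be rebound to the other outside address, the moment it pauses). Below is an added example of how I would build the same failover on this platform instead; it is my configuration, not the poster's or the accepted answer's. It keeps the accepted answer's verify-availability route-maps and lab addressing (192.168.0.0/24 inside, ISP next hops 192.168.1.2 on Ethernet1/0 and 192.168.2.2 on Ethernet2/0), but it also tracks the backup next hop, leaves the NAT timeouts at their defaults, and flushes the translation table from an EEM applet whenever the primary track changes state, so entries bound to the wrong outside address cannot outlive the switch-over. Track 2, the probe timeouts, the `delay` timers and the applet name are my assumptions; the `oer` keyword is kept only because the accepted answer reports needing it. One thing to check in the original post before reusing its names: its route-map primary-nat sets FastEthernet0/0, which the interface description there labels the backup link.

```cisco
! Added example, not from the original thread. Lab addressing follows the
! accepted answer; track 2, the timers and the EEM applet are assumptions.
!
! Probe each ISP next hop directly. The next hop is on a connected subnet, so
! the probe can only leave via that link and cannot be answered over the other.
ip sla 1
 icmp-echo 192.168.1.2
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.2.2
 frequency 5
 timeout 1000
ip sla schedule 2 life forever start-time now
!
! Dampen flaps: go down quickly, but wait before declaring a link back up so a
! half-recovered circuit does not bounce the NAT table twice in a minute.
! (Newer IOS releases spell this "track 1 ip sla 1 reachability".)
track 1 rtr 1 reachability
 delay down 5 up 30
track 2 rtr 2 reachability
 delay down 5 up 30
!
interface Ethernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 description ISP 1 - primary
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface Ethernet2/0
 description ISP 2 - backup
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
!
! Primary default follows track 1; the floating backup follows track 2, so a
! dead backup circuit is never installed either.
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.2 5 track 2
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
! Each route-map is valid only while its own next hop answers the probe.
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability 192.168.1.2 1 track 1
!
route-map backup-nat permit 10
 match ip address nat
 set ip next-hop verify-availability 192.168.2.2 1 track 2
!
ip nat inside source route-map primary-nat interface Ethernet1/0 overload oer
ip nat inside source route-map backup-nat interface Ethernet2/0 overload oer
!
! Default NAT timeouts stay in place. Instead, flush the table on every
! primary state change: this drops all live sessions once per failover, but
! no translation bound to the wrong outside address can survive it.
event manager applet NAT-FLUSH-ON-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state, NAT translations cleared"
```

The trade-off is deliberate: `clear ip nat translation *` is a one-time hit to every active session at the moment of failover or failback, whereas 2-second timeouts are a continuous hit to every flow that is ever idle. To check it, take the primary probe target away (for example, shut the far side of Ethernet1/0), wait for the `delay down` timer, then confirm that `show track`, `show ip route 0.0.0.0` and `show ip nat translations` agree: only entries whose inside global is the address of the link currently in use should remain, and the syslog line from the applet should appear at each transition.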

40 Replies

Edison Ortiz (Hall of Fame)

I'm afraid the router is doing what it is told.

Let's see the logic:

a) A packet comes into Vlan1 and sees the ip nat inside command.

b) The router goes to the ip nat inside statements and sees two entries, one for F0/0 and one for F0/1, each associated to a route-map.

c) Both route-maps are valid, so it round-robins the selection: some addresses will be NAT'd using route-map backup-nat2 and some addresses will use primary-nat. The route-maps are both matching the same source/destination based on the extended ACL 'nat'.

_____

The only way to make this work is to /somehow/ make the backup-nat2 route-map 'invalid' while the primary interface is up but at the moment, I don't have a suggestion.

So, no idea how I could make this scenario work? I know what you're saying, but I don't foresee a solution. Anyone?

I found something but I don't have the gear to lab it up so please test it in your lab before implementing.

Modify your route-maps with

route-map backup-nat2 permit 10
 match ip address nat
 set ip next-hop verify-availability [Backup-ISP IP] track
!
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability [Primary-ISP IP] track

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtpbrtrk.htm#wp1057830

HTH,

Thanks EdisonOrtiz. I will try this tomorrow and let you know how it works out.

Hi Edison,

Actually, I disagree with you a little bit on the logic that this NAT configuration will follow. When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information. As long as the primary link is up, only the first NAT statement is used (since the backup one is using a floating static route, and the two route-maps are matching on the outgoing interfaces). When the primary link fails, the primary route is withdrawn from the routing table, the floating static route is inserted into the routing table, and the second NAT statement will be used according to the route-map (matching the second outgoing interface). The point here is that when the primary interface comes up again, the secondary (floating static) route should be removed and the router should use the first NAT statement once again. Can we discuss this logic, and afterwards we can see why it isn't working as it should?

BR,

Mohammed Mahmoud.

I've noticed that the order/placement of the 'nat statements' does make a difference in the configuration. I'll be trying some changes to the configuration this morning and will re-post my findings.

I've heard trying to configure a router for this type of scenario has been a problem in every help/forum website I've encountered.

Mohammed,

Jeff is using a route-map with a set statement. NAT will never examine the routing table to determine how the packet is going to exit the router. If the route-map is valid, the packet will be translated and its egress interface will be the one within the corresponding route-map.

Your explanation is quite correct when using nat source list or route-map without a set command.

I wonder: if Jeff removes the set command within the route-map, would NAT perform its logic based on the current routing table?

My suggestion will also work, because the route-map will become invalid once a predefined track is entered along with the set ip next hop command.

One thing I forgot to mention, we need to take into account the NAT timeout. If a src/dst was translated while 'ISP Backup' was up, this traffic will remain until the whole conversation is broken due to NAT timeout.

Hi Edison,

You are correct about that; sorry, I missed that it is a set and not a match. But don't you think that it would work out if he used a match interface in the route-map instead of the set? In this way the router will examine the routing table and take its decision based upon the valid route.

Mentioning the NAT timeout: when I read this thread at the start, this is what I thought the problem was. Don't you think that we need to manipulate it in this scenario?

Always nice having discussions with you Edison.

BR,

Mohammed Mahmoud.

Mohammed,

He has a match against an ACL which is working as intended. The router will use the routing table if the set is missing or invalid, for instance if the interface specified in the set is down.

The NAT timeout definitely plays a part of this problem and I should've asked about the output from the NAT translation table.

Another question is: is the router selecting the backup-nat after the primary ISP has been up for a long time? If that's the case, the route-map is being round-robin'd.

Your contribution to this thread is appreciated and I hope your CCIE studies are going well.

Edison,

Thank you very much, my studies are going well, but I am starting to lose the little me inside, to be replaced with commands and router tricks for the exam; you understand how it goes :)

Back to the original poster: what I meant is that he can use two matches in his route-map to match both the ACL and the appropriate outgoing interface:

!

route-map backup-nat2 permit 10
 match ip address nat
 match interface FastEthernet0/1
!
route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0

In this way, according to the available route in the routing table, the appropriate NAT will be used (according to the outgoing interface). As for the NAT timeout issue, we can reduce the timers to enhance it. What do you think about this?

BR,

Mohammed Mahmoud.

That would work if the actual interface goes down. As this connection is Ethernet based, the router only knows the connection is down when it is unable to send packets to the next hop.

For the match interface to make the route-map 'invalid' the interface must be 'hard-down'.

That's the reason Jeff is implementing tracking via reachability, because the interfaces remain up/up even when the ISP is down.

You also have to be careful about a match being referenced by an ip nat within a route-map, as this will be used in the translation.

__________

As for your CCIE studies, don't focus too much on router tricks. That's great to learn those tricks from workbooks but you won't be tested on that. You will be tested on routing/switching fundamentals, not how to ICMP request from a loopback interface :)

Edison,

Yes, I think that we are converging right now :). Why doesn't he use SLA to track both routes, and use the two matches as I've said? Having the match interface inside the route-map would only have effect if the route in the routing table points to that interface, and wouldn't depend on whether the interface is up or down, and accordingly it should work this way.

--------

As for studying, I understand what you are saying, and that's what I am trying to do; I was just kidding about the router tricks stuff, as the Brians do :). I am starting the workbooks this weekend, and we shall see. Wish me luck please, and thank you very much.

BR,

Mohammed Mahmoud.

He is using SLA for the static route. Using the match interface in the route-map will force the router to use the ip address of that interface as the src nat ip.

Keep in mind, this route-map is using NAT on the match statement and PBR for the set statement.

___________

I truly believe you will do well, but don't be disappointed if you fail on the first try. It's a learning experience that only those who've taken the Lab can understand.

When is your Lab?

Please correct me if i am wrong:

!

route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0

!

Will match the ACL named nat for the source NAT IP, and match FastEthernet0/0 as the outgoing interface, which should be controlled according to the routing table. Thus, if the main route is valid, the appropriate route-map is matched and accordingly the appropriate NAT statement is used, and the same if the other route is valid; controlling the routes via SLA will solve the FastEthernet interface issue.

----------

I never get disappointed by God's will, but I have the feeling that I can do it :) It's by the end of November.

BR,

Mohammed Mahmoud.
