I need a suggestion about GLBP+NAT

Jan 21st, 2008

Hi, I need a suggestion to solve an issue I'm having with a GLBP topology.

I have two routers connected to different internet links (different IP ranges, different ISPs). These routers run GLBP in the private LAN to provide redundancy and load balancing. I also have a web server in the private LAN which is accessed from the internet through a static NAT in both routers. So it has two public addresses it can be reached from on the internet.

The "problem" is that I can't reach the web server using the public address from the first router (ISP 1) if the server is using the virtual MAC address of the second router (ISP 2) as its default gateway.

Does anyone have any ideas to solve this?

Many thanks!!!


Edison Ortiz Mon, 01/21/2008 - 15:15

I'm afraid it can't be done as ISP1 can't advertise the network from ISP2.

I'm surprised that's the only problem you have. The ideal solution is having a block of public IP addresses and have both ISPs advertise this block via BGP.



ariesc_33 Mon, 01/21/2008 - 23:44


From the router connected to ISP1, can you ping the web server? Can you also see the web server in the ARP table of router1?

Experts, correct me if I'm wrong: when you access the web server using the ISP1 IP address, the web server will reply via router2 (ISP2) in the current GLBP setup. If router2 can reach the source, there should be no problem, right? Unless RPF is enabled?



Joseph W. Doherty Tue, 01/22/2008 - 04:31

What I suspect the problem is: when an outside request comes in on RtrA, the request is correctly forwarded to the "public" web server, but if it returns via RtrB (either by a default path or, in this case, GLBP), the NAT translation is different between RtrA and RtrB, making for a different public source address coming from the web server; different from the destination address the outside host originally used. If the traffic transits the same router both in and out, the NAT translations remain the same and it works.

If the public address block were the same between ISP providers, there wouldn't be a problem. Since they're not, one has to ensure the same path is used for both directions, or NAT is aware of the different public addresses and handles that. The prior references I provided detail some features in the later IOS releases that can handle multihoming with different public address blocks.
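To make the asymmetry described above concrete, here is an added model (not code from the thread or from any Cisco product) of two edge routers, each with its own static NAT into a different ISP block. A request enters via RtrA; the server's reply leaves via whichever router's GLBP virtual MAC the server holds as its gateway. The model checks what source address the client sees on the reply, and then shows the two fixes named above: forcing the same path both ways, and letting the egress router know about the ingress router's translation (what a state-sharing NAT would provide). All addresses are constructed from RFC 5737 documentation ranges; the router, table and function names are assumptions for the illustration.

```python
"""Added model of the GLBP + static-NAT asymmetry (not from the thread).

Addresses are constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field

SERVER = "10.1.1.10"           # web server on the private LAN (constructed)
CLIENT = "198.51.100.7"        # Internet client (constructed)
ISP1_PUBLIC = "203.0.113.10"   # static NAT address on RtrA, from ISP1's block (constructed)
ISP2_PUBLIC = "192.0.2.10"     # static NAT address on RtrB, from ISP2's block (constructed)


@dataclass
class Router:
    """One edge router with its own static NAT and per-session translation table."""
    name: str
    static_nat: dict                                # inside local -> inside global
    sessions: dict = field(default_factory=dict)    # (inside local, outside host) -> inside global

    def inbound(self, dst_public, outside_host):
        """Internet -> LAN: map our public address to the server and record the session."""
        for local, public in self.static_nat.items():
            if public == dst_public:
                self.sessions[(local, outside_host)] = public
                return local
        return None   # not one of our public addresses: dropped

    def outbound(self, src_local, outside_host):
        """LAN -> Internet: use a known session entry, otherwise our own static mapping."""
        return self.sessions.get((src_local, outside_host),
                                 self.static_nat.get(src_local))


def make_routers():
    """Fresh RtrA (ISP1) and RtrB (ISP2), each translating the same server differently."""
    return Router("RtrA", {SERVER: ISP1_PUBLIC}), Router("RtrB", {SERVER: ISP2_PUBLIC})


def reply_source(ingress, egress, share_state=False):
    """Send a request in via `ingress`; return (reply source the client sees, address it used).

    `egress` is the router whose GLBP virtual MAC the server has as its gateway.
    `share_state=True` models the ingress router's session table being replicated
    to the egress router, as a stateful NAT feature would do.
    """
    dst_public = ingress.static_nat[SERVER]
    local = ingress.inbound(dst_public, CLIENT)
    assert local == SERVER
    if share_state:
        egress.sessions.update(ingress.sessions)
    return egress.outbound(SERVER, CLIENT), dst_public


def client_accepts(reply_src, dst_public):
    """The client's TCP stack only matches a reply whose source is the address it connected to."""
    return reply_src == dst_public


if __name__ == "__main__":
    a, b = make_routers()
    print("same router in and out:", client_accepts(*reply_source(a, a)))
    a, b = make_routers()
    print("in RtrA, out RtrB:", client_accepts(*reply_source(a, b)))
    a, b = make_routers()
    print("in RtrA, out RtrB, shared NAT state:", client_accepts(*reply_source(a, b, True)))
```

The middle case is the thread's symptom: the reply leaves RtrB with ISP2's address as its source, the client never connected to that address, and the connection stalls. Note the caveat the shared-state case hides: RtrB then forwards a packet sourced from ISP1's block into ISP2, which ISP2's ingress filtering or uRPF may discard, so the "same path both ways" fix is the one that does not depend on the second ISP's policy.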

marianodt Tue, 01/22/2008 - 12:57

Thank you all for your replies!

Ediortiz, I'm sorry, but I can't use BGP, nor do I have my own address pool…

Ariesc_33, Yes I can ping the server. Everything works fine, it even works if I use the public address from the same router the server is using as the gateway.

Josephdoherty, Thank you for the information; stateful NAT looks very promising.

I also had this same problem with the VPN clients. (the routers are also VPN servers) The vpn clients, once connected to the servers, did not reach the internal hosts if these hosts were using the other router as the gateway. I fixed this using a reverse route injection and an IGP to inform both routers of the source addresses. Unfortunately, it is a very different story with the connections from the Internet… I'll keep trying and I will tell you if I get it to work.

Thanks again!!!


RaulMorales Mon, 03/17/2008 - 13:26

Mariano, I got the same problem, and I made it work today using SNAT commands. If you are still interested, let me know so I can post the router configuration examples.

stephan.binder Mon, 07/02/2012 - 05:58

Hi Raul,

I do know this is a very old thread... but is it possible to get your config examples?

Thank you!

houtan haddadla... Sat, 10/25/2014 - 13:56

I'm glad it helps you. Therefore, rate it and mark it as correct. It helps others to identify the right solution.



