I need a suggestion about GLBP+NAT

marianodt · ‎01-21-2008

Hi, I need a suggestion to solve an issue I'm having with a GLBP topology.

I have two routers connected to different internet links (different IP ranges, different ISPs). These routers run GLBP in the private LAN to provide redundancy and load balance. I also have a web server in the private LAN wich is accessed from the internet trough a static NAT in both routers. So it has two public addresses it can be reach from the internet.

The â€œproblemâ€ is that can't reach the web server using the public address from the first router (ISP 1) if the server is using the virtual mac address of the second router (ISP 2) as the default gateway.

Does anyone have any ideas to solve this?

Many thanks!!!

Mariano

Edison Ortiz · ‎01-21-2008

I'm afraid it can't be done as ISP1 can't advertise the network from ISP2.

I'm surprised that's the only problem you have. The ideal solution is having a block of public IP addresses and have both ISPs advertise this block via BGP.

__

Edison.

Joseph W. Doherty · ‎01-21-2008

You might want to look at:

http://www.cisco.com/warp/public/105/nat_routemap.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801fce09.html

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

ariesc_33 · ‎01-21-2008

Hi,

from the router connected to ISP1, can you ping the web server? can you also see the web server on the ARP table of router1?

experts, correct me if im wrong, when you access the web server using the ISP1 IP address, the web server will reply using the router2 (ISP2) in the current GLBP setup. if router 2 can reach the source, there should be no problem right? unless RPF is enabled?

BR,

Aries

Joseph W. Doherty · ‎01-22-2008

What I suspect is the problem is when an outside request comes in on RtrA the request it correctly forwarded to the "public" web server but if it returns via RtrB (either by a default path or in this case GLBP) the NAT translation is different between RtrA and RtrB making for a different public source address coming from the web server; different from the destination address the outside host originally used. If the traffic transits the same router both in and out, NAT translations remain the same and it works.

If the public address block was the same between ISP providers, there wouldn't be a problem. Since they're not, one has to insure the same path is used for both directions or NAT is aware of different public addresses and handles that. The prior references I provided details some features in the later IOSs that can handle multihomed with different public address blocks.

marianodt · ‎01-22-2008

Thank you all for your reply.!!!

Ediortiz, I'm sorry but I can't use BGP nor I have my own address poolâ€¦

Ariesc_33, Yes I can ping the server. Everything works fine, it even works if I use the public address from the same router the server is using as the gateway.

Josephdoherty, Thank you for the information; stateful NAT looks very promising.

I also had this same problem with the VPN clients. (the routers are also VPN servers) The vpn clients, once connected to the servers, did not reach the internal hosts if these hosts were using the other router as the gateway. I fixed this using a reverse route injection and an IGP to inform both routers of the source addresses. Unfortunately, it is a very different story with the connections from the Internetâ€¦ I'll keep trying and I will tell you if I get it to work.

Thanks again!!!

Mariano

RaulMorales · ‎03-17-2008

Mariano I got the same problem, And I make It work today using SNAT commands, if you still interested let me know so i can post the router configuration examples..

stephan.binder · ‎07-02-2012

Hi Raul,

I do know, this is a very old thread... but is it possible to get your config examples???

Tank you!

alex · ‎10-23-2014

Hi Raul,

I have exactly the same setup and the same issue, I would really appreciate it if you can help me out by providing some details or a working config file.

Thanks

houtan haddadlarijani · ‎10-24-2014

Hi Alex

Check attachment,

HTH

Houtan

alex · ‎10-25-2014

Thanks Houtan,

Its working fine now. Your config helped me find the missing pieces and its all good now.

Thank You

houtan haddadlarijani · ‎10-25-2014

I'm glad it helps you. Therefore, rate it and mark it as correct. It helps others to identify the right solution.

Houtan