2 ISPs, NAT and PBR

Unanswered Question
Jul 4th, 2008

Hello All,


I seem to have hit a wall with something that should be pretty straightforward. We have 1 router and 2 ISPs connected to it.


I have configured PBR on the internal interface to forward some traffic to the 2nd ISP, and according to the route-maps, the traffic gets policy-routed.

But I'm unable to go anywhere beyond the gateways. If I put a default gateway in place, traffic goes OK for the ISP where the default gateway is set (and the 2nd ISP doesn't go anywhere).


Am I missing something?


Thx, Serge.



a.alekseev Fri, 07/04/2008 - 01:01

try to use "set ip next-hop" instead of "set ip default next-hop"

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP2)

sergeivanoff Fri, 07/04/2008 - 01:02

Thanks for the quick reply. I tried set ip next-hop as well, but it didn't make any difference. There's a typo in the config as well, sorry about that. The correct part is:

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP1)


a.alekseev Fri, 07/04/2008 - 01:15

ip access-list extended ACL-NAT-isp2
 permit ip host 10.100.12.161 any
ip access-list extended ACL-NAT-ips1
 deny ip host 10.100.12.161 any
 permit ip any any

sergeivanoff Fri, 07/04/2008 - 01:21

Looks like my cut'n'paste skills aren't the best today. I missed the internal LAN in NAT in the original configuration. I'm not sure if permit ip any any would work with NAT, so here's the correct ACL. The reason for denying private IPs at the beginning: we do have a VPN going over isp2, so we don't need to NAT that traffic.

ip access-list extended ACL-NAT-ips1
 remark Do not NAT towards Private IP
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Deny single hosts
 deny ip host 10.100.12.161 any
 permit ip 10.100.0.0 0.0.255.255 any


Thx, Serge.

sergeivanoff Fri, 07/04/2008 - 02:43

So if I understand it correctly, PBR happens before NAT. Then how is this supposed to look?


Do I need to utilize default gateway somewhere? Without NAT PBR works like a charm but with NAT, it's not.


Thx, Serge.

a.alekseev Fri, 07/04/2008 - 04:31

I think it should be

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload

but in your config you have

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/1 overload

sergeivanoff Fri, 07/04/2008 - 04:32

Yes, sorry about that. Noticed that as well in the config, but didn't update the posted one.

Still, it doesn't work. I removed all the extra NATs, etc. I just want to PBR 1 host, and it's not going anywhere beyond the default gateway.

a.alekseev Fri, 07/04/2008 - 04:39

:))

show the actual configuration.

a.alekseev Fri, 07/04/2008 - 05:55

I do not see any route for 10.100.12.161

sh ip route 10.100.12.161

sergeivanoff Fri, 07/04/2008 - 05:57

#sh ip route 10.100.12.161
Routing entry for 10.100.0.0/16
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.100.11.254
      Route metric is 0, traffic share count is 1

a.alekseev Fri, 07/04/2008 - 06:04

oops, sorry for this

could you try to initiate traffic from the 10.100.12.161 and show the output of "sh ip nat tr | i 10.100.12.161"


sergeivanoff Fri, 07/04/2008 - 07:00

#sh ip nat trans
Pro  Inside global      Inside local        Outside local       Outside global
icmp x.x.x.x:512        10.100.12.161:512   213.73.255.52:512   213.73.255.52:512
tcp  x.x.x.x:80         10.100.12.161:80    ---                 ---

As far as I can see, the NAT is correctly set on the interface I want it to go out of and is not appearing on the default interface.

a.alekseev Fri, 07/04/2008 - 07:18

try to disable RPF

interface FastEthernet0/1
 no ip verify unicast reverse-path

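The fix above works because strict unicast RPF on the ISP2 interface checks the source address of every inbound packet against the routing table and requires the best route back to that source to point out the same interface the packet arrived on. With a single default route towards ISP1, replies to the policy-routed host come back in on FastEthernet0/1 while the router's route to their source points out FastEthernet0/0, so strict uRPF drops them even though NAT and PBR are correct. The following Python model is an added example, not part of the thread or of any Cisco code: it implements the strict ("reachable-via rx") and loose ("reachable-via any") uRPF decisions over a constructed routing table shaped like the poster's (the ISP link prefixes, the inside interface name and the `allow_default` flag modelling the `allow-default` keyword are assumptions), and shows that loose mode passes the asymmetric return traffic while still rejecting sources with no route at all.

```python
import ipaddress

# Constructed routing table modelled on the thread's topology: a default route
# towards ISP1 on FastEthernet0/0, ISP2's link subnet on FastEthernet0/1 and the
# inside LAN 10.100.0.0/16. The ISP link prefixes are RFC 5737 documentation
# addresses standing in for the poster's real ones; the inside interface name
# is assumed.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "FastEthernet0/0",        # default -> ISP1
    ipaddress.ip_network("198.51.100.0/30"): "FastEthernet0/0",  # ISP1 link (assumed)
    ipaddress.ip_network("203.0.113.0/30"): "FastEthernet0/1",   # ISP2 link (assumed)
    ipaddress.ip_network("10.100.0.0/16"): "FastEthernet1/0",    # inside LAN (name assumed)
}

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def reverse_lookup(src, allow_default=False):
    """Longest-prefix match for a source address: the interface the router
    would use to reach src, or None if there is no usable route. The default
    route only counts when allow_default is True (modelling the 'allow-default'
    keyword of 'ip verify unicast source reachable-via')."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in ROUTES.items():
        if net == DEFAULT and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src, ingress, mode, allow_default=False):
    """True if a packet with source src arriving on ingress passes uRPF.
    mode 'rx'  = strict ('ip verify unicast reverse-path' / 'reachable-via rx')
    mode 'any' = loose  ('ip verify unicast source reachable-via any')"""
    iface = reverse_lookup(src, allow_default)
    if iface is None:
        return False             # no route back to the source: drop in both modes
    if mode == "rx":
        return iface == ingress  # strict: route must point out the ingress interface
    if mode == "any":
        return True              # loose: any route back to the source suffices
    raise ValueError(f"unknown uRPF mode {mode!r}")


def return_traffic_verdicts(src="213.73.255.52", ingress="FastEthernet0/1"):
    """The thread's case: the reply from the host the PBR'd client pinged comes
    back in on the ISP2 interface although the best route to it is the default
    via ISP1. Returns the strict and loose verdicts (default route allowed)."""
    return {
        "strict": urpf_check(src, ingress, "rx", allow_default=True),
        "loose": urpf_check(src, ingress, "any", allow_default=True),
    }


if __name__ == "__main__":
    # (source, ingress interface, allow_default, description) - constructed cases
    cases = [
        ("213.73.255.52", "FastEthernet0/1", True, "reply to PBR'd ping, via ISP2"),
        ("203.0.113.1", "FastEthernet0/1", True, "ISP2 gateway itself"),
        ("10.100.12.161", "FastEthernet0/1", True, "inside address arriving from outside"),
        ("192.0.2.9", "FastEthernet0/1", False, "only the default route, allow-default off"),
    ]
    for src, ingress, allow_default, label in cases:
        strict = urpf_check(src, ingress, "rx", allow_default)
        loose = urpf_check(src, ingress, "any", allow_default)
        print(f"{label:45} strict={strict!s:5} loose={loose!s:5}")
```

The model makes the trade-off visible: strict mode also rejects a packet carrying an inside 10.100.x.x source that arrives from the ISP, which is the anti-spoofing protection the thread gives up by removing the check entirely, whereas loose mode keeps dropping sources with no route at all while tolerating the asymmetric two-ISP return path.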

sergeivanoff Fri, 07/04/2008 - 07:27

That did it! Thanks a lot, shame on me, for not looking deep enough.
