Static NAT fails with two public interfaces with different ISPs

Unanswered Question

Our client connects to our data center via RDP with a public address. They have two different ISPs and traffic is routed over each depending on its destination. Their RDP connections go out WAN1. When they are in their RDP sessions they cannot reach the static NAT for 172.18.127.10 which is on WAN1. Anyone can reach the static NAT when outside of the RDP connection. Am I missing a route or something?



gojericho0 Tue, 07/22/2008 - 04:21

I do not see any static source mappings for RDP port 3389 connections. You may need one to assign a WAN1 address.


Otherwise the source address you are trying to map looks like it may go out another interface based on your route-maps


Could you post a "sh ip nat translation" with the source IP you are trying this with?

a.alekseev Tue, 07/22/2008 - 06:42



ip access-list extended Internet

deny ip 172.18.127.0 0.0.0.255 63.123.252.0 0.0.0.255

deny ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255

permit ip 172.18.127.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

gojericho0 Tue, 07/22/2008 - 09:56

Your NAT with the RDP server matches your first NAT statement and it is overloading to a WAN2 address. It also matches the more specific static translation, but will never see it since NAT goes top to bottom and matches the first route map.


To fix you can deny the specific RDP server IP on the first route map, then permit the whole network in order to reach the below static nat statement on port 80
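
An added illustration of the ordering this reply recommends, not configuration from the thread: the static port mapping is placed ahead of the route-map overload rule, and the NAT access list excludes the web server's port-80 traffic so the overload rule can never claim it. Interface names (FastEthernet4 for WAN1, Vlan3 for the overload address), the route-map name "Internet" and the access-list contents are assumptions taken from the posts; the "before" block is a minimal reconstruction of the shape described above, not the poster's full config.

```cisco
! ---- Before (assumed shape): overload rule listed first, no host exclusion ----
ip access-list extended Internet
 deny   ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.127.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map Internet permit 10
 match ip address Internet
!
ip nat inside source route-map Internet interface Vlan3 overload
ip nat inside source static tcp 172.18.127.10 80 interface FastEthernet4 80 extendable

! ---- After: static mapping first, web server port 80 excluded from the overload ACL ----
ip access-list extended Internet
 remark web server replies from tcp/80 must not be overloaded to WAN2
 deny   tcp host 172.18.127.10 eq 80 any
 deny   ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.127.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map Internet permit 10
 match ip address Internet
!
! Static, port-specific mapping to the WAN1 interface address
ip nat inside source static tcp 172.18.127.10 80 interface FastEthernet4 80 extendable
! Everything else from the inside networks is overloaded behind Vlan3
ip nat inside source route-map Internet interface Vlan3 overload

! ---- Checks ----
! Confirm the web server's port-80 translation is built against the WAN1 address
show ip nat translations | include 172.18.127.10
! Confirm which rule counters are incrementing while a client is connected
show ip nat statistics
```

The "deny tcp ... eq 80" line only removes the server's HTTP replies from the overload rule; the server's other outbound traffic still uses the overloaded WAN2 address. One more check worth making before chasing the NAT rules further: if the host running the RDP session and the web server are both on the 172.18.127.0/24 inside network, a connection to the web server's outside (WAN1) address is a NAT hairpin, which classic domain-based IOS NAT (ip nat inside / ip nat outside) does not translate; from inside the RDP session the web server should then be reached by its inside address, for example through split DNS.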

gojericho0 Tue, 07/22/2008 - 10:30

It also looks like your 80 static nat entry is referring to source port and not destination port.


You may want to create a separate route-map for the RDP server in order to create an extended access list for any destination to port 80.

I changed the ACL for the first route map to what is below but it still fails.

ip access-list extended Internet

deny ip 172.18.127.0 0.0.0.255 host 63.123.252.123

deny ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255

permit ip 172.18.127.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any


The static NAT to the web server is working from everywhere but within the RDP connection.

gojericho0 Tue, 07/22/2008 - 15:36

You should now see your NAT translation performing correctly


For the next part look at the static routes. The default routes are weighted so that anything non-specific will try to go through WAN2 connection first.


You could include in your rdp_server route map a next hop address pointing to WAN1 in order to force the connections.

Here is a trace from the router to the RDP server. The router is putting the traffic out the correct interface.

gem-nj_gem#trace

Protocol [ip]:

Target IP address: 63.123.252.123

Source address: 172.18.127.1

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 63.123.252.123


1 ool-60381e29.static.optonline.net (WAN1.WAN1.WAN1.41) 0 msec 4 msec 0 msec

a.alekseev Thu, 07/24/2008 - 09:54

no ip nat inside source static tcp 172.18.127.10 80 WAN1.WAN1.WAN1.42 80 extendable

no ip nat inside source static tcp 172.18.127.41 2500 WAN1.WAN1.WAN1.42 2500 extendable

no ip nat inside source static tcp 172.18.127.42 3001 WAN1.WAN1.WAN1.42 3001 extendable

no ip nat inside source static tcp 172.18.127.48 2500 WAN1.WAN1.WAN1.42 5001 extendable

no ip nat inside source static tcp 172.18.127.49 2500 WAN1.WAN1.WAN1.42 8192 extendable

ip nat inside source static tcp 172.18.127.10 80 interface FastEthernet4 80 extendable

ip nat inside source static tcp 172.18.127.41 2500 interface FastEthernet4 2500 extendable

ip nat inside source static tcp 172.18.127.42 3001 interface FastEthernet4 3001 extendable

ip nat inside source static tcp 172.18.127.48 2500 interface FastEthernet4 5001 extendable

ip nat inside source static tcp 172.18.127.49 2500 interface FastEthernet4 8192 extendable

All of those NAT statements I have in the router work fine from outside of the RDP session. What is the benefit to pointing them to the interface name rather than the interface's IP? Yesterday I tried your suggestion with the 172.18.127.10 NAT and the result was the same - I can reach it from outside the RDP session but not inside.

gojericho0 Fri, 07/25/2008 - 06:19

I still think you will need the


ip nat inside source static tcp 172.18.127.10 80 WAN1.WAN1.WAN1.42 (or interface) 80 extendable


before the statement


ip nat inside source route-map Internet interface VLAN3 overload


If you do not I think Internet route-map will grab your traffic because of the permit 172.18.127.0 0.0.0.255 any and overload it to VLAN2 (WAN2) instead of FastEth4 (WAN1)

gojericho0 Fri, 07/25/2008 - 06:08

I'm sorry, i thought you were trying to get all internet traffic from RDP to go out WAN1 and not just to destination 63.123.252.123.


I printed out your new config and will get back to you shortly
