NAT, Routed Subnet and OSPF

johnelliot6
Level 2

Hi,

We have a 1841 with 2 WAN interfaces (Ethernet + SHDSL). Both are connected with /30s and running OSPF (the Ethernet interface has a lower cost than the SHDSL) and NAT. Failover works if the Ethernet is disconnected, but we have an additional /28 routed to the 1841. Currently the /28 is statically routed to the Ethernet interface, and also statically routed to the SHDSL interface (but with a higher cost). The /28 is used for PATs to internal servers. When the Ethernet (WAN) interface is disconnected, the static route to the SHDSL interface does not take over. Therefore, to dynamically re-route the /28 I think I would need to assign it to a loopback interface and have "redistribute connected subnets" enabled in OSPF. How would I then use the /28 in PATs?

5 Replies

Giuseppe Larosa
Hall of Fame

Hello John,

Actually, having a loopback represent a NAT pool in a routing protocol for advertisement is a common practice.

You should be able to use your PAT statements.

I would suggest using a network ... area command instead of redistribute connected in OSPF.

Add ip ospf network point-to-point under the loopback interface to have OSPF advertise the correct mask.

Use an IP address in the /28 that you are not using for the PATs for the loopback; this should be enough to have your PATs working.

Hope to help

Giuseppe
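The setup described in this reply, written out as an added IOS configuration example (this is not the poster's configuration or anything from Cisco's documentation). The /28, the loopback address and the OSPF process/area numbers are taken from the thread; the inside LAN interface FastEthernet0/1, its 10.0.0.0/24 subnet and the internal web server 10.0.0.10 are constructed assumptions.

```cisco
! Loopback anchors the routed /28 so OSPF carries it whichever WAN link is up.
! "ip ospf network point-to-point" makes OSPF advertise the /28 mask instead
! of a /32 host route.
interface Loopback1
 description LOOP_NAT
 ip address 192.168.77.81 255.255.255.240
 ip ospf network point-to-point
!
! Inside (LAN) side of the NAT boundary - constructed assumption.
interface FastEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Both WAN links are NAT outside, so static translations remain valid
! after failover without any per-interface binding.
interface FastEthernet0/0
 ip nat outside
!
interface ATM0/3/0.96 point-to-point
 ip nat outside
!
! Static PAT for the internal web server (10.0.0.10 is constructed).
! 192.168.77.82 is used as the outside address; .81 is reserved for the
! loopback itself. Only the listed ports are exposed; other ports on
! 192.168.77.82 are not translated.
ip nat inside source static tcp 10.0.0.10 80 192.168.77.82 80 extendable
ip nat inside source static tcp 10.0.0.10 443 192.168.77.82 443 extendable
!
! Advertise the /28 with a network statement rather than redistribute
! connected. The loopback can stay passive: passive-interface only stops
! hellos, the prefix is still advertised in the router LSA.
router ospf 25
 router-id 192.168.75.130
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface ATM0/3/0.96
 network 192.168.75.68 0.0.0.3 area 25
 network 192.168.75.128 0.0.0.3 area 25
 network 192.168.77.80 0.0.0.15 area 25
```

To check the result, show ip ospf interface Loopback1 should report the network type as POINT_TO_POINT, and the OSPF neighbour on either WAN link should show 192.168.77.80/28 in its routing table via whichever /30 is currently up.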

Thanks Giuseppe.

I have implemented what you suggested, but loop1's subnet is not being advertised by OSPF. I have the following:

interface Loopback1
 description LOOP_NAT
 ip address 192.168.77.81 255.255.255.240
 ip ospf network point-to-point
interface FastEthernet0/0
 description WAN link$ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.75.130 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
interface ATM0/3/0.96 point-to-point
 description _FAILOVER
 ip address 192.168.75.70 255.255.255.252
 ip nat outside
router ospf 25
 router-id 192.168.75.130
 log-adjacency-changes
 redistribute connected
 redistribute static
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface ATM0/3/0.96
 no passive-interface Loopback1
 network 192.168.75.68 0.0.0.3 area 25
 network 192.168.75.128 0.0.0.3 area 25
 network 192.168.77.80 0.0.0.15 area 25

Any help is greatly appreciated.

That looks right.

Perhaps you are filtering somewhere? Or try clear ip ospf process (this will reset your OSPF adjacencies).

Hi,

No - no filtering.

I reset the OSPF process. Still no good.

Also tried removing the OSPF config and re-adding it. Still no good.

This is what I currently have:

router ospf 25
 router-id 192.168.75.130
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface ATM0/3/0.96
 no passive-interface Loopback1
 network 192.168.75.68 0.0.0.3 area 25
 network 192.168.75.128 0.0.0.3 area 25
 network 192.168.77.80 0.0.0.15 area 25

#sh ip protocols
Routing Protocol is "ospf 25"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.75.130
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.75.68 0.0.0.3 area 25
    192.168.75.128 0.0.0.3 area 25
    192.168.77.80 0.0.0.15 area 25

#sh ip ospf database self-originate
            OSPF Router with ID (192.168.75.130) (Process ID 25)

                Router Link States (Area 25)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.75.130  192.168.75.130  323         0x80000003 0x00B1DE 4

Hello John,

I don't see anything wrong here.

First of all, from sh ip protocols you see the router declares:

  Routing for Networks:
    192.168.77.80 0.0.0.15 area 25

Then, when you look at the OSPF database, be aware that the router LSA is a single data structure labelled with the OSPF router-id, but inside it has information for multiple links. See:

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.75.130  192.168.75.130  323         0x80000003 0x00B1DE 4

The link count is 4 (point-to-point links count for two):

- two for the ATM
- one for the LAN
- one for the loopback

You need to check if the prefix 192.168.77.80/28 is seen on other routers, or also look at the details of this router LSA.

Everything looks fine, and removing the redistribute connected may have helped.

Hope to help

Giuseppe
