Multiple Connections with NAT

Unanswered Question
Jul 8th, 2009

I have an issue after attempting to use the same configuration as what is used in the following example.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

The load balancing seems to work fine.

However I am attempting to forward ports back into various locations. These do not work so well.

I have something like the following.

ip nat inside source static tcp 192.168.1.2 25 1.2.3.4 25 extendable

ip nat inside source static tcp 192.168.1.2 25 1.2.3.6 25 extendable

When I telnet to port 25 from outside the network, only one of these will work at any one time, not both.

There are also more port forwards to other computers and these appear to randomly work / don't work. I believe the issue is because the packets are being sent back out the wrong interfaces. Does anyone have any suggestions to get around this?

Mistralol Wed, 07/08/2009 - 03:55

This can be ignored. I have solved it by using source based policy routing.

gnich Thu, 07/16/2009 - 03:19

Hi Mistralol,

I've got the same problem, how did you fix it?

Graham

Mistralol Thu, 07/16/2009 - 03:26

The fix I have is not fully working. It still has issues.

Pretty much the Cisco seems to have the same issues as most other routers when trying to do this. It leaks packets out the wrong WAN interfaces, e.g. a packet comes in Dialer1 but goes out Dialer2.

So you create 2 route-maps, e.g.

route-map Redirect permit 10
 match ip address 152
 set interface Dialer1
!
route-map Redirect permit 11
 match ip address 153
 set interface Vlan2

on the inside interface, matching the source IPs after the NAT and redirecting them out the correct interface.

e.g.

access-list 153 permit ip host 192.168.4.2 any

where 192.168.4.2 is the ISP IP address

This however only partially works as things still seem to get stuck in a cache, so it still leaks packets, just not too many.
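The policy-routing approach from the post above, written out as one complete IOS configuration fragment so the pieces can be seen together (this is an added illustration, not the poster's actual configuration). It keeps the post's route-map name, sequence numbers, ACL numbers, WAN interfaces and the 192.168.4.2 address; the inside interface name Vlan1 and the 192.168.5.2 address on the Dialer1 side are assumed placeholders, since the thread does not give them.

```cisco
! Added example of the poster's route-map approach; not the poster's own config.
! Assumed placeholder: 192.168.5.2 is the address on the Dialer1 side (not in the thread).
! From the post: 192.168.4.2 is the ISP address on the Vlan2 side; ACLs 152 and 153.
!
access-list 152 permit ip host 192.168.5.2 any
access-list 153 permit ip host 192.168.4.2 any
!
! Traffic matching ACL 152 is forced out Dialer1, ACL 153 out Vlan2.
! Packets matching neither entry fall through to normal destination-based routing.
route-map Redirect permit 10
 match ip address 152
 set interface Dialer1
!
route-map Redirect permit 11
 match ip address 153
 set interface Vlan2
!
! Assumed inside LAN interface name; the policy is applied where the packets enter.
interface Vlan1
 description Inside LAN (assumed name)
 ip policy route-map Redirect
```

Two things worth checking when trying this: `show route-map Redirect` reports per-entry match counters, so it shows directly whether packets are hitting the entries (IOS applies policy routing on the ingress interface before inside-to-outside NAT, so the ACLs see the source address as it arrives on Vlan1), and `show ip nat translations` shows which outside global address a given inside session was mapped to. On a multi-access interface such as Vlan2, `set ip next-hop <ISP gateway>` is generally preferable to `set interface`, since `set interface` on a broadcast medium relies on the router resolving the final destination directly.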

bflseanny Sat, 07/18/2009 - 04:08

What if instead of using two different ip nat inside statements with two different external IPs, you create a single external address in your NAT statement.

I assume from your post that you have two interfaces with IPs of 1.2.3.4 and 1.2.3.6. Could you create a NAT statement like this:

ip nat inside source static tcp 192.168.1.2 25 1.2.3.100 25

I think that what this would do is to forward any traffic for SMTP to the 192.168.1.25 address. Upon replying, this inside host traffic would be translated back to 1.2.3.100.

So, no matter which outside interface the reply goes out of, it would send the traffic with a destination address of 1.2.3.100.

You don't have to use IPs associated with a physical interface in NAT. You just have to own the IP that you are using in the NAT translation. And, routers would need to know how to get to the IP (1.2.3.100 in this case).

I think that what is happening in your case is that if you telnet to 1.2.3.4:25 it is hitting that interface but the reply can be translated with an address 1.2.3.6 and this just won't work because the host is expecting a response from 1.2.3.4.

Let me know your thoughts.

Mistralol Mon, 07/20/2009 - 00:32

Unfortunately that won't work as the 2 external addresses are with different ISPs which have rogue packet filters and both ISPs only provide a single IP address each.

The ip nat inside statements are using the hard-coded IPs, otherwise you cannot create them on both external interfaces as IOS will say that it is already in use.

Or an easier way to trigger the problem:

From a remote host, telnet to external IP1; the connection will work. Then telnet to external IP2; the connection will not work.

Disconnect / clear the router cache.

Telnet to external IP2 and the connection will work. But the connection to external IP1 will now not work.

This is 100% reproducible ;)

k.hariharan1 Mon, 07/20/2009 - 02:30

Hi,

Your router configuration seems to be correct.

My only concern about your config is that you have enabled per-port CEF load sharing. Can you disable that one and try again?

no ip cef load-sharing algorithm include-ports

regards,

Hariharan k

Mistralol Mon, 07/20/2009 - 02:31

It's more stable with it on than off. Which would seem correct since the routing cache is both per port and host instead of just by host.
