How to NAT on the 2 WAN interfaces?

Unanswered Question
Jan 29th, 2010

hello,

I have a 2811 router with 2 FastEthernet interfaces connected to two ISPs.

FA0/1 is connected to ISP-1

FA0/2 is connected to ISP-2.

I created two access lists, ACL1 (for ISP1) and ACL2 (for ISP2), to NAT different ranges over the two network connections.

Now I plan a PBR configuration to automatically switch the ACL1 network out via ISP2 when ISP-1 is down, and vice versa.

My problem is how to configure the "ip nat inside source list ..." so that when PBR selects next-hop ISP-2, ACL1 can also be NATed on interface FA0/2 of ISP-2.

How do I configure NAT so that, when the automatic failover takes place, the different networks are accepted in the "ip nat inside ..."?

Or is there another way to do it?

This is a sample of the initial config:

interface fastethernet 0/1
description ISP-1
ip address X.X.X.X 255.255.255.252
ip nat outside

interface fastethernet 0/2
description ISP-2
ip address X.X.X.X 255.255.255.252
ip nat outside

ip access-list standard ACL1
    permit 192.168.1.0 0.0.0.255

ip access-list standard ACL2
    permit 192.168.2.0 0.0.0.255

ip nat inside source list ACL1 interface fastethernet 0/1 overload

ip nat inside source list ACL2 interface fastethernet 0/2 overload

Thanks in advance.

Ganesh Hariharan Fri, 01/29/2010 - 02:16

Hi,

Jose, for your requirement with NATing and PBR to work in a single router, create a route map permitting those specific sources and mark their destination as the next-hop interface in the route map. Check out the below sample config; hope that clears your query!!

ip policy route-map Nat-loop

ip nat inside source list 10 interface fastethernet 0/1 overload

ip nat inside source list 10 interface fastethernet 0/2 overload


access-list 102 permit ip any 192.168.2.0 0.0.0.255

route-map Nat-loop permit 10
  match ip address 102
  set ip next-hop first link ip

route-map Nat-loop permit 20
  match ip address 102
  set ip next-hop second link ip

Hope to help

Ganesh.H

josedunet Fri, 01/29/2010 - 04:18

thanks Ganesh.H,

If I understand correctly, you offered me the following config:

interface fastethernet 0/1
description ISP-1
ip address X.X.X.X 255.255.255.252
ip nat outside

interface fastethernet 0/2
description ISP-2
ip address X.X.X.X 255.255.255.252
ip nat outside

ip access-list standard ACL1
    permit 192.168.1.0 0.0.0.255

ip access-list standard ACL2
    permit 192.168.2.0 0.0.0.255

ip nat inside source list ACL1 interface fastethernet 0/1 overload
ip nat inside source list ACL2 interface fastethernet 0/1 overload

ip nat inside source list ACL2 interface fastethernet 0/2 overload
ip nat inside source list ACL1 interface fastethernet 0/2 overload

ip policy route-map Nat-loop

route-map Nat-loop permit 10
  match ip address ACL1
  set ip next-hop ISP-1 (ip address)

route-map Nat-loop permit 20
  match ip address ACL2
  set ip next-hop ISP-2 (ip address)

route-map Nat-loop permit 30
  match ip address ACL1
  set ip next-hop ISP-2 (ip address)

route-map Nat-loop permit 40
  match ip address ACL2
  set ip next-hop ISP-1 (ip address)

Is that OK?

Thanks.

Ganesh Hariharan Fri, 01/29/2010 - 21:24

Hi,

The configuration is for active/active use of the ISPs. Route maps are executed in the order of the lowest sequence number to the highest. You can edit or modify maps by using the sequence number. If a match is found within a route map instance, execution of further route map instances stops.

So I would suggest you change the set criteria in the route map and match only two route maps for your ACLs; check out the below sample config with explanation.

route-map PBR_LAN permit 10
  match ip address ACL1
  set interface Serial2/1 Serial2/0

In the same fashion create one for ACL2 and set the next hop first as Serial2/0 (I mean the secondary link first, then the primary link).

then we apply it to the LAN facing interface:

interface FastEthernet0/0
  description LAN
  ip policy route-map PBR_LAN

Note that we used two interface names in the set interface command: if S2/1 is down, IOS will use S2/0, so we have a small level of redundancy and WAN-side fault tolerance for mission-critical traffic. We can achieve fault tolerance for LAN-to-WAN traffic too by adding a higher-metric default route:

ip route 0.0.0.0 0.0.0.0 Serial2/1 10

Hope that clears your query!!

If helpful do rate !!

Ganesh.H

josedunet Wed, 03/03/2010 - 08:34

Thanks ganeshh.iyer

Indeed, I would like to do dual homing with 2 ISPs and my local area network divided in 2, with automatic failover when one ISP fails.

My current config:

ip sla 1
icmp-echo ISP1-IP source-ip 192.168.10.1
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo ISP2-IP source-ip 192.168.20.1
frequency 10
ip sla schedule 2 life forever start-time now

track 122 rtr 2 reachability
delay down 10 up 30
!
track 111 rtr 1 reachability
delay down 10 up 30

interface GigabitEthernet0/0
description LAN
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip policy route-map test
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
description ISP1
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1.20
description ISP2
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.20.2

!
!
ip nat inside source list ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source list ISP2 interface GigabitEthernet0/1.20 overload
!
ip access-list standard ISP1
    permit 10.10.10.5
    permit 10.10.10.6
    permit 10.10.10.10
    permit 10.10.10.11
ip access-list standard ISP2
    permit 10.10.10.100
    permit 10.10.10.101

!
route-map test permit 10
match ip address ISP1
set ip next-hop verify-availability 192.168.10.2 10 track 111
set ip next-hop verify-availability 192.168.20.2 15 track 122
!
route-map test permit 20
match ip address ISP2
set ip next-hop verify-availability 192.168.20.2 10 track 122
set ip next-hop verify-availability 192.168.10.2 15 track 111

I explain: some IPs of the LAN network go out via ISP1 and the others via ISP2. When the ISP1 connection no longer works (the ISP1 IP becomes unavailable), I would like those going out via ISP1 to automatically begin to go out via ISP2.

The problem is that when ISP1 is not reachable, the traffic of the access list ISP1 does not manage to be NATed to pass over the ISP2 connection. The failover does not work. What is wrong in the config and what can I do, please?

Thanks in advance.
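An added configuration example, not from any of the replies above, showing one way to make NAT follow the PBR failover: key each NAT rule on the outgoing interface with a route-map (`match interface`) instead of on the source ACL alone, so hosts that PBR moves from Gi0/1.10 to Gi0/1.20 are translated to the ISP2 address. It reuses the interface names, next-hop addresses and track objects from the config above; the LAN ACL name, the NAT route-map names and the EEM applets are assumptions, and the applets assume an IOS image with Embedded Event Manager.

```cisco
! Default routes tied to the SLA tracks already defined above (111 = ISP1, 122 = ISP2),
! so a dead ISP is withdrawn from the routing table and not only skipped by PBR
ip route 0.0.0.0 0.0.0.0 192.168.10.2 track 111
ip route 0.0.0.0 0.0.0.0 192.168.20.2 track 122
!
! One ACL (assumed name LAN) of every host allowed to be translated at all; which ISP a
! host prefers stays a PBR decision in route-map "test" from the config above
ip access-list standard LAN
 permit 10.10.10.0 0.0.0.255
!
! NAT route-maps (assumed names) matched on the OUTGOING interface. Inside-to-outside NAT
! runs after the forwarding decision, so whichever link PBR or the routing table picks,
! the packet is translated to that link's address
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1.10
!
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1.20
!
! These replace the two "ip nat inside source list ISP1/ISP2 ..." lines above
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1.20 overload
!
! Existing translations stay bound to the old outside address after a failover, so flush
! them whenever a link changes state (assumed applet names; requires EEM in the image)
event manager applet FLUSH-NAT-ON-ISP1-CHANGE
 event track 111 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
!
event manager applet FLUSH-NAT-ON-ISP2-CHANGE
 event track 122 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

After pulling the ISP1 link, "show track 111", "show ip route" and "show ip nat translations" should show the track down, only the ISP2 default route installed, and new translations using the Gi0/1.20 address.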
