cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
799
Views
0
Helpful
4
Replies

PBR with dual WAN with NAT

a296766384
Level 1
Level 1

Hi All ,

This is my first post , hope im in the right place .

i have a CISCO 1841 that is set in this way (IP's are not my , for security reasons)

!
interface FastEthernet0/0
description -= Modem 10M/800k =-
no ip address
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/1
description -= 3M/3M ISP Line =-
switchport access vlan 2
duplex full
speed 100
!

!
interface FastEthernet0/0/2
description -= Connection To Firewall =-
switchport access vlan 3
!
interface Vlan2
description -= WAN 3/3 =-
ip address 1.2.3.4 255.255.255.252   !# lets say this is a public ip
no ip redirects
ip nat outside
ip virtual-reassembly
!
interface Vlan3
description -= LAN To Firewall =-
ip address 10.11.12.1 255.255.255.0  !# lets say this is a public ip subnet
ip nat inside
ip virtual-reassembly
!

Wen i come to set routing table , i wanted to route based on destination ip

so that traffig going out to my servers (on the internet) will be route from Vlan2 and the rest will be route from Dialer1

to do so i created a PBR and asign it on the interface

!

interface Vlan3
  description -= LAN To Firewall =-
  ip address 10.11.12.1 255.255.255.0
ip nat inside
  ip virtual-reassembly

ip policy route-map TEST_MAP

!

ip route 0.0.0.0 0.0.0.0 1.2.3.5 200

!

ip nat inside source route-map TEST_MAP interface Dialer1 overload

!

route-map TEST_MAP permit 10
match ip address 25
set interface Dialer1
set default interface Dialer1
!

access-list 25 permit 7.6.5.4 0.0.0.254

!

Now my problem is this : traffic are going out from the correct interface , with NAT

because i can see the IP is changes when i set the match ip address to whatismyip.com .

but for some reason i can only have HTTP GET  , and when i do HTTP POST from my browser , there is nothing

how can i monitor this problem , and solve it . i am no expert in CISCO , but i think i missed something on this configuration here .

any help would be appreciate

Yan

Message was edited by: Yan YAg

4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

Yan

I notice several things in the config, though I am not sure if any of them are the cause of the symptoms that you describe.

- you have ip nat outside configured on both the FastEther0/0 and the VLAN2 interfaces. But the nat statement that you posted only deals with dialer1. Are there additional nat statements that you did not include in your post? How are you dealing with address translation for traffic going out VLAN2?

- you are using the same route map for both PBR and for NAT. I believe that it would be better to have separate route maps for PBR and for NAT.

- I am not clear why you are configuring a distance of 200 on your default route. Is there some other source of routing information that provides a default route and you want this to act as a float static route?

I wonder if your problem is related to MTU problems. Since you are doing PPPOE over the dialer it is adding additional information to the frame that is to be transmitted. When you do a HTTP GET that is usually a smaller frame. When you do a POST that is likely to be a larger frame. And when the additional information is added to the frame by PPPOE it could cause the frame to be too large. I would suggest that you configure the ip tcp adjust-mss command to set the maximum segment size to a smaller value. Give it a try and let us know if it helps.

HTH

Rick

HTH

Rick

Hi rburts and thanks for the answe

I remove the nat outside of FastEther0/0 and left the Dialer with nat outside and vlan2

so that now i have 2 WAN with NAT outside . this didnt help .

I am a little confuse about NAT , from reading the documents , what i ma trying to acomplished is this

my LAN ip subnet is public IPs , so i wasn't sure if i need to set NAT between T1 and my LAN interface .

i know that the routing and NAT is good from the T1 , thats why i didnt touche this settings , but again i am a nowbie with all this

and get my information from documents and forums . i do know i did a mess here , but willing to learn .

I drow a diagram of what i ment to do , but dont know how exactly to do it .note that the IPs are not real

So i have set all interfaces , but probable mess up with the NAT and route-map . i want all traffic coming from VLAN3

to go out with its IP when going out of VLAN2 . but i want to NAT all traffic goint out of Dialer1 . and to manage all this by route-map acl's

and not by static route .

Yan

The way that you are obscuring the addresses helped me not understand that the addresses on your LAN are public IPs. If they are public IPs then probably you do not need to translate them when going over the T1. So I would think that you want to remove the ip nat outside from that interface.

I still think that separate route maps for PBR and for address translation would be good. And in fact I am not sure that you need a route map for address translation. I would think that matching an access list in the translation process would be sufficient.

HTH

Rick

HTH

Rick

Thanks again for the reply ,

I will make the change and let you know if it worked

now that i look at it , it make sence to remove outside nat from T1 interface .

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco