02-08-2010 08:09 AM - edited 03-04-2019 07:26 AM
Hello all.
First off, this is not the first time I have done this... but it is the first time in 12.4... and it seems there have been changes that are causing me issues.
Here is a sample of what I had done in 12.3 which worked perfectly.
<code>
interface Ethernet0
description Internal Side
ip address 10.0.2.254 255.255.255.0
ip nat inside
!
interface Ethernet1
description Internet Side
ip address 64.65.66.67 255.255.255.240 secondary
ip address 74.75.76.77 255.255.255.240
ip nat outside
!
ip nat inside source static tcp 10.0.2.2 80 74.75.76.78 80 extendable
ip nat inside source static tcp 10.0.2.2 80 64.65.66.68 80 route-map biWAN-PAE extendable
!
ip classless
ip route 0.0.0.0 0.0.0.0 74.75.76.76 permanent
!
route-map biWAN-PAE permit 10
set ip next-hop 64.65.66.66
!
</code>
Now when I try to do this in 12.4, it simply won't work. First, it won't allow the two "ip nat inside source static" commands as-is. I need to define them with a route-map each. So I created another route-map with a "set ip next-hop" for the 74.75.76.76 gateway. But all my traffic is headed to 74.75.76.76 regardless of what translation/route-map it uses.
My thought at this point is to set up a loopback interface for all 'outside' traffic and try to set up a route-map on the loopback interface so I can have the route-map ACLs working on public IP addresses...
Thoughts on this?
Thanks! -Cheers, Peter.
02-09-2010 06:40 PM
Anyone?
03-09-2010 11:37 PM
Peter,
First of all my question to you would be : "why are you implementing NAT in this fashion?"
You do not have multiple exit interfaces, just multiple public IPs. So what's the benefit of using two public IPs to access the same internal server? I mean, if that ISP link or the interface goes down, then both these public IPs would not work.
Secondly, while sending the traffic out, routing always happens before NAT. So even if you have "set ip next-hop" statement added in the route-map which is called on a NAT statement, it will not do anything because routing decision has been already made. So as a best practice, don't use "set ip next-hop" command in route-maps which are being used for NAT.
"set ip next-hop" command should only be used when PBR is implemented and the route-map is called under an interface using the "ip policy route-map" command.
Only after understanding your actual requirement can we suggest a solution or a workaround.
Neeraj
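The following is an added example of the placement Neeraj describes; it is not configuration from either poster. It keeps Peter's addresses (10.0.2.2 on Ethernet0, ISP gateway 64.65.66.66) and assumes the names FROM-WEB-SERVER and PBR-TO-ISP-A. It shows only the PBR part: "set ip next-hop" is honoured when the route-map is applied to the ingress interface with "ip policy route-map", and because inside-to-outside policy routing happens before translation the ACL has to match the private address, not the public one the packet will be translated to. The static NAT statements are left out and would stay as in the original post.

```cisco
! Added example (not from the thread). Names FROM-WEB-SERVER and
! PBR-TO-ISP-A are assumed; the addresses are taken from Peter's config.
!
! Inside-to-outside traffic is policy-routed BEFORE it is translated, so the
! ACL matches the inside host 10.0.2.2, not the public address it becomes.
ip access-list extended FROM-WEB-SERVER
 permit tcp host 10.0.2.2 eq 80 any
!
! The next-hop decision lives here, on a PBR route-map, not on the NAT
! statement's route-map where IOS ignores it (routing is already done).
route-map PBR-TO-ISP-A permit 10
 match ip address FROM-WEB-SERVER
 set ip next-hop 64.65.66.66
!
! Applied to the interface the server's traffic ENTERS on. Packets that do not
! match the ACL fall through to normal forwarding via the routing table
! (the 0.0.0.0/0 route towards 74.75.76.76).
interface Ethernet0
 description Internal Side
 ip address 10.0.2.254 255.255.255.0
 ip nat inside
 ip policy route-map PBR-TO-ISP-A
```

To confirm the policy is taking effect, check "show route-map PBR-TO-ISP-A": the "Policy routing matches" counter should increase as the server's replies leave; if it stays at zero, the ACL is matching the wrong address or the policy is on the wrong interface. Note that "ip policy route-map" only affects transit packets entering Ethernet0, not traffic the router itself originates. This example also shows the limit of the approach for Peter's case: at the moment PBR runs, a reply from 10.0.2.2 looks the same whether the client reached 74.75.76.78 or 64.65.66.68, so the policy pins all of the server's replies to one gateway rather than steering each public address back out its own link.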
03-18-2010 06:23 PM
I am not worried so much about the interface failure as I am about Internet access failure. The two IP blocks are provided over two different links which are consolidated via an Ethernet switch.
I have read about routing happening before NAT... but I am thinking that there must be some way to route after NAT, either by using a loopback interface or such, but I just have not come to a solution.
Thanks. -Peter.