Help! Two "NAT outside" interfaces: How to filter/choose interfaces?

Mon, 11/11/2013 - 12:01
Hello everyone, I really need a hint here!


I have configured simple two-ISP load balancing using two default routes and two NAT overloads. Load balancing is working fine. (See NAT configuration at bottom.) This way, any NAT INSIDE host is able to reach the internet using both ISPs randomly.


I need some specific hosts to access the internet using a single specific ISP. Think of it as "load balancing" exceptions, if you will.

In other words, I need to disable load balancing and stick with a single ISP for certain hosts within NAT INSIDE that access HTTPS sites. This is because many SSL sites are unusable with load balancing and should be accessed using a single external IP address.


I've tried to create roadmaps and also I've tried to modify given roadmaps without success. Please see config below:

(part of current running-config.)

object-group service PuertosNavegacion
 description Puerto 80 y 443
 tcp source eq www
 tcp source eq 443
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address xxx.xxx.29.170 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map forceTelmex
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip dhcp client route track 345
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map forceTelmex
 duplex auto
 speed auto
!
interface Vlan3
 description puertos LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip dns server
ip nat inside source route-map fiberNat interface GigabitEthernet0/1 overload
ip nat inside source route-map telmexNat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.29.169
ip route 192.168.3.0 255.255.255.0 192.168.1.10 2
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 remark acepta nat deniega http y https
access-list 111 remark CCP_ACL Category=1
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny   object-group PuertosNavegacion 192.168.1.0 0.0.0.255 any
!
route-map fiberNat permit 10
 match ip address 111
 match interface GigabitEthernet0/1
!
route-map telmexNat permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!


Thanks in advance,

Agustin.
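
Added example, not part of the original post: a small Python model of top-down, first-match ACL evaluation applied to access-list 111 in the order it was posted, with the two members of PuertosNavegacion expanded into separate entries. The host 192.168.1.50 and both sample flows are constructed for illustration; destinations are not modelled because every line uses "any".

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")

# ACL 111 as posted, in order: (action, protocol, source network, source port).
# The object-group line expands to one entry per member of PuertosNavegacion.
ACL_111 = [
    ("permit", "ip", LAN, None),   # permit ip 192.168.1.0 0.0.0.255 any
    ("deny", "tcp", LAN, 80),      # deny object-group: tcp source eq www
    ("deny", "tcp", LAN, 443),     # deny object-group: tcp source eq 443
]

def entry_matches(entry, flow):
    """True when a flow (proto, src_ip, src_port, dst_port) matches one entry."""
    _action, proto, src_net, src_port = entry
    f_proto, f_src, f_sport, _f_dport = flow
    if proto != "ip" and proto != f_proto:
        return False
    if ipaddress.ip_address(f_src) not in src_net:
        return False
    return src_port is None or src_port == f_sport

def first_match(acl, flow):
    """Index and action of the first matching entry; (None, 'deny') is the implicit deny."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, flow):
            return i, entry[0]
    return None, "deny"

def covers(earlier, later):
    """True when every flow matching `later` also matches `earlier`."""
    _, e_proto, e_net, e_port = earlier
    _, l_proto, l_net, l_port = later
    return ((e_proto == "ip" or e_proto == l_proto)
            and l_net.subnet_of(e_net)
            and (e_port is None or e_port == l_port))

def shadowed(acl):
    """Indexes of entries that can never be the first match."""
    return [i for i, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:i])]

# Constructed sample flows from a hypothetical LAN host.
HTTPS_CLIENT = ("tcp", "192.168.1.50", 51000, 443)   # browser to an HTTPS site
FROM_PORT_443 = ("tcp", "192.168.1.50", 443, 51000)  # traffic sourced from port 443

if __name__ == "__main__":
    print("shadowed entries:", shadowed(ACL_111))
    for flow in (HTTPS_CLIENT, FROM_PORT_443):
        print(flow, "->", first_match(ACL_111, flow))
```

In this model the leading permit covers both expanded deny entries, so they are reported as shadowed. The constructed browser flow has an ephemeral source port, so it does not match a "source eq 443" entry regardless of entry order.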
