
A good NAT design problem

MITCH JOHNSON
Level 1

I have a router with two interfaces which of course have two different subnet ranges. This is going to be on a network with two possible paths to the Internet. I need to have traffic go in two possible directions. I also need to have a NAT pool so the internal users are translated to a public IP address. How do I do this when going through two separate interfaces? If one interface goes down, it would be nice if the state would remain.

TIA

Mitch


15 Replies

mahmoodmkl
Level 7

Hi

I think this link will help you.

http://www.cisco.com/warp/public/556/12.html

And for distributing the traffic I think you can go with PBR.

Thanks

Mahmood

Policy based routing will not help this design at all. Concerning the NAT document you posted, I know how to do NAT, I just don't know how to do NAT on TWO different outside interfaces. I'd also like to keep the NAT stateful if possible.

Hi,

Is it like this:

You have two ISP connections, you have two different pools, and you want to NAT your inside hosts to any one public IP pool and must use only a single link for access? Am I right?

regards

Devang

No,

Two paths to one ISP. One NAT pool which is on the local router, however, the packet may end up going out either of the two outside interfaces to get to the ISP.

Thanks

Hi,

I think you can do this by using static routes.

You can configure two static routes with two different metrics, both static routes pointing to the two interfaces which are connected to the ISP. The one of the two with the lowest metric will appear in the routing table, and when the best path with the lowest cost goes down, the worse one will be in the routing table.

regards

Devang

I considered doing that, but how do I do the NAT translation consistently over two different subnets?

(Accepted Solution)

From what I understand so far you want your inside hosts to use a single public pool. Additionally, you have two links to your ISP from the same router and you want to be able to utilize both. Your concern is how this will work with NAT. Is that correct?

If yes then I believe you should not have any issues. NAT translations are not bound to a particular interface. For packets outbound from your network your NAT configuration will select how to NAT them to the public pool and once NATed they will be sent out one of the external links; the external link to go out from is actually selected before NAT occurs. For incoming packets the router consults the NAT translation table and if there is a matching entry it does NAT (provided both interfaces have NAT enabled on them - ip nat outside). So as long as your ISP is routing back to you (for your public pool) via both the links then I think you do not have to worry about anything. It is only with multiple routers that NAT state sharing is a problem, and even that I think is no longer an issue with SNAT (stateful NAT).

Thanks,

I always thought that the NAT had to go out the interface that "owns" the NAT pool. For instance, I have a 10.10.10.0/24 subnet available for NAT (I know it's private, just an example); if I have one interface as 10.10.10.1/24 and another as 10.10.10.12.1, then should the NAT pool not gravitate to the 10.10.10.1 interface?

Or, is it that I could have two interfaces on two different point-to-point links, as I do, name them NAT outside, and then have a totally separate NAT pool to NAT clients across either outside interface to the ISP?

I'll try that out, thanks.

Yes you could have two different point-to-point links and the corresponding interfaces with ip nat outside configured. The NAT pool in this case will be an independent pool and does not have to be bound to any of the interfaces. Do test it out and let us know how it works out for you.
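The single-pool design the accepted answer describes, written out as an added example (this is not configuration from the original thread or from Cisco; interface names, the 192.168.1.0/24 inside network, the 198.51.100.x link addresses and the 203.0.113.0/24 pool are assumptions chosen from the documentation ranges):

```cisco
! Added example, not from the original post: one NAT pool shared by two
! outside interfaces that both go to the same ISP.
! Addresses and interface names below are assumptions for illustration.
!
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Link 1 to ISP (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description Link 2 to ISP (assumed)
 ip address 198.51.100.5 255.255.255.252
 ip nat outside
!
! The pool is not tied to either link's subnet; the ISP must route this
! prefix back to you over both links.
ip nat pool PUBLIC 203.0.113.10 203.0.113.50 prefix-length 24
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 pool PUBLIC
!
! Common practice: a discard route for the pool, so a packet from the ISP
! for a pool address with no translation is dropped here instead of being
! routed back out the default route and looping.
ip route 203.0.113.0 255.255.255.0 Null0
!
! Both links active: two equal-cost default routes, CEF shares flows per
! destination. The egress link is chosen before NAT, and the translation
! entry is the same whichever link a packet used, so return traffic is
! matched on either outside interface.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
! Active/standby alternative: replace the two routes above with a floating
! static so Serial0/1 carries traffic only while Serial0/0 is down.
! ip route 0.0.0.0 0.0.0.0 Serial0/0
! ip route 0.0.0.0 0.0.0.0 Serial0/1 250
```

To check it, open a session from an inside host and run `show ip nat translations`: the entry lists inside local, inside global, outside local and outside global addresses but no interface, which is why a link failure does not invalidate it. `show ip nat statistics` confirms both serial interfaces are listed as outside interfaces. The one thing this router cannot control is the ISP side: if the ISP only has a route for 203.0.113.0/24 via one of the links, return traffic for the other link dies with it.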

Hi

Atif, thanks for your explanation, but I am a little bit confused. Suppose I have a scenario like this.

192.168.1.0/24 is my internal network.

10.10.1.0/24, for example, is the outside network which is pool 1.

10.10.2.0/24 is the second pool.

Now as you can see I have two links from the ISP and two public pools. Will the config below work? Have a look at it.

router(config)# interface Serial0/0

router(config-if)# ip address w.x.y.z subnetmask

router(config-if)# ip nat outside

router(config-if)# interface Serial0/1

router(config-if)# ip address a.b.c.d subnetmask

router(config-if)# ip nat outside

ip nat pool ISP1 10.10.1.5 10.10.1.50 prefix-length 24

ip nat pool ISP2 10.10.2.5 10.10.2.50 prefix-length 24

access-list 10 permit 192.168.1.0 0.0.0.255

ip nat inside source list 10 pool ISP1

ip nat inside source list 10 pool ISP2

Assume that the static routes are defined.

Thanks

Mahmood

Hello Mahmood,

From what I know you cannot use the same access-list for two different NAT pools, so that part of your configuration will not work. Also you are mentioning ISP1 and ISP2... Do you mean that each link goes to a different ISP? (In the previous problem both links were to the same ISP, so things were a little simpler.) If you do want a configuration that will support two links to separate ISPs then that is also doable with the use of route-maps, where you specify a combination of your inside addresses and the next-hop IP or interface. In your case it will be something like:

route-map ISP_1 permit 10

 match ip address 10

 match interface Serial0/0

route-map ISP_2 permit 10

 match ip address 10

 match interface Serial0/1

ip nat inside source route-map ISP_1 pool ISP1

ip nat inside source route-map ISP_2 pool ISP2

In this case all packets going out of interface s0/0 will always be NATed to the pool provided to you by ISP1 (assuming s0/0 is your link to ISP1) and all packets going out of s0/1 will be NATed to the pool provided by ISP2 (s0/1 is your link to ISP2). One point to note is that in this case you should not do per-packet load balancing; otherwise it will break your NAT. Moreover, when one link fails, new sessions will work but existing sessions via the failed link will also fail.
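The two-ISP variant from the reply above, assembled into a complete configuration as an added example (not from the original thread or from Cisco). The interface names, the 192.168.1.0/24 inside network, the link addresses and the two pools 203.0.113.0/24 (ISP1) and 192.0.2.0/24 (ISP2) are assumptions; the point it adds beyond the reply is how to keep both default routes from load-sharing, and what to do with stale translations after a failover:

```cisco
! Added example, not from the original post: two links to two different
! ISPs, each with its own public pool, selected by the egress interface.
! Addresses and interface names are assumptions for illustration.
!
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description To ISP1 (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description To ISP2 (assumed)
 ip address 198.51.100.5 255.255.255.252
 ip nat outside
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
ip nat pool ISP1 203.0.113.5 203.0.113.50 prefix-length 24
ip nat pool ISP2 192.0.2.5 192.0.2.50 prefix-length 24
!
! The same ACL may be referenced from both route-maps; what does not work
! is binding one ACL directly to two pools with "ip nat inside source list".
route-map ISP_1 permit 10
 match ip address 10
 match interface Serial0/0
!
route-map ISP_2 permit 10
 match ip address 10
 match interface Serial0/1
!
ip nat inside source route-map ISP_1 pool ISP1
ip nat inside source route-map ISP_2 pool ISP2
!
! Discard routes so unused pool addresses returned by an ISP do not loop.
ip route 203.0.113.0 255.255.255.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
!
! Active/standby default routes. Two equal-cost defaults with per-packet
! load sharing would send packets of a flow translated to ISP1's pool
! out toward ISP2, which does not route that prefix and may drop the
! packet on ingress filtering; the floating static avoids that.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1 250
```

When Serial0/0 goes down the default route flips to Serial0/1 and new flows are translated into ISP2's pool, but entries already in the table still carry ISP1 addresses and will now leave via ISP2; their return traffic is routed by the Internet to ISP1, whose link to you is down, so those sessions stall until they time out. Clearing them with `clear ip nat translation *` (or a lower `ip nat translation timeout`) shortens the window at the cost of dropping every active session; the single-pool design to one ISP avoids the problem because the pool is reachable over either link.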

Hi

Atif, thanks for the reply. In the above scenario, suppose I have both links from the same ISP; then how can we configure it? Suppose I have separate pools for both the links; how would the configuration be?

Thanks

Mahmood

If both links were going to the same ISP then I would not use separate pools. I would use a single pool as we have discussed earlier in this problem. If you still want to use separate pools you can follow the same process as I have described for the two-ISP scenario, but keep in mind the failure scenarios.

Hi

Atif, thanks.

You mean to say that we need to just define the NAT pool, assign the IP addresses on the serial interfaces, and define ip nat outside?

Will this load-balance our NAT traffic?

Thanks

Mahmood
