453 Views, 0 Helpful, 10 Replies
Advanced NAT problem

lehpoh
Level 1

I have a Cisco 1720 router with a leased line to the internet and an ISDN backup to the internet. The ISDN backup uses the "backup interface" method. My ISP assigns different IP pools for my leased line and ISDN, so I use route-maps so that the router selects the appropriate pool when using the leased line or ISDN.

For testing purposes, when I am connected via the leased line, I issue a continuous ping to my ISP's primary DNS server, 165.21.83.88. When I remove the leased line connection, the ISDN kicks in and runs fine, but my ping never recovers from "request timeout"! If I stop the ping and issue a new ping to my ISP's secondary DNS server, 165.21.100.88, I get a reply. When I cancel this ping and ping 165.21.83.88 again, it still gets "request timeout"!

Now when I put back the leased line connection, the ISDN goes down. Now I can ping 165.21.83.88 but I cannot ping 165.21.100.88.

It seems like the NAT translation for 165.21.83.88 continuously sticks to the leased line although I am using the ISDN backup. Likewise, the NAT translation for 165.21.100.88 sticks to the ISDN connection even though I am using the leased line.

Why?? How to solve this problem??

10 Replies

raymong
Level 4

I'd suggest running some debugs the next time you test the failover to see what is happening to the translations... debug ip nat and debug ip nat detailed.

tepatel
Cisco Employee

First you need to make sure that the DNS servers, primary and secondary, assigned via the leased line and via the ISDN PPP link are the same.

Now you can automatically clear those NAT entries using the command "ip nat translation .....". You can use "ip nat translation dns-timeout 5", where 5 is in seconds, to clear that DNS NAT entry in 5 seconds.

Please visit the following URL for more on that:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122tip1r/p1ftipad.htm#1019618

The DNS server is the same for the leased line and ISDN. Pinging the DNS server is just an example; it happens even when I ping another fixed public IP. Does the "ip nat translation dns-timeout 5" command resolve issues like pinging another fixed public IP?

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

My config is as follows:

--moderator edit-- router#sh ru
Building configuration...

Current configuration : 1709 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname --moderator edit-- router
!
logging rate-limit console 10 except errors
enable secret 5 --moderator edit-- xxxxxxx
!
memory-size iomem 25
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
!
!
!
interface BRI0
 ip address --moderator edit-- nnn.nn.nn.250 255.255.255.252
 ip nat outside
 encapsulation ppp
 dialer idle-timeout 60
 dialer map ip --moderator edit-- nnn.nn.nn.249 name --moderator edit-- router 65375200
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication pap callin
 ppp pap sent-username --moderator edit-- router password 7 --moderator edit--
!
interface FastEthernet0
 ip address --moderator edit-- qqq.qqq.qqq.4 255.255.0.0
 ip nat inside
 speed auto
!
interface Serial0
 backup delay 0 30
 backup interface BRI0
 ip address --moderator edit-- rrr.rr.rr.250 255.255.255.252
 no ip proxy-arp
 ip nat outside
 no cdp enable
!
ip nat pool MAYPOOL --moderator edit-- sss.sss.ss.194 --moderator edit-- sss.sss.ss.198 netmask 255.255.255.248
ip nat pool Leased_Line_Pool --moderator edit-- vvv.vvv.vvv.33 --moderator edit-- vvv.vvv.vvv.33 prefix-length 28
ip nat inside source route-map ISDN_Map pool MAYPOOL overload
ip nat inside source route-map Leased_Line_Map pool Leased_Line_Pool overload
ip classless
ip route 0.0.0.0 0.0.0.0 --moderator edit-- rrr.rr.rr.249
ip route 0.0.0.0 0.0.0.0 --moderator edit-- nnn.nn.nn.249 200
no ip http server
!
access-list 1 permit --moderator edit-- ttt.ttt.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map ISDN_Map permit 10
 match ip address 1
 match interface BRI0
!
route-map Leased_Line_Map permit 10
 match ip address 1
 match interface Serial0
!
!
line con 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 password 7 --moderator edit--
 login
!
no scheduler allocate
end

Take the "match ip address 1" statement out of both route-maps.

Basically you are defining the same rule in two different route-maps.

Once the "match ip address 1" rule gets parsed, NAT in effect does not bother with the other rules.

The catch here is to have the policies in your route-maps as different as possible. Try with just the match interface statement, and that should work for you.

I have a similar problem using route-maps with two different pools. The situation occurs when the first link goes down and the second link takes over the connection, but NAT doesn't change the pool unless I enter a manual command like clear ip nat translation *.

Some part of my configuration is as follows:

interface Serial0/0:0
 ip address 200.184.229.109 255.255.255.252
 ip nat outside
!
interface Serial0/1:0
 ip address 200.157.1.1 255.255.255.0
 ip nat outside
ip nat pool RS102 200.184.1.1 200.184.1.254 netmask 255.255.255.0
ip nat pool RS101 198.22.1.1 198.22.1.254 netmask 255.255.255.0
!two different pools
ip nat inside source route-map POOL1 pool RS101
ip nat inside source route-map POOL2 pool RS102
!two different route-maps
ip route 0.0.0.0 0.0.0.0 200.184.229.110
ip route 0.0.0.0 0.0.0.0 200.157.1.2 50
!two default routes with different administrative distance
access-list 10 permit 200.184.229.110
access-list 20 permit 200.157.1.2
route-map POOL2 permit 10
 match ip next-hop 20
!
route-map POOL1 permit 10
 match ip next-hop 10
ip nat translation timeout 10

The NAT translation never expires!

cpe-nat-multi-h#sh ip nat tran ic ver
Pro Inside global      Inside local       Outside local      Outside global
icmp 198.22.1.1:256    10.0.0.1:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:29, use 00:00:00, left 00:00:09, Map-Id(In): 1,
icmp 198.22.1.3:256    10.0.0.2:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:25, use 00:00:00, left 00:00:09, Map-Id(In): 1,

C    200.157.1.0/24 is directly connected, Serial0/1:0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet3/0
S*   0.0.0.0/0 [50/0] via 200.157.1.2

IOS software: c3640-jsx-mz.122-13.T.bin

NAT doesn't apply the condition defined in the route-maps to change the pool (even when using only one statement in each route-map).

Does this problem represent a bug? Any suggestion?

Thanks
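As an added example (not part of this thread and not a Cisco tool), here is a small Python script that parses the `show ip nat translations verbose` output quoted in the post above, reads the installed default route from `show ip route`, and flags translations whose inside-global address belongs to the pool of the link that is no longer active. Those are exactly the entries that survive a failover and keep a host's traffic pinned to the failed link's addresses until they expire or are cleared. The pool networks and the next-hop-to-pool mapping are taken from the configuration in this post; the sample output is constructed from the two ICMP entries quoted above plus a hypothetical TCP entry that already sits in the backup link's pool.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Pools and route-map selection taken from the configuration in this post:
# next hop 200.184.229.110 (access-list 10) -> POOL1 -> RS101,
# next hop 200.157.1.2     (access-list 20) -> POOL2 -> RS102.
POOLS = {
    "RS101": ipaddress.ip_network("198.22.1.0/24"),
    "RS102": ipaddress.ip_network("200.184.1.0/24"),
}
NEXT_HOP_TO_POOL = {"200.184.229.110": "RS101", "200.157.1.2": "RS102"}

# Constructed sample: the two ICMP entries quoted in the post, plus a
# hypothetical TCP entry that already uses RS102 (the backup link's pool).
SAMPLE_NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 198.22.1.1:256    10.0.0.1:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:29, use 00:00:00, left 00:00:09, Map-Id(In): 1,
icmp 198.22.1.3:256    10.0.0.2:256       20.0.0.1:256       20.0.0.1:256
    create 00:00:25, use 00:00:00, left 00:00:09, Map-Id(In): 1,
tcp  200.184.1.7:1024  10.0.0.3:1024      20.0.0.1:80        20.0.0.1:80
    create 00:01:02, use 00:00:01, left 00:00:08, Map-Id(In): 2,
"""

# Constructed sample of the routing-table lines quoted in the post.
SAMPLE_ROUTE_OUTPUT = """\
C    200.157.1.0/24 is directly connected, Serial0/1:0
S*   0.0.0.0/0 [50/0] via 200.157.1.2
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)
DETAIL_RE = re.compile(
    r"create (?P<create>[\d:]+), use (?P<use>[\d:]+), left (?P<left>[\d:]+), "
    r"Map-Id\(In\): (?P<map_id>\d+)"
)
DEFAULT_ROUTE_RE = re.compile(r"^S\*\s+0\.0\.0\.0/0 \[\d+/\d+\] via (?P<nh>\S+)")


def hms_to_seconds(text: str) -> int:
    """Convert an IOS hh:mm:ss timer value to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def strip_port(token: str) -> str:
    """'198.22.1.1:256' -> '198.22.1.1' (the suffix is the ICMP id, or the port for TCP/UDP)."""
    return token.rsplit(":", 1)[0]


def parse_translations(text: str) -> List[Dict]:
    """Parse 'show ip nat translations verbose' into one dict per translation."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Pro "):
            continue  # blank line or column header
        detail = DETAIL_RE.search(line)
        if detail and entries:
            # Verbose detail line belongs to the translation parsed just before it.
            entries[-1]["left_seconds"] = hms_to_seconds(detail.group("left"))
            entries[-1]["use_seconds"] = hms_to_seconds(detail.group("use"))
            entries[-1]["map_id"] = int(detail.group("map_id"))
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append({
                "proto": match.group("proto"),
                "inside_global": strip_port(match.group("ig")),
                "inside_local": strip_port(match.group("il")),
                "outside_global": strip_port(match.group("og")),
            })
    return entries


def active_default_next_hop(route_text: str) -> Optional[str]:
    """Return the next hop of the installed static default route (the S* line)."""
    for line in route_text.splitlines():
        match = DEFAULT_ROUTE_RE.match(line.strip())
        if match:
            return match.group("nh")
    return None


def stale_translations(entries: List[Dict], active_next_hop: str) -> List[Dict]:
    """Translations whose inside-global address is not in the pool that the
    currently installed default route should select."""
    expected_pool = POOLS[NEXT_HOP_TO_POOL[active_next_hop]]
    return [
        entry for entry in entries
        if ipaddress.ip_address(entry["inside_global"]) not in expected_pool
    ]


if __name__ == "__main__":
    next_hop = active_default_next_hop(SAMPLE_ROUTE_OUTPUT)
    for entry in stale_translations(parse_translations(SAMPLE_NAT_OUTPUT), next_hop):
        print(f"stale: {entry['proto']} {entry['inside_local']} -> "
              f"{entry['inside_global']} (left {entry['left_seconds']}s)")
```

With the default route via 200.157.1.2 installed, the script reports the two ICMP translations on 198.22.1.x as stale: they were built while POOL1 was selected and, as the post observes, a continuous ping keeps refreshing them so the 10-second translation timeout never fires. Flagged entries are the ones a manual `clear ip nat translation` would have to remove after a failover.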

This is interesting, but the real problem here is the ISP that's making people buy two address pools. That's ridiculous and unnecessary. For one thing it means you cannot have any incoming traffic, no on-site servers for email or web hosting. Your DNS on the internet will only point to one of the address spaces and it can take 7 days to update DNS on the internet. Not a very good failover time. The ISP should be able to reroute to the same pool through the ISDN backup.

To make this work you need to make the route-maps sensitive to the status of the WAN circuit. I don't think that's possible.

Thanks for the answer, but the explanation is trying to show that the change from one pool to another doesn't work correctly, because every kind of combination was already configured in the route-map (match interface, match ip next-hop) and the NAT translation never expires for the instance because it doesn't use the information in the route-maps.

These two statements can be sensitive to the status of the WAN circuit, but unfortunately the pools are not changed if one link goes down, because NAT does not seem to use the information in the route-maps.

This case is not a commercial case but a technical one, and the customer will not "buy" two addresses from the same ISP. He has a configuration with two different addresses from two ISPs and is trying to use some kind of automatic redundancy without BGP.

Have you seen this doc? It might help; it's called NAT order of operation.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Thanks for the answer. This paper confirms the first question: policy routing is performed before NAT, but in a specific lab environment the router doesn't join a statement like "match ip next-hop" with the correct NAT pool.

Similar questions about NAT with different pools using route-maps are already described in other conversations. I think that Cisco can clarify the issues about the configuration with NAT and route-maps.

Is there someone from Cisco to help us?
