06-09-2008 12:45 AM - edited 03-03-2019 10:17 PM
Hi,
I need someone to help me with my problem. I work for a small organization as a network operator. Here in our company they have bought 2 WAN leased links of
2 Mbps each from the same ISP. The ISP, according to their policy, provides a block of 8 public IP addresses for the LAN for each 2 Mbps WAN link purchased. So now with 2 WAN links I have a total of (8+8=16) valid IP addresses. Now my problem is that the router I am using is a 1720 with one Ethernet port. I am attaching the sample config file for your reference. With this config I can nslookup but cannot browse.
Thanks in advance.
SEEID
06-09-2008 01:29 AM
Hi,
after checking the attached config I would like to clear up one of the statements listed in the running config.
ip nat pool NET-POOL2 45.222.48.16.24 45.222.48.16.31 prefix-length 29
Can you verify this statement ?
06-09-2008 01:52 AM
It is for the mask; I used this, i.e. 255.255.255.248
06-09-2008 02:38 AM
Why are you setting "ip next-hop" in the route-map?
Can you try without that?
Also, you are not using "overload".... does that mean you have so few hosts inside who need to access the web?
Regards,
Niranjan
06-09-2008 03:22 AM
I think you did not understand what I was pointing out to.
ip nat pool NET-POOL2 45.222.48.16.24 45.222.48.16.31 prefix-length 29 ? You need to verify this IP address; it has 5 octets.
Are these links from 1 ISP or different ISPs?
What is the output of show ip nat translation?
If possible please try this ACL.
! the /30 serial subnets written with wildcard masks (0.0.0.3), not subnet masks
access-list 111 permit ip 172.16.13.0 0.0.0.255 200.100.132.140 0.0.0.3
access-list 112 permit ip 172.16.13.0 0.0.0.255 200.100.132.144 0.0.0.3
Regards,
Pravin
06-10-2008 01:37 AM
Hi,
Let me explain again: we have 2 leased circuits of 2 Mbps each coming from the same ISP and terminating on the 2 WAN ports of a single 1720 router. The router has one LAN port.
Now with these 2 WAN links the ISP has supplied 2 blocks of IP addresses (45.222.48.16-23/29 & 45.222.48.16.24-31/29);
you can refer to the attached config file. Now the problem is that there is no NAT happening: when I ping some external site and check (RTR#show ip nat translation), I don't see any translations, but sometimes when I nslookup I can resolve but not browse :(
Thanks in advance
Saeeid
06-10-2008 07:00 AM
Saeeid, going through your config, it paused me for a question. What exactly are you looking to achieve with the existing config, or for that matter the additional IPs? There are a couple of points to be noted here.
First, you see there are 2 default routes pointing to different Se interfaces. This would only make sense if it is coupled into a floating static route, so that it moves over to the other Se i/f if one of the attached Se links fails (assuming the same ISP uses different paths to advertise out to the internet).
Secondly, do you intend to host any web/FTP server internally in your n/w and have it accessed from external sources? In this case the additional IPs can be used for this.
Also, having so many additional IPs is normally useful when the additional global IPs are allotted as primary & secondary to the internal LAN fe0 interface, and further part of these are assigned to any other connected firewall or routers inside the network to segregate and have the traffic flow in different directions. If so, NAT will happen on the devices connected to the Fe0 interface.
Let us know your views so that we can work forward to your desired solution.
Please rate the post if it helps!!!
06-10-2008 09:20 PM
Hi reco,
Let me quickly answer your queries:
1. Well, the use of two default routes is the idea to utilise both the links.
2. No, I don't intend to have any web/FTP server on my internal n/w.
Hope I answered your queries....
Requirement:
So, coming to what exactly I am trying to do or looking for:
1. I want to utilise both the WAN links from the same ISP, and also both blocks of IPs,
in whatever way possible, and route the traffic on both the links at a given time.
Concerns:
I would appreciate any new config for my requirement, or altering the existing one, whichever is the best possible way.
Thanks in advance..
06-11-2008 09:39 PM
Saeeid, here we go.
Please try the config below. I haven't really tested this, but based on your need this should work in all logic, unless otherwise.
The config I have posted is kept minimal to the need here. The IPs used are also as provided; if there are any changes please amend accordingly.
________________
interface Serial0
 ip address 200.100.132.142 255.255.255.252
 ip nat outside
 ip policy route-map exit
interface Serial1
 ip address 200.100.132.146 255.255.255.252
 ip nat outside
 ip policy route-map exit
interface FastEthernet0
 ip address 172.16.13.1 255.255.255.0
 ip nat inside
ip nat inside source route-map test1 interface Serial0 overload
ip nat inside source route-map test2 interface Serial1 overload
ip route 0.0.0.0 0.0.0.0 200.100.132.141 10
ip route 0.0.0.0 0.0.0.0 200.100.132.145 70
access-list 25 permit 200.100.132.145
access-list 26 permit 200.100.132.141
access-list 35 permit 172.16.13.0 0.0.0.255
! isp1 global range
access-list 45 permit 45.222.48.16 0.0.0.7
! isp2 global range
access-list 55 permit 45.222.48.24 0.0.0.7
route-map exit permit 10
 match ip address 45
 set ip next-hop 200.100.132.145
route-map exit permit 20
 match ip address 55
 set ip next-hop 200.100.132.141
route-map test1 permit 10
 match ip address 35
 match ip next-hop 26
route-map test2 permit 20
 match ip address 35
 match ip next-hop 25
_________________
Just a heads-up on this: the 2 default routes used here are floating ones, each tagged with a metric. This allows the other to be used in case one of them is not reachable.
Route-maps point/invoke respective hops/addresses.
Let us know the output once you hook this up to the device.
Please rate/mark if this helps!!!
06-16-2008 11:59 PM
Hi foxbatreco,
I am yet to try this on the router because of a hectic schedule. Anyway, thank you very much for the config, and I have already rated your post. I will get back to you once I try the config.
Saeed
06-17-2008 05:47 AM
Thanks buddy! Please try the config and let us know if it goes through. Any issues, we will help you find a solution.
06-24-2008 12:38 AM
Hi there,
Well, today I tried the config below, but unfortunately I can only browse one site, i.e. www.google.com, and also the traffic is not hitting both interfaces as I wanted; if I shut one interface there is no translation or any traffic passing... All the translations and traffic are moving on one link, i.e. serial0.
An urgent reply to my problem will be appreciated.
Thanks in advance...
interface Serial0
 ip address 200.100.132.142 255.255.255.252
 ip nat outside
 ip policy route-map exit
interface Serial1
 ip address 200.100.132.146 255.255.255.252
 ip nat outside
 ip policy route-map exit
interface FastEthernet0
 ip address 172.16.13.1 255.255.255.0
 ip nat inside
ip nat inside source route-map test1 interface Serial0 overload
ip nat inside source route-map test2 interface Serial1 overload
ip route 0.0.0.0 0.0.0.0 200.100.132.141 10
ip route 0.0.0.0 0.0.0.0 200.100.132.145 70
access-list 25 permit 200.100.132.145
access-list 26 permit 200.100.132.141
access-list 35 permit 172.16.13.0 0.0.0.255
! isp1 global range
access-list 45 permit 45.222.48.16 0.0.0.7
! isp2 global range
access-list 55 permit 45.222.48.24 0.0.0.7
route-map exit permit 10
 match ip address 45
 set ip next-hop 200.100.132.145
route-map exit permit 20
 match ip address 55
 set ip next-hop 200.100.132.141
route-map test1 permit 10
 match ip address 35
 match ip next-hop 26
route-map test2 permit 20
 match ip address 35
 match ip next-hop 25
06-24-2008 04:56 AM
This is a nasty issue that you will find many threads on. Even though you have the same ISP on both connections, it has the same issues as using 2 ISPs.
The best solution is to ask the ISP to bond the links together with something like multilink PPP and route both blocks to you over what then appears to be a single link.
Assuming that is not possible, I will point out some of the issues you have.
First, policy routing is input only; you cannot policy route output. You really need to do the policy routing on the Ethernet, but since policy routing is done before NAT on inside-to-outside traffic, you can't just match the ISP addresses.
Your biggest issue is that you cannot really load balance this. By default the router will use a combination of source and destination IP addresses to pick a path. The problem you will find is that the address you are NATed to will change based on the path. This may work, but in many cases even though a site may appear to have only 1 address, behind the covers it may have many. If the router chooses a different path to get to these, you get different NAT source addresses, which the servers at the remote site will detect as a spoof and drop your session.
Although not a good solution, you need to manually balance your traffic. You in effect assign your users to one or the other ISP.
One common way would be to send all even addresses one way and all odd addresses the other.
So to start, you put a policy route on the Ethernet interface that matches the 172.16.13.x addresses and sets the next hop to whichever ISP you choose.
Now you have to fix the NAT issue. You need to create 2 pools, one for each ISP, and assign the addresses based on the next hop. This will be very similar to the way you do it with your NAT overload in your sample. You should most likely remove the NAT overload statements if you are going to use a NAT pool.
This should make it mostly work, but you will never get true load balancing.
You also have an issue if one of the connections fails, which I won't discuss here, but you can look up policy routing and track objects for a solution.
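An added worked example of the approach described in the reply above (policy routing on the inside interface, an odd/even host split, one NAT pool per link, and track objects for link failure). This is editor-supplied configuration, not posted by anyone in the thread and not tested on the poster's router. It reuses the addresses from the thread: the ISP next hops 200.100.132.141 and 200.100.132.145, the LAN 172.16.13.0/24, and the two global blocks 45.222.48.16/29 and 45.222.48.24/29 (pool ranges skip the first and last address of each /29, an assumption about what the ISP will accept). The IP SLA and track commands are written in the newer IOS syntax; older 12.3/12.4 images on a 1720 use `ip sla monitor` and `track N rtr N reachability` instead, so the syntax is an assumption to check against the running image. Host-side names (SPLIT-LAN, NAT-SE0, NAT-SE1, ISP1-POOL, ISP2-POOL) are made up for the example.

```cisco
! Added example: manual odd/even split of inside hosts across two serial
! links, with a NAT pool per link so a given host always leaves with a
! global address from the block that belongs to the link it is using.

! --- reachability tracking of each ISP gateway (syntax is image dependent) ---
ip sla 1
 icmp-echo 200.100.132.141 source-interface Serial0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.100.132.145 source-interface Serial1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

! --- interfaces: NAT outside on both serials, NAT inside + PBR on the LAN ---
interface Serial0
 ip address 200.100.132.142 255.255.255.252
 ip nat outside
interface Serial1
 ip address 200.100.132.146 255.255.255.252
 ip nat outside
interface FastEthernet0
 ip address 172.16.13.1 255.255.255.0
 ip nat inside
 ip policy route-map SPLIT-LAN

! --- split the LAN: even last octet -> Serial0 side, odd -> Serial1 side ---
! wildcard 0.0.0.254 leaves only bit 0 of the last octet significant
access-list 10 permit 172.16.13.0 0.0.0.254
access-list 11 permit 172.16.13.1 0.0.0.254
route-map SPLIT-LAN permit 10
 match ip address 10
 set ip next-hop verify-availability 200.100.132.141 10 track 1
 set ip next-hop verify-availability 200.100.132.145 20 track 2
route-map SPLIT-LAN permit 20
 match ip address 11
 set ip next-hop verify-availability 200.100.132.145 10 track 2
 set ip next-hop verify-availability 200.100.132.141 20 track 1

! --- NAT: choose the pool from the interface the packet actually exits ---
! PBR has already picked the exit interface by the time inside->outside NAT runs,
! so matching the interface gives one consistent global block per link.
ip nat pool ISP1-POOL 45.222.48.17 45.222.48.22 prefix-length 29
ip nat pool ISP2-POOL 45.222.48.25 45.222.48.30 prefix-length 29
access-list 20 permit 172.16.13.0 0.0.0.255
route-map NAT-SE0 permit 10
 match ip address 20
 match interface Serial0
route-map NAT-SE1 permit 10
 match ip address 20
 match interface Serial1
ip nat inside source route-map NAT-SE0 pool ISP1-POOL overload
ip nat inside source route-map NAT-SE1 pool ISP2-POOL overload

! --- floating defaults, each withdrawn when its gateway stops answering ---
ip route 0.0.0.0 0.0.0.0 200.100.132.141 track 1
ip route 0.0.0.0 0.0.0.0 200.100.132.145 10 track 2
```

Two things to check after pasting this in: `show ip policy` and `show route-map SPLIT-LAN` should show the policy bound to FastEthernet0 with hit counters climbing on both sequences, and `show ip nat translations` should show even hosts translated to 45.222.48.17-22 and odd hosts to 45.222.48.25-30, never a mix for the same inside host. `overload` is kept on both pool statements deliberately: with only six addresses per pool, dropping it would cap each link at six concurrent inside hosts, whereas PAT keeps the "one host, one global address per link" property the reply above is after. When a track goes down, PBR falls through to the second `verify-availability` entry and the matching default route is withdrawn, so hosts fail over to the surviving link, and existing sessions will break once because their source address changes.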
06-09-2008 04:40 AM
Hi, can someone help me with an example of configuring a 1720 router with a single Ethernet port, for two internal subnets with NATing to access the internet, and two WAN links to the same ISP?
06-10-2008 04:30 AM
I believe what pravinxyz was trying to say is that your NAT pool line should look something like this:
ip nat pool NET-POOL2 45.222.48.16 45.222.48.31 prefix-length 29
The IP address length is too big in your statement.