
New Member

2 ISPs, NAT and PBR

Hello All,

I seem to have hit the wall with something that should be pretty straightforward. We have 1 router and 2 ISPs connected to it.

I have configured PBR on the internal interface to forward some traffic to the 2nd ISP and, according to the route-maps, the traffic gets policy-routed.

But I'm unable to go anywhere beyond the gateways. If I put a default gateway in place, traffic goes OK for the ISP where the default gateway is set (and the 2nd ISP doesn't go anywhere).

Am I missing something?

Thx, Serge.

16 REPLIES

Re: 2 ISPs, NAT and PBR

try to use "set ip next-hop" instead of "set ip default next-hop"

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP2)

New Member

Re: 2 ISPs, NAT and PBR

Thanks for the quick reply. I tried set ip next-hop as well, but it didn't make any difference. There's a typo in the config as well, sorry about that. The correct part is:

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP1)

Re: 2 ISPs, NAT and PBR

ip access-list extended ACL-NAT-isp2
 permit ip host 10.100.12.161 any
ip access-list extended ACL-NAT-ips1
 deny ip host 10.100.12.161 any
 permit ip any any

New Member

Re: 2 ISPs, NAT and PBR

Looks like my cut'n'paste skills aren't the best today. I missed the internal LAN in NAT in the original configuration. I'm not sure if permit ip any any would work with NAT, so here's the correct ACL. The reason for denying private IPs at the beginning: we do have a VPN going over isp2, so we don't need to NAT that traffic.

ip access-list extended ACL-NAT-ips1
 remark Do not NAT towards Private IP
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Deny single hosts
 deny ip host 10.100.12.161 any
 permit ip 10.100.0.0 0.0.255.255 any

Thx, Serge.

New Member

Re: 2 ISPs, NAT and PBR

So if I understand it correctly, PBR happens before NAT. Then how is this supposed to look?

Do I need to utilize a default gateway somewhere? Without NAT, PBR works like a charm, but with NAT it doesn't.

Thx, Serge.

Re: 2 ISPs, NAT and PBR

I think it should be

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload

but in your config you have

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/1 overload

New Member

Re: 2 ISPs, NAT and PBR

Yes, sorry about that. Noticed that as well in the config, but didn't update the posted one.

Still, it doesn't work. I removed all the extra NATs, etc. I just want to PBR 1 host and it's not going anywhere beyond the default gateway.

Re: 2 ISPs, NAT and PBR

:))

show the actual configuration.

New Member

Re: 2 ISPs, NAT and PBR

Here we go. The configuration is only for 1 host to go over isp2.

Re: 2 ISPs, NAT and PBR

I do not see any route for 10.100.12.161

sh ip route 10.100.12.161

New Member

Re: 2 ISPs, NAT and PBR

#sh ip route 10.100.12.161
Routing entry for 10.100.0.0/16
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.100.11.254
      Route metric is 0, traffic share count is 1

Re: 2 ISPs, NAT and PBR

oops, sorry for this

could you try initiating traffic from 10.100.12.161 and show the output of "sh ip nat tr | i 10.100.12.161"

New Member

Re: 2 ISPs, NAT and PBR

#sh ip nat trans
Pro  Inside global      Inside local        Outside local       Outside global
icmp x.x.x.x:512        10.100.12.161:512   213.73.255.52:512   213.73.255.52:512
tcp  x.x.x.x:80         10.100.12.161:80    ---                 ---

As far as I can see, the NAT is correctly set on the interface I want it to go out of, and not appearing on the default interface.

Re: 2 ISPs, NAT and PBR

try to disable RPF

interface FastEthernet0/1
 no ip verify unicast reverse-path

New Member

Re: 2 ISPs, NAT and PBR

That did it! Thanks a lot, shame on me, for not looking deep enough.
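For reference, here is a complete sketch of the setup this thread converges on (two ISPs, per-ISP NAT route-maps, PBR for one host), added as an example rather than taken from Serge's posted configuration or from Cisco. The interface roles, public addresses and the inside interface address are assumptions; ISP1 on Fa0/0 carries the default route and ISP2 on Fa0/1 is reached only via PBR. Instead of removing uRPF on the ISP2 link as the thread does, it keeps the check in loose mode so that source-address validation survives the asymmetric routing.

```cisco
! Added example, not the thread's config. Addresses and interface roles are
! assumptions; ISP1 (Fa0/0) has the default route, ISP2 (Fa0/1) is PBR only.
interface FastEthernet0/0
 description ISP1 - default route
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP2 - PBR only
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ! Strict uRPF (ip verify unicast reverse-path) drops replies arriving here:
 ! the FIB's best path back to Internet sources is Fa0/0, not this interface.
 ! Loose mode still drops sources with no route (or a Null0 route) while
 ! tolerating the asymmetry; allow-default is required, otherwise the default
 ! route is ignored by the check and the same drops reappear.
 ip verify unicast source reachable-via any allow-default
!
interface FastEthernet1/0
 description inside LAN (10.100.0.0/16 sits behind 10.100.11.254)
 ip address 10.100.11.253 255.255.255.0
 ip nat inside
 ip policy route-map RM-PBR
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.100.0.0 255.255.0.0 10.100.11.254
!
! PBR: only the one host is steered to ISP2; everything else follows the RIB.
ip access-list extended ACL-PBR-isp2
 permit ip host 10.100.12.161 any
route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop 203.0.113.1
!
! NAT: one translation per ISP, selected by the egress interface so the
! translated address always matches the link the packet actually leaves on.
ip access-list extended ACL-NAT-isp2
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip host 10.100.12.161 any
ip access-list extended ACL-NAT-isp1
 deny   ip host 10.100.12.161 any
 permit ip 10.100.0.0 0.0.255.255 any
route-map RM-NAT-isp1 permit 10
 match ip address ACL-NAT-isp1
 match interface FastEthernet0/0
route-map RM-NAT-isp2 permit 10
 match ip address ACL-NAT-isp2
 match interface FastEthernet0/1
ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload
ip nat inside source route-map RM-NAT-isp2 interface FastEthernet0/1 overload
```

The deny for 10.0.0.0/8 in ACL-NAT-isp2 keeps the VPN traffic mentioned earlier in the thread out of translation; a host that needs both PBR and NAT must appear in ACL-PBR-isp2 and ACL-NAT-isp2 and be excluded from ACL-NAT-isp1.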
