2 ISPs, NAT and PBR

sergeivanoff
Level 1

Hello All,

I seem to have hit the wall with something that should be pretty straightforward. We have 1 router and 2 ISPs connected to it.

I have configured PBR on the internal interface to forward some traffic to the 2nd ISP and, according to the route-maps, the traffic gets policied.

But I'm unable to go anywhere beyond the gateways. If I put a default gateway in place, traffic goes OK for the ISP where the default gateway is set (and the 2nd ISP doesn't go anywhere).

Am I missing something?

Thx, Serge.

16 Replies

a.alekseev
Level 7

try to use "set ip next-hop" instead of "set ip default next-hop"

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP2)

Thanks for the quick reply. I tried set ip next-hop as well but it didn't make any difference. There's a typo in the config as well, sorry about that. The correct part is:

route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop (default gateway of ISP2)
route-map RM-PBR permit 20
 set ip next-hop (default gateway of ISP1)

ip access-list extended ACL-NAT-isp2
 permit ip host 10.100.12.161 any

ip access-list extended ACL-NAT-ips1
 deny ip host 10.100.12.161 any
 permit ip any any

Looks like my cut'n'paste skills aren't the best today. I missed the internal LAN in NAT in the original configuration. I'm not sure if permit ip any any would work with NAT, so here's the correct ACL. The reason for denying private IPs at the beginning: we do have a VPN going over isp2, so we don't need to NAT that traffic.

ip access-list extended ACL-NAT-ips1
 remark Do not NAT towards Private IP
 deny ip any 127.0.0.0 0.255.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Deny single hosts
 deny ip host 10.100.12.161 any
 permit ip 10.100.0.0 0.0.255.255 any

Thx, Serge.

So if I understand it correctly, PBR happens before NAT. Then how is this supposed to look?

Do I need to utilize a default gateway somewhere? Without NAT, PBR works like a charm, but with NAT it doesn't.

Thx, Serge.

I think it should be

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload

but in your config you have

ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/1 overload

Yes, sorry about that. I noticed that as well in the config, but didn't update the posted one.

Still, it doesn't work. I removed all the extra NATs, etc. I just want to PBR 1 host, and it's not going anywhere beyond the default gateway.

:))

show the actual configuration.

Here we go. The configuration only for 1 host to go over isp2.

I do not see any route for 10.100.12.161

sh ip route 10.100.12.161

#sh ip route 10.100.12.161
Routing entry for 10.100.0.0/16
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.100.11.254
      Route metric is 0, traffic share count is 1

oops, sorry for this

could you try to initiate traffic from 10.100.12.161 and show the output of "sh ip nat tr | i 10.100.12.161"

#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp x.x.x.x:512       10.100.12.161:512  213.73.255.52:512  213.73.255.52:512
tcp x.x.x.x:80         10.100.12.161:80   ---                ---

As far as I can see, the NAT is correctly set on the interface I want it to go out of, and it is not appearing on the default interface.
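Because the thread never reaches a complete working configuration, here is an added example (my own, not from any poster) of the usual IOS pattern for this setup: PBR chooses the egress interface for the one host, and each NAT statement's route-map matches that egress interface, so the translation follows whichever path the packet actually takes. Interface roles follow a.alekseev's reply (Fa0/0 = ISP1, Fa0/1 = ISP2); the LAN interface Fa1/0, the addresses, and the ACL-NAT-inside name are assumptions.

```cisco
! Added example, not from the thread. Fa0/0 = ISP1, Fa0/1 = ISP2 (per
! a.alekseev); LAN interface, addresses and ACL-NAT-inside are assumed.
interface FastEthernet0/0
 description ISP1 uplink (carries the default route)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP2 uplink (PBR target)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1/0
 description Internal LAN
 ip address 10.100.11.1 255.255.255.0
 ip nat inside
 ip policy route-map RM-PBR
!
! Only 10.100.12.161 is steered to ISP2; everything else follows the
! default route, so RM-PBR needs no catch-all clause.
ip access-list extended ACL-PBR-isp2
 permit ip host 10.100.12.161 any
!
route-map RM-PBR permit 10
 match ip address ACL-PBR-isp2
 set ip next-hop 203.0.113.1
!
! One NAT ACL for inside sources; private destinations (the VPN) stay
! untranslated, as in Serge's ACL.
ip access-list extended ACL-NAT-inside
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.255.255 any
!
! The NAT route-maps key on the egress interface, so a packet is always
! translated to the address of the interface it really leaves on,
! whether PBR or the routing table picked that interface.
route-map RM-NAT-isp1 permit 10
 match ip address ACL-NAT-inside
 match interface FastEthernet0/0
route-map RM-NAT-isp2 permit 10
 match ip address ACL-NAT-inside
 match interface FastEthernet0/1
!
ip nat inside source route-map RM-NAT-isp1 interface FastEthernet0/0 overload
ip nat inside source route-map RM-NAT-isp2 interface FastEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.100.0.0 255.255.0.0 10.100.11.254
```

To check it, "show route-map RM-PBR" should show the match counter climbing for traffic from the host, and "show ip nat translations" should list that host with the Fa0/1 address as its Inside global while every other inside host shows the Fa0/0 address.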
