ASR1002: dynamic PAT + route-map - bug or feature?

Good day to all!

I have faced a problem when I tried to use route-maps and dynamic PAT (overload) on the ASR1002 series.

At the moment there are:

2x ASR 1002

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)

IOS XE Version: 03.09.01.S

System image file is "bootflash:/asr1000rp1-adventerprisek9.03.09.01.S.153-2.S1.bin"

There is one ISP at the moment.

The ASRs act as a border gateway between the internal network and the internet.

The inside interfaces of both ASRs run HSRP.

On ASRs there are already:

- dynamic PAT (internet for internal users)

- static NAT (one server that should be accessed from outside)

- ZBFW

- RA VPN

There is NO BGP, no PI address space and no AS.

The task is rather simple: to connect the second ISP for redundancy (the best would be to use both ISPs at the same time, but due to the bug (or feature) that I will describe this is impossible).

Interfaces on ASR:

Po1.101 - internal network (192.168.0.0/16 and 10.0.0.0/8). 10.255.255.0/24 - RA-VPN pool; 10.10.10.2 - host that should have a static NAT.

Po2.2 - ISP1 (1.1.1.0/27, GW: 1.1.1.30)

Po2.3 - ISP2 (2.2.2.0/29, GW: 2.2.2.6)

Config:

...
!
interface Port-channel1.101
 description INSIDE
 encapsulation dot1Q 101
 ip address 10.0.0.2 255.255.255.248
 no ip redirects
 ip nat inside
 zone-member security INSIDE
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name INSIDE
 standby 1 track 1 decrement 30
 standby 1 track 2 decrement 20
 standby 1 track 3 decrement 20
 standby 1 track 4 decrement 40
 standby 1 track 5 decrement 30
!
...
!
interface Port-channel2.2
 description ISP1
 encapsulation dot1Q 2
 ip address 1.1.1.1 255.255.255.224
 no ip redirects
 ip nat outside
 zone-member security OUTSIDE
 crypto map MYMAP
!
interface Port-channel2.3
 description ISP2
 encapsulation dot1Q 3
 ip address 2.2.2.2 255.255.255.248
 no ip redirects
 ip nat outside
 zone-member security OUTSIDE
 crypto map MYMAP
!
...
!
ip route 0.0.0.0 0.0.0.0 1.1.1.30 track 2
ip route 10.255.255.0 255.255.255.0 Port-channel2.2 track 2
ip route 0.0.0.0 0.0.0.0 2.2.2.6 250
ip route 10.0.0.0 255.0.0.0 10.0.0.6
ip route 10.255.255.0 255.255.255.0 Port-channel2.3 250
ip route 192.168.0.0 255.255.0.0 10.0.0.6
!
...
!
route-map ISP1 permit 10
 description ISP1
 match ip address NAT
 match interface Port-channel2.2
!
route-map ISP2 permit 10
 description ISP2
 match ip address NAT
 match interface Port-channel2.3
!
route-map EXT_via_ISP1 permit 10
 match ip address EXT_ROUTE_MAP
 match interface Port-channel2.2
!
route-map EXT_via_ISP2 permit 10
 match ip address EXT_ROUTE_MAP
 match interface Port-channel2.3
!
...
!
ip access-list extended NAT
 deny   ip host 10.10.10.2 any
 deny   ip 192.168.0.0 0.0.255.255 10.255.255.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 10.255.255.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.255.255.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
!
ip access-list extended EXT_ROUTE_MAP
 permit ip host 10.10.10.2 any
!
ip nat inside source route-map ISP2 interface Port-channel2.3 overload
ip nat inside source route-map ISP1 interface Port-channel2.2 overload
ip nat inside source static 10.10.10.2 1.1.1.2 route-map EXT_via_ISP1 redundancy INSIDE
ip nat inside source static 10.10.10.2 2.2.2.3 route-map EXT_via_ISP2 redundancy INSIDE

The problem is connected with this command:

"ip nat inside source route-map ISP1 interface Port-channel2.2 overload"

After this command has been entered, the behaviour of NAT becomes very strange.

There are no dynamic translations in the NAT table EXCEPT icmp...

Inside users can ping everything on the internet, but they cannot access any external resource...

After replacing this command with

"ip nat inside source list NAT interface Port-channel2.2 overload"

and clearing the translations, everything begins to work (dynamic translations appear in the NAT table).

There is no syslog message at all...

Host 10.10.10.2 is available from the internet with address 1.1.1.2 regardless of the dynamic NAT configuration (with and without route-map)...

Is there something that I forgot, or is this a limitation?

Or is this a bug?

In my scenario there is no way to use 2 ISPs (with a backup scheme, and even more so when we want to use them at the same time) without route-maps...

Thanks for any help in advance.
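To make the intended rule selection explicit, here is an added example (not from the post or from Cisco) that models how the ACL NAT, the static routes with their tracked object, and the route-maps ISP1/ISP2 are expected to pick a translation address for a given flow. It is a simplified model: routes are mapped straight to an egress interface (1.1.1.30 is behind Po2.2, 2.2.2.6 behind Po2.3), only the routes relevant to the two route-maps are included, and it says nothing about why the device itself misbehaved.

```python
"""Constructed model of Cisco wildcard ACL + route-map NAT selection (example, not device code)."""
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask semantics: bits that are 0 in the mask must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

# Access list "NAT" from the post as (action, src, src_wildcard, dst, dst_wildcard).
ANY = ("0.0.0.0", "255.255.255.255")          # "any" = match every address
NAT_ACL = [
    ("deny",   "10.10.10.2",  "0.0.0.0",     *ANY),   # static-NAT host, skip dynamic PAT
    ("deny",   "192.168.0.0", "0.0.255.255", "10.255.255.0", "0.0.0.255"),  # traffic to RA-VPN pool
    ("deny",   "10.0.1.0",    "0.0.0.255",   "10.255.255.0", "0.0.0.255"),
    ("deny",   "10.10.10.0",  "0.0.0.255",   "10.255.255.0", "0.0.0.255"),
    ("deny",   "10.1.0.0",    "0.0.0.255",   "10.255.255.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.255.255", *ANY),
    ("permit", "10.0.0.0",    "0.255.255.255", *ANY),
]

def acl_action(acl, src, dst):
    """First matching entry wins; an access list ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wc_match(src, s, s_wc) and wc_match(dst, d, d_wc):
            return action
    return "deny"

# Static routes relevant to the route-maps: (prefix, egress interface, admin distance, tracked object).
ROUTES = [
    ("0.0.0.0/0",        "Port-channel2.2", 1,   2),     # via 1.1.1.30 track 2
    ("0.0.0.0/0",        "Port-channel2.3", 250, None),  # via 2.2.2.6, floating backup
    ("10.255.255.0/24",  "Port-channel2.2", 1,   2),
    ("10.255.255.0/24",  "Port-channel2.3", 250, None),
]

def egress_interface(dst, tracks_up):
    """Longest prefix wins; among equal prefixes the lowest AD whose track object is up."""
    cands = [(ipaddress.ip_network(p), intf, ad) for p, intf, ad, trk in ROUTES
             if (trk is None or trk in tracks_up) and ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(cands, key=lambda c: (c[0].prefixlen, -c[2]))[1] if cands else None

# route-map ISP1 / ISP2: "match ip address NAT" plus "match interface"; overload to that interface's address.
ROUTE_MAPS = {"Port-channel2.2": "1.1.1.1", "Port-channel2.3": "2.2.2.2"}

def nat_source(src, dst, tracks_up=frozenset({2})):
    """Translated source address for the flow, or None when no dynamic PAT rule applies."""
    intf = egress_interface(dst, tracks_up)
    if intf in ROUTE_MAPS and acl_action(NAT_ACL, src, dst) == "permit":
        return ROUTE_MAPS[intf]
    return None
```

With track 2 up, an inside host reaching the internet is expected to leave via Po2.2 as 1.1.1.1; with track 2 down the floating route moves the same flow to Po2.3 and the ISP2 route-map, while traffic to the RA-VPN pool and from the static-NAT host is never PATed.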
