Dual ISP: Nat Problem

jcartier
Level 1

Greetings,

I'm trying to achieve a failover scenario using a multi-homed connection to the same ISP. The problem I'm having is that the NAT translations are not clearing after the primary link fails and then comes back online. When the primary link recovers I'm still seeing traffic going over the backup link. Any suggestions or comments?

ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
username admin privilege 15 secret xxx
!
track 1 rtr 1 reachability
!
interface FastEthernet0/0
 description ISP 2 - Backup Connection
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ISP 1 - Primary Connection
 ip address 192.168.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface FastEthernet0/3/4
!
interface FastEthernet0/3/5
!
interface FastEthernet0/3/6
!
interface FastEthernet0/3/7
!
interface FastEthernet0/3/8
 description LAN
 spanning-tree portfast
!
interface Vlan1
 description LAN Subnet
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 5
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary-nat interface FastEthernet0/0 overload
ip nat inside source route-map backup-nat2 interface FastEthernet0/1 overload
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map backup-nat2 permit 10
 match ip address nat
 set interface FastEthernet0/1
!
route-map primary-nat permit 10
 match ip address nat
 set interface FastEthernet0/0

40 Replies

Let me first start off by thanking both of you for your posts/comments :)

I tried some testing today using 'ip verify-reachability' and I still had the same problem. I'm going back into work tomorrow to test this scenario again.

I will re-test using 'ip verify-reachability' again (+ updated code) and Mohammed's suggestion of having the second route tracked rather than using it as a floating static route.

Hi,

You are very welcome :) Please try changing the route-maps as follows:

!
route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0
!
route-map backup-nat2 permit 10
 match ip address nat
 match interface FastEthernet0/1
!

BR,

Mohammed Mahmoud.

I got a config that works. The only caveat is that you need the T train for OER support in the 'ip nat inside source' command.

You will also need to play around with 'ip nat translation timeout'.

_______________________

ip sla 1
 icmp-echo 192.168.1.2
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Ethernet2/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.2 5
!
ip nat inside source route-map backup-nat interface Ethernet2/0 overload oer
ip nat inside source route-map primary-nat interface Ethernet1/0 overload oer
!
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability 192.168.1.2 1 track 1
!
route-map backup-nat permit 10
 match ip address nat
 set ip next-hop 192.168.2.2

____________________

Verification:

First going over the primary ISP:

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    7 changes, last change 00:00:10
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:15    192.168.0.2:15     10.10.10.2:15      10.10.10.2:15

Now going over the backup ISP:

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
    8 changes, last change 00:00:00
  Latest operation return code: Timeout
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.2.1:16    192.168.0.2:16     10.10.10.2:16      10.10.10.2:16

Hi,

Kindly find the result of my approach attached.

When the primary route is in the routing table:

Sep 8 23:57:17.703: NAT: map match primary

When the primary route is removed from the routing table (tracked via sla) and the backup route is inserted:

Sep 9 00:13:43.363: NAT: map match backup

One thing is for sure: you need to play with the following to improve the downtime (plus you must also play with the frequency and timeout of the SLA):

ip sla monitor 1
 type echo protocol ipIcmpEcho 155.1.146.2
 timeout 1000        (default 5000 msec)
 frequency 3         (default 60 sec)
ip sla monitor schedule 1 start-time now life forever
!
track 1 rtr 1 reachability
!
ip nat translation timeout 2         (default 60 sec)
ip nat translation tcp-timeout 2     (default 60 sec)
ip nat translation udp-timeout 2     (default 60 sec)
ip nat translation icmp-timeout 2    (default 60 sec)

HTH,

Mohammed Mahmoud.
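Both working configs above (Edison's, with the 2-second translation timeouts, and Mohammed's tuning list) rely on the same mechanism: the route-map only decides which ISP address a flow gets when its translation is first created, and an existing entry is reused until it has been idle for the translation timeout. The simulation below is an added example, not code from the thread or from IOS; it models that behaviour with the inside-global addresses from Edison's lab (192.168.1.1 primary, 192.168.2.1 backup), an idle-timer NAT table, and a track that flaps, to show why a 60-second default leaves a flow pinned to the backup after the primary recovers while a 2-second timeout does not. The flow tuple, event timings and the idle-refresh rule are assumptions of the model.

```python
"""Model of NAT translation lifetime versus tracked-route failover.

Constructed simulation (not IOS code): the route-map picks the inside-global
address from the current track state only when a new translation is created,
and an entry lives until it has been idle for 'ip nat translation timeout'.
"""
from dataclasses import dataclass, field

# Inside-global addresses from Edison's lab: Ethernet1/0 = primary, Ethernet2/0 = backup.
PRIMARY_GLOBAL = "192.168.1.1"
BACKUP_GLOBAL = "192.168.2.1"


@dataclass
class NatEntry:
    inside_global: str
    last_used: float


@dataclass
class NatRouter:
    translation_timeout: float                 # 'ip nat translation timeout <sec>' (idle timer)
    track_up: bool = True                      # state of 'track 1 rtr 1 reachability'
    table: dict = field(default_factory=dict)  # (proto, inside_local, id) -> NatEntry

    def select_global(self) -> str:
        # route-map primary-nat: 'set ip next-hop verify-availability ... track 1';
        # with the track down the packet falls through to route-map backup-nat.
        return PRIMARY_GLOBAL if self.track_up else BACKUP_GLOBAL

    def expire(self, now: float) -> None:
        # Assumption of the model: entries age by idle time and each packet refreshes them.
        stale = [k for k, e in self.table.items()
                 if now - e.last_used >= self.translation_timeout]
        for k in stale:
            del self.table[k]

    def translate(self, flow: tuple, now: float) -> str:
        """Inside-global address used for one packet of `flow` at time `now`."""
        self.expire(now)
        entry = self.table.get(flow)
        if entry is None:
            entry = NatEntry(self.select_global(), now)   # route-map consulted here only
            self.table[flow] = entry
        entry.last_used = now
        return entry.inside_global


def simulate(translation_timeout: float, events: list) -> list:
    """events: (time, 'track', bool) or (time, 'pkt', flow). Returns [(time, inside_global)]."""
    router = NatRouter(translation_timeout)
    used = []
    for t, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "track":
            router.track_up = value
        else:
            used.append((t, router.translate(value, t)))
    return used


FLOW = ("icmp", "192.168.0.2", 16)   # inside host and ICMP id from the post's show output


def address_after_failback(translation_timeout: float) -> str:
    """Bursty flow: primary up, primary down, primary back. Address of the first burst after recovery."""
    events = [(0, "track", True)]
    events += [(t, "pkt", FLOW) for t in range(0, 10, 2)]      # burst while primary is up
    events += [(20, "track", False)]                           # SLA declares primary down
    events += [(t, "pkt", FLOW) for t in range(80, 90, 2)]     # burst while on backup
    events += [(100, "track", True)]                           # primary recovers
    events += [(t, "pkt", FLOW) for t in range(110, 120, 2)]   # burst 22 s after last backup packet
    return simulate(translation_timeout, events)[-1][1]


def address_for_busy_flow(translation_timeout: float) -> str:
    """Same recovery, but the flow never goes idle (one packet per second)."""
    events = [(0, "track", False)]
    events += [(t, "pkt", FLOW) for t in range(0, 41)]
    events += [(20, "track", True)]
    return simulate(translation_timeout, events)[-1][1]


if __name__ == "__main__":
    print("timeout 60:", address_after_failback(60))   # stays on backup address
    print("timeout 2: ", address_after_failback(2))    # back on primary address
    print("busy flow, timeout 2:", address_for_busy_flow(2))   # still backup: never idle
```

The third case is the caveat to keep in mind with these timeouts: because the timer is an idle timer, a session that never pauses for longer than the timeout stays on the backup address after the primary returns, whatever value you configure; only new translations get the primary.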

Hi,

Another test result, making sure that the default route is the route used in both cases:

NOTE: In this test, since I am pinging a bogus IP 10.10.10.1 (to make sure that it will use the default route) which gives a timeout, in order for me to be able to print the show ip nat translations output and the expiring entry for illustration, I defaulted the NAT timeout to 60 seconds.

Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:39:18.823: NAT: map match primary
Sep 9 00:39:18.823: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.146.1: wanted 74 got 74
Sep 9 00:39:18.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1068]
Sep 9 00:39:18.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1068].
Sep 9 00:39:20.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1070]
Sep 9 00:39:20.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1070].
Sep 9 00:39:22.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1071]
Sep 9 00:39:22.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1071].
Sep 9 00:39:24.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1073]
Sep 9 00:39:24.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1073].
Sep 9 00:39:26.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1075]
Sep 9 00:39:26.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1075].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 155.1.146.1:74    155.1.0.1:74       10.10.10.1:74      10.10.10.1:74
Rack1R1#
Sep 9 00:40:27.127: NAT: expiring 155.1.146.1 (155.1.0.1) icmp 74 (74)
Rack1R1#

After the primary route fails:

Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:41:01.399: NAT: map match backup
Sep 9 00:41:01.399: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.147.1: wanted 75 got 75
Sep 9 00:41:01.399: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1107]
Sep 9 00:41:01.399: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1107].
Sep 9 00:41:03.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1109]
Sep 9 00:41:03.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1109].
Sep 9 00:41:05.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1111]
Sep 9 00:41:05.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1111].
Sep 9 00:41:07.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1112]
Sep 9 00:41:07.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1112].
Sep 9 00:41:09.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1114]
Sep 9 00:41:09.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1114].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 155.1.147.1:75    155.1.0.1:75       10.10.10.1:75      10.10.10.1:75
Rack1R1#
Sep 9 00:42:09.543: NAT: expiring 155.1.147.1 (155.1.0.1) icmp 75 (75)

HTH,

Mohammed Mahmoud.

Mohammed,

I noticed your testing and I thank you very much for all your assistance... you too, Edison :). After the primary route fails and the backup takes over, everything works fine... I didn't see anything in your tests that shows what happens when the primary route is restored?

Because the backup route was the last route to be active will the traffic still be sent out the backup route since NAT translations have already been established?

Jeff,

Here is the debug from ip nat based on my config (please note the timestamps showing how quickly it recovers):

R2#
*Sep 9 21:15:31.703: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [1]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [1]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [2]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [2]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [3]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [3]
*Sep 9 21:15:31.707: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [4]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [4]
R2#
*Sep 9 21:15:34.039: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 0 (0)

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:06:49
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
    2 changes, last change 00:00:26
  Latest operation return code: Timeout
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#
*Sep 9 21:18:00.899: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [10]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [10]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [11]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [11]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [12]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [12]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [13]
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [13]
*Sep 9 21:18:00.907: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [14]
R2#
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [14]
R2#
*Sep 9 21:18:03.343: NAT: expiring 192.168.2.1 (192.168.0.2) icmp 2 (2)
R2#

R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0

R2#
*Sep 9 21:18:50.519: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [20]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [20]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [21]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [21]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [22]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [22]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [23]
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [23]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [24]
R2#
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [24]
R2#
*Sep 9 21:18:52.579: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 4 (4)
R2#
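Jeff's question above (will traffic stay on the backup because translations already exist?) is answered in the debug by eye: the inside-global address flips back to 192.168.1.1 once the track is Up and the old entry has expired. On a production box you want that check automated after every failover. The script below is an added example, not part of the thread or of any Cisco tooling: it parses captured 'show track' and 'show ip nat translations' output, works out which inside-global address the track state says should be in use (192.168.1.1 when the track is Up, 192.168.2.1 when Down, the addresses from Edison's lab), and lists translations still bound to the other ISP. The sample outputs are constructed to resemble the thread's, with one stale entry added on purpose.

```python
"""Flag NAT translations still bound to the wrong ISP after a track change.

Added example, not thread or Cisco code. Feed it the text of 'show track' and
'show ip nat translations' (captured over SSH, a syslog hook, whatever you have).
"""
import re

# Inside-global addresses from Edison's lab; adjust to your own outside interfaces.
PRIMARY_GLOBAL = "192.168.1.1"
BACKUP_GLOBAL = "192.168.2.1"

# Constructed sample output: the track says the primary is back, but the table
# still holds an ICMP entry created while the backup was active.
SHOW_TRACK = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
  Latest operation return code: OK
"""

SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.2.1:16    192.168.0.2:16     10.10.10.2:16      10.10.10.2:16
tcp  192.168.1.1:1025  192.168.0.2:1025   10.10.10.2:80      10.10.10.2:80
"""


def track_reachability(output: str) -> bool:
    """True when 'show track' reports Reachability is Up."""
    m = re.search(r"Reachability is (Up|Down)", output)
    if m is None:
        raise ValueError("no 'Reachability is ...' line in show track output")
    return m.group(1) == "Up"


def split_addr(token: str) -> tuple:
    """'192.168.2.1:16' -> ('192.168.2.1', '16'); static entries without a port keep ''."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, port
    return token, ""


def parse_nat_translations(output: str) -> list:
    """One dict per data row of 'show ip nat translations'; header and blank lines skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": split_addr(ig)[0],
            "inside_global_port": split_addr(ig)[1],
            "inside_local": il,
            "outside_local": ol,
            "outside_global": og,
        })
    return rows


def expected_global(track_output: str) -> str:
    """Address the route-map would assign to a new translation right now."""
    return PRIMARY_GLOBAL if track_reachability(track_output) else BACKUP_GLOBAL


def stale_translations(track_output: str, nat_output: str) -> list:
    """Translations whose inside-global address does not match the current track state."""
    want = expected_global(track_output)
    return [r for r in parse_nat_translations(nat_output) if r["inside_global"] != want]


if __name__ == "__main__":
    for r in stale_translations(SHOW_TRACK, SHOW_NAT):
        print(f"stale: {r['proto']} {r['inside_local']} -> {r['inside_global']}"
              f":{r['inside_global_port']} (expected {expected_global(SHOW_TRACK)})")
```

Run it a few seconds after 'show track' changes state; anything it lists is a flow that will keep leaving via the old link until it goes idle for the translation timeout, which is exactly the condition the original post describes.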

Hi,

Just adding some queries. I believe that you're using dynamic translation. But what happens if you're using a static NAT entry? Would it still fail over based on the route-maps?

The problem with static NAT is that you don't have the overload option, which is needed for the OER.

I have static NAT as the redundancy operation, but I will have to lab it up.

I won't have time until later next week.

I have this scenario, but this time with 3 ISPs, each with its own router. Those 3 routers are connected to another router (to handle the NAT translation). The NAT router is connected to a layer 2 switch. Here is the scenario: the NAT router is a 7204 router with 4 Ethernet interfaces: 1. Digitel, 2. FiberCity, 3. IPLC, 4. Layer 2 switch. I have created 3 static routes on the NAT router and 4 subinterfaces to support multiple public IP and private IP addresses.

Objectives:

1. NAT failover

Questions:

1. Are my static routes on the NAT router correct? I have used private IP addresses between the 4 routers. This is my lab work, and all of these are for test purposes only. For example, my server IP address is 202.118.140.68; can it still be routed to the internet? I'm getting confused here.

2. This configuration is not yet tested because I lack equipment, so I am using only a network simulator. Anyway, on the NAT part I will try to use your suggestions.

3. Are there any conflicts in my configuration?

See attachments for my network topology and the configurations on my router.

Thanks in advance

FYI... attachments continuation...

The problem you may be facing:

If ISP '1' goes down and you configure some kind of redundancy for static NAT, then the inside device will route over to ISP '2'.

However, you need to know what kind of services this inside device is providing. External sources need to point to the new external IP. How are you planning to accomplish this?

That's the reason it's much easier with dynamic NAT. External devices don't need to know how to reach your internal network.

On the static NAT we're using different kinds of servers, like Call Center Application, SIP Proxy, PBX Proxy, FTP, DB and so on.

I think it's better to prepare each static NAT translation for backup, just in case one of the ISPs goes down.

Right now my concerns are: will my dynamic NAT work with this configuration? And if I use static public IP addresses, can they still be routed to the internet properly without conflicts with my static route entries?

I can't give you a definite answer until I have a chance to lab it up.

I also suggest you start putting a config together for sharing and we can start from there as a template.

Interesting. Edison, would you explain the OER part for someone like me who has already read too much Cisco documentation?
