
New Member

Dual ISP: Nat Problem

Greetings,

I'm trying to achieve a failover scenario using a multi-homed connection to the same ISP. The problem I'm having is that the NAT translations are not clearing after the primary link fails...then comes back online. When the primary link recovers, I'm still seeing traffic going over the back-up link. Any suggestions or comments?

ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
username admin privilege 15 secret xxx
!
track 1 rtr 1 reachability
!
interface FastEthernet0/0
 desc ISP 2 - Backup Connection
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 desc ISP 1 - Primary Connection
 ip address 192.168.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface FastEthernet0/3/4
!
interface FastEthernet0/3/5
!
interface FastEthernet0/3/6
!
interface FastEthernet0/3/7
!
interface FastEthernet0/3/8
 description LAN
 spanning-tree portfast
!
interface Vlan1
 desc LAN Subnet
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 5
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary-nat interface FastEthernet0/0 overload
!
ip nat inside source route-map backup-nat2 interface FastEthernet0/1 overload
!
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
!
route-map backup-nat2 permit 10
 match ip address nat
 set interface FastEthernet0/1
!
route-map primary-nat permit 10
 match ip address nat
 set interface FastEthernet0/0

Accepted Solutions
Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

I got a config that works. The only caveat is that you need the T train for oer support in the ip nat translation.

You will also need to play around with the 'ip nat translation time-out'

_______________________

ip sla 1
 icmp-echo 192.168.1.2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
interface Ethernet2/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.2 5
ip nat inside source route-map backup-nat interface Ethernet2/0 overload oer
ip nat inside source route-map primary-nat interface Ethernet1/0 overload oer
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability 192.168.1.2 1 track 1
!
route-map backup-nat permit 10
 match ip address nat
 set ip next-hop 192.168.2.2

____________________

Verification:

First going over the primary ISP

R2#show trac
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    7 changes, last change 00:00:10
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0
R2#show ip nat tr
Pro  Inside global    Inside local    Outside local   Outside global
icmp 192.168.1.1:15   192.168.0.2:15  10.10.10.2:15   10.10.10.2:15

Now going over the backup ISP

R2#show trac
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
    8 changes, last change 00:00:00
  Latest operation return code: Timeout
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0
R2#show ip nat tr
Pro  Inside global    Inside local    Outside local   Outside global
icmp 192.168.2.1:16   192.168.0.2:16  10.10.10.2:16   10.10.10.2:16

40 REPLIES
Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

I'm afraid the router is doing what it is told.

Let's see the logic:

a) A packet comes into Vlan1 and sees the ip nat inside command.

b) The router goes to the ip nat inside and sees two entries, one for F0/0 and one for F0/1, each associated to a route-map.

c) Both route-maps are valid so it round-robins the selection; some addresses will be NAT'd using route-map backup-nat2 and some addresses will use primary-nat. The route-maps are both matching the same source-destination based on the extended ACL 'nat'.

_____

The only way to make this work is to /somehow/ make the backup-nat2 route-map 'invalid' while the primary interface is up but at the moment, I don't have a suggestion.

New Member

Re: Dual ISP: Nat Problem

So no idea how I could make this scenario work? I know what you're saying, but I don't foresee a solution. Anyone?

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

I found something but I don't have the gear to lab it up so please test it in your lab before implementing.

Modify your route-maps with

route-map backup-nat2 permit 10
 match ip address nat
 set ip next-hop verify-availability [Backup-ISP IP] track
!
route-map primary-nat permit 10
 match ip address nat
 set ip next-hop verify-availability [Primary-ISP IP] track

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtpbrtrk.htm#wp1057830

HTH,

New Member

Re: Dual ISP: Nat Problem

Thanks EdisonOrtiz. I will try this tomorrow and let you know how it works out.

Re: Dual ISP: Nat Problem

Hi Edison,

Actually, I disagree with you a little bit on the logic that this NAT configuration will do. When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information. As long as the primary link is up, only the first NAT statement is used (since the backup one is using a floating static route, and the 2 route-maps are matching on the outgoing interfaces). When the primary link fails, the primary route is withdrawn from the routing table, the floating static route is inserted into the routing table, and the second NAT statement will be used according to the route-map (matching the outgoing second interface). The point here is that when the primary interface comes up again, the secondary route (floating static) should be removed and the router should use the first NAT statement once again. Can we discuss this logic, and afterwards we can see why it isn't working as it should be?

BR,

Mohammed Mahmoud.

New Member

Re: Dual ISP: Nat Problem

I've noticed that the order/placement of the 'nat statements' does make a difference in the configuration. I'll be trying some changes to the configuration this morning and will re-post my findings.

I've heard trying to configure a router for this type of scenario has been a problem in every help/forum website I've encountered.

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

Mohammed,

Jeff is using a route-map with a set statement. NAT will never examine the routing table to determine how the packet is going to exit the router. If the route-map is valid, the packet will be translated and its egress interface will be the one within the corresponding route-map.

Your explanation is quite correct when using nat source list or route-map without a set command.

I wonder that if Jeff removes the set command within the route-map, would NAT perform its logic based on the current routing table ?

My suggestion will also work, because the route-map will become invalid once a predefined track is entered along with the set ip next hop command.

One thing I forgot to mention, we need to take into account the NAT timeout. If a src/dst was translated while 'ISP Backup' was up, this traffic will remain until the whole conversation is broken due to NAT timeout.

Re: Dual ISP: Nat Problem

Hi Edison,

You are correct about that, sorry I missed that it is a set and not a match. But don't you think that it would work out if he used a match interface in the route-map instead of the set? In this way the router will examine the routing table and take its decision based upon the valid route.

Mentioning the NAT timeout, when I read this thread at the start, this is what I thought was the problem. Don't you think that we need to manipulate it in this scenario?

Always nice having discussions with you Edison.

BR,

Mohammed Mahmoud.

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

Mohammed,

He has a match against an ACL which is working as intended. The router will use the routing table if the set is missing or invalid, for instance if the interface specified in the set is down.

The NAT timeout definitely plays a part in this problem and I should've asked about the output from the NAT translation table.

Another question is, is the router selecting the backup-nat after the primary ISP has been up for a long time? If that's the case, the route-map is being round-robin'd.

Your contribution to this thread is appreciated and I hope your CCIE studies are going well.

Re: Dual ISP: Nat Problem

Edison,

Thank you very much, my studies are going well, but I am starting to lose the little me inside, to be replaced with commands and router tricks for the exam, you understand how it goes :)

Back to the original poster, what I meant is that he can use 2 matches in his route-map to match both the ACL and the appropriate outgoing interface:

!
route-map backup-nat2 permit 10
 match ip address nat
 match interface FastEthernet0/1
!
route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0

In this way, according to the available route in the routing table, the appropriate NAT will be used (according to the outgoing interface), and as for the NAT timeout issue, we can reduce the timers to enhance it. What do you think about this?

BR,

Mohammed Mahmoud.

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

That would work if the actual interface goes down. As this connection is Ethernet based, the router only knows the connection is down when it is unable to send packets to the next hop.

For the match interface to make the route-map 'invalid' the interface must be 'hard-down'.

That's the reason Jeff is implementing tracking via reachability, because the interfaces remain up/up even when the ISP is down.

You also have to be careful on a match being referenced by an ip nat within a route-map as this will be used on the translation.

__________

As for your CCIE studies, don't focus too much on router tricks. That's great to learn those tricks from workbooks but you won't be tested on that. You will be tested on routing/switching fundamentals, not how to ICMP request from a loopback interface :)

Re: Dual ISP: Nat Problem

Edison,

Yes, I think that we are converging right now :). Why doesn't he use SLA to track both routes, and use the 2 matches as I've said? Having the match interface inside the route-map would only have effect if the route in the routing table points to that interface and wouldn't have effect if the interface is up or down, and accordingly it should work this way.

--------

As for studying, I understand what you are saying, and that's what I am trying to do. I was just kidding about these router tricks stuff as the Brians do :). I am starting the workbooks this weekend, and we shall see. Wish me luck please, and thank you very much.

BR,

Mohammed Mahmoud.

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

He is using SLA for the static route. Using the match interface in the route-map will force the router to use the ip address of that interface as the src nat ip.

Keep in mind, this route-map is using NAT on the match statement and PBR for the set statement.

___________

I truly believe you will do well but don't be disappointed if you fail on the first try. It's a learning experience that only those who've taken the Lab can understand.

When is your Lab?

Re: Dual ISP: Nat Problem

Please correct me if I am wrong:

!
route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0
!

Will match the ACL named nat for the src NAT IP, and match FastEthernet0/0 as the outgoing interface, which should be controlled according to the routing table, and thus if the main route is valid, then the appropriate route map is matched and accordingly the appropriate NAT statement is used, and the same if the other route is valid, and controlling the routes via SLA will solve the FastEthernet interface issue.

----------

I never get disappointed by God's will, but I got the feeling that I can do it :) It's by the end of November.

BR,

Mohammed Mahmoud.

New Member

Re: Dual ISP: Nat Problem

Let me first start off by thanking both of you for your posts/comments :)

I tried some testing today using the 'ip verify-reachability' and I still had the same problem. I'm going back into work tomorrow to test this scenario again.

I will re-test using the 'ip verify-reachability' again (+ updated code) and Mohammed's suggestion with the second route being tracked and not using it as a floating static route.

Re: Dual ISP: Nat Problem

Hi,

You are very welcome :) Please try changing the route-maps as follows:

!
route-map primary-nat permit 10
 match ip address nat
 match interface FastEthernet0/0
!
route-map backup-nat2 permit 10
 match ip address nat
 match interface FastEthernet0/1
!

BR,

Mohammed Mahmoud.

Re: Dual ISP: Nat Problem

Hi,

Kindly find the result of my approach attached.

When the primary route is in the routing table:

Sep 8 23:57:17.703: NAT: map match primary

When the primary route is removed from the routing table (tracked via sla) and the backup route is inserted:

Sep 9 00:13:43.363: NAT: map match backup

One thing is for sure you need to play with the following to enhance the down time (plus you must also play with the frequency and timeout of the SLA):

ip sla monitor 1
 type echo protocol ipIcmpEcho 155.1.146.2
 timeout 1000 (default 5000msec)
 frequency 3 (default 60sec)
ip sla monitor schedule 1 start-time now life forever
track 1 rtr 1 reachability
ip nat translation timeout 2 (default 60sec)
ip nat translation tcp-timeout 2 (default 60sec)
ip nat translation udp-timeout 2 (default 60sec)
ip nat translation icmp-timeout 2 (default 60sec)

HTH,

Mohammed Mahmoud.

Re: Dual ISP: Nat Problem

Hi,

Another set of test results, making sure that the default route is the route used in both cases:

NOTE: In this test I am pinging a bogus IP, 10.10.10.1 (to make sure that it will use the default route), which gives a timeout. In order to be able to print the show ip nat translation output and the expiring entry for illustration, I defaulted the NAT timeout to 60 seconds.

Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:39:18.823: NAT: map match primary
Sep 9 00:39:18.823: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.146.1: wanted 74 got 74
Sep 9 00:39:18.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1068]
Sep 9 00:39:18.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1068].
Sep 9 00:39:20.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1070]
Sep 9 00:39:20.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1070].
Sep 9 00:39:22.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1071]
Sep 9 00:39:22.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1071].
Sep 9 00:39:24.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1073]
Sep 9 00:39:24.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1073].
Sep 9 00:39:26.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1075]
Sep 9 00:39:26.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1075].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#sh ip nat translations
Pro  Inside global    Inside local    Outside local   Outside global
icmp 155.1.146.1:74   155.1.0.1:74    10.10.10.1:74   10.10.10.1:74
Rack1R1#
Sep 9 00:40:27.127: NAT: expiring 155.1.146.1 (155.1.0.1) icmp 74 (74)
Rack1R1#

After the primary route fails:

Rack1R1#
Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:41:01.399: NAT: map match backup
Sep 9 00:41:01.399: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.147.1: wanted 75 got 75
Sep 9 00:41:01.399: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1107]
Sep 9 00:41:01.399: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1107].
Sep 9 00:41:03.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1109]
Sep 9 00:41:03.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1109].
Sep 9 00:41:05.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1111]
Sep 9 00:41:05.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1111].
Sep 9 00:41:07.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1112]
Sep 9 00:41:07.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1112].
Sep 9 00:41:09.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1114]
Sep 9 00:41:09.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1114].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#
Rack1R1#sh ip nat translations
Pro  Inside global    Inside local    Outside local   Outside global
icmp 155.1.147.1:75   155.1.0.1:75    10.10.10.1:75   10.10.10.1:75
Rack1R1#
Rack1R1#
Rack1R1#
Sep 9 00:42:09.543: NAT: expiring 155.1.147.1 (155.1.0.1) icmp 75 (75)

HTH,

Mohammed Mahmoud.

New Member

Re: Dual ISP: Nat Problem

Mohammed,

I noticed your testing and I thank you very much for all your assistance...you too Edison :). After the primary route fails and the backup takes over everything works fine...I didn't see anything in your tests that show what happens when the primary route is restored?

Because the backup route was the last route to be active will the traffic still be sent out the backup route since NAT translations have already been established?

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

Jeff,

Here is the debug from ip nat based on my config (please note the timestamp on how quick it recovers)

R2#
*Sep 9 21:15:31.703: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [1]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [1]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [2]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [2]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [3]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [3]
*Sep 9 21:15:31.707: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [4]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [4]
R2#
*Sep 9 21:15:34.039: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 0 (0)
R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:06:49
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0
R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
    2 changes, last change 00:00:26
  Latest operation return code: Timeout
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0
R2#
*Sep 9 21:18:00.899: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [10]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [10]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [11]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [11]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [12]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [12]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [13]
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [13]
*Sep 9 21:18:00.907: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [14]
R2#
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [14]
R2#
*Sep 9 21:18:03.343: NAT: expiring 192.168.2.1 (192.168.0.2) icmp 2 (2)
R2#
R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    ROUTE-MAP 0
    STATIC-IP-ROUTING 0
R2#
*Sep 9 21:18:50.519: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [20]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [20]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [21]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [21]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [22]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [22]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [23]
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [23]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [24]
R2#
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [24]
R2#
*Sep 9 21:18:52.579: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 4 (4)
R2#
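
A check for the failback question raised in this thread, as an added example that is not part of any participant's post: it reads `show track` and `show ip nat translations` output and lists translations still bound to the ISP that the track state says should be idle. The address-to-ISP map follows the lab config posted in the thread, and the sample output is constructed.

```python
import re
from dataclasses import dataclass

# Assumption: inside global address of each outside interface, as in the lab
# config from the thread (Ethernet1/0 = primary ISP, Ethernet2/0 = backup ISP).
EGRESS_BY_GLOBAL_IP = {"192.168.1.1": "primary", "192.168.2.1": "backup"}
PROTOCOLS = {"tcp", "udp", "icmp", "---"}  # "---" marks a static entry


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def global_ip(self) -> str:
        return self.inside_global.split(":", 1)[0]  # drop the port, if any


def parse_track(text: str) -> dict:
    """Map track id -> True when 'show track' reports 'Reachability is Up'."""
    states, current = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"Track (\d+)", line)
        state = re.fullmatch(r"Reachability is (Up|Down)", line)
        if head:
            current = int(head.group(1))
        elif state and current is not None:
            states[current] = state.group(1) == "Up"
    return states


def parse_translations(text: str) -> list:
    """Parse 'show ip nat translations' rows, skipping header and prompts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] in PROTOCOLS:
            rows.append(Translation(*fields))
    return rows


def misrouted(track_text: str, nat_text: str, track_id: int = 1) -> list:
    """Translations bound to the ISP that the track state says should be idle:
    backup-address entries while the track is Up, primary ones while Down."""
    states = parse_track(track_text)
    if track_id not in states:
        raise ValueError(f"track {track_id} not found in 'show track' output")
    expected = "primary" if states[track_id] else "backup"
    return [t for t in parse_translations(nat_text)
            if EGRESS_BY_GLOBAL_IP.get(t.global_ip, expected) != expected]


# Constructed sample: the primary has recovered (track Up) but two flows that
# started during the outage are still translated to the backup address.
SAMPLE_TRACK = """\
R2#show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
"""
SAMPLE_NAT = """\
R2#show ip nat translations
Pro  Inside global     Inside local      Outside local    Outside global
icmp 192.168.1.1:20    192.168.0.2:20    10.10.10.2:20    10.10.10.2:20
tcp  192.168.2.1:1025  192.168.0.3:1025  10.10.10.2:80    10.10.10.2:80
udp  192.168.2.1:5060  192.168.0.4:5060  10.10.10.2:5060  10.10.10.2:5060
"""

if __name__ == "__main__":
    for t in misrouted(SAMPLE_TRACK, SAMPLE_NAT):
        print(f"stale: {t.proto} {t.inside_local} -> {t.inside_global}")
```

Entries it reports while the track is Up are the flows that will keep leaving via the backup link until their NAT timeout expires or the table is cleared.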

New Member

Re: Dual ISP: Nat Problem

Hi,

Just adding some queries. I believe that you're using dynamic translation. But what happens if you're using a static NAT entry? Would it still fail over based on the route maps?

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

The problem with Static NAT is that you don't have the overload option which is needed for the oer.

I have static NAT has the redundancy operation but I will have to lab it up.

I won't have time until later next week.

New Member

Re: Dual ISP: Nat Problem

I have this scenario, but this time with 3 ISPs, each with its own router. Those 3 routers are connected to another router (to handle the NAT translation). The NAT Router is connected to a layer 2 switch. Here is the scenario: the NAT Router is a 7204 Router with 4 Ethernet interfaces: 1. Digitel 2. FiberCity 3. IPLC 4. Layer2 switch. I have created 3 static routes on the NAT Router and 4 subinterfaces to support multiple public IP and private IP addresses.

Objectives:

1. NAT failover

Questions:

1. Are my static routes on the NAT Router correct? I have used a private IP address between the 4 routers. This is my lab work, and all of this is for test purposes only. For example, my server IP address is 202.118.140.68; can it still be routed to the internet? I'm getting confused here.

2. This configuration is not yet tested because I lack equipment, so I am using only a network simulator. Anyway, on the NAT part, I will try to use your suggestions.

3. Are there any conflicts in my configuration?

See attachments for my network topology and the configurations on my router.

Thanks in advance

New Member

Re: Dual ISP: Nat Problem

FYI...Attachments continuation...

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

The problem you may be facing;

if ISP '1' goes down and you configure some kind of redundancy for static NAT, then the inside device will route over to ISP '2'.

However, you need to know what kind of services this inside device is providing. External sources need to point to the new external IP. How are you planning to accomplish this?

That's the reason it is much easier with dynamic NAT. External devices don't need to know how to reach your internal network.

New Member

Re: Dual ISP: Nat Problem

On the static NAT we're using different kinds of servers, like Call Center Application, SIP Proxy, PBX Proxy, FTP, DB and so on.

I think it's better to prepare each static NAT translation for backup, just in case one of the ISPs goes down.

Right now my concerns are: will my dynamic NAT work with this configuration? And if I use static public IP addresses, can they still be routed to the internet properly without conflict with my static route entries?

Hall of Fame Super Bronze

Re: Dual ISP: Nat Problem

I can't give you a definite answer until I have a chance to lab it up.

I also suggest you start putting a config together for sharing and we can start from there as a template.

Hall of Fame Super Gold

Re: Dual ISP: Nat Problem

Interesting. Edison, would you explain the OER part for someone like me that has read already too much cisco documentation ?
