I have an issue after attempting to use the same configuration as the one used in the following example.
The load balancing seems to work fine.
However, I am attempting to forward ports back into various locations. These do not work so well.
I have something like the following.
ip nat inside source static tcp 192.168.1.2 25 220.127.116.11 25 extendable
ip nat inside source static tcp 192.168.1.2 25 18.104.22.168 25 extendable
When I telnet to port 25 from outside the network, only one of these will work at any one time, not both.
There are also more port forwards to other computers, and these appear to randomly work / not work. I believe the issue is because the packets are being sent back out the wrong interfaces. Does anyone have any suggestions to get around this?
The fix I have is not fully working. It still has issues.
Pretty much the Cisco seems to have the same issues as most other routers when trying to do this. It leaks packets out the wrong WAN interfaces, e.g. a packet comes in Dialer1 but goes out Dialer2.
So you create two route-maps, e.g.
route-map Redirect permit 10
 match ip address 152
 set interface Dialer1
route-map Redirect permit 11
 match ip address 153
 set interface Vlan2
on the inside interface, matching the source IPs after the NAT and redirecting them out the correct interface.
access-list 153 permit ip host 192.168.4.2 any
where 192.168.4.2 is the ISP IP address.
This however only partially works, as things still seem to get stuck in a cache, so it still leaks packets, just not too many.
What if, instead of using two different ip nat inside statements with two different external IPs, you create a single external address in your NAT statement?
I assume from your post that you have two interfaces with IPs of 22.214.171.124 and 126.96.36.199. Could you create a NAT statement like this:
ip nat inside source static tcp 192.168.1.2 25 188.8.131.52 25
I think that what this would do is forward any traffic for SMTP to the 192.168.1.25 address. Upon replying, this inside host's traffic would be translated back to 184.108.40.206.
So, no matter which outside interface the reply goes out of, it would send the traffic with a destination address of 220.127.116.11.
You don't have to use IPs associated with a physical interface in NAT. You just have to own the IP that you are using in the NAT translation. And, routers would need to know how to get to the IP (18.104.22.168 in this case).
I think that what is happening in your case is that if you telnet to 22.214.171.124:25 it is hitting that interface, but the reply can be translated with address 126.96.36.199, and this just won't work because the host is expecting a response from 188.8.131.52.
Let me know your thoughts.
Unfortunately that won't work, as the two external addresses are with different ISPs which have rogue packet filters, and both ISPs only provide a single IP address each.
The ip nat inside statements are using the hard-coded IPs; otherwise you cannot create them on both external interfaces, as IOS will say that it is already in use.
Or an easier way to trigger the problem:
From a remote host, telnet to external IP1; the connection will work. Then telnet to external IP2; the connection will not work.
Disconnect / clear the router cache.
Telnet to external IP2 and the connection will work. But the connection to external IP1 will now not work.
This is 100% reproducible ;)
Your router configuration seems to be correct.
My only concern about your config is that you have enabled per-port CEF load sharing; can you disable that one and try again?
no ip cef load-sharing algorithm include-ports
It's more stable with it on than off, which would seem correct since the routing cache is both per port and per host instead of just by host.