
New Member

Multiple WANs from Different ISPs: Forcing session thru same interface/ISP?

I have 3 WAN connections: 1 T-1 and 2 ADSLs each from different ISPs and different public addresses.

All are connected to the same 2801 router through a WIC-1T, Fa0/0 and Fa0/1 respectively.

Problems:

1) When I ping from the Internet to one of the interfaces, the reply packet sometimes goes through a different interface, hence different ISP. How can I force the return packet to go through the same interface that received it?

2) Related to (1), when I SSH to the router from the outside, I get a slow/disrupted connection since the reply packets go through another interface. This problem gets solved when I set a static route to the SSH client. Of course, this is not the optimal solution.

There are other issues (multiple NAT pools not working because sessions don't go through the same ISP) but I'll start with this simpler problem first.

I configured the static routes as:

ip route 0.0.0.0 0.0.0.0 a.a.a.a (ISP 1)

ip route 0.0.0.0 0.0.0.0 b.b.b.b (ISP 2)

ip route 0.0.0.0 0.0.0.0 c.c.c.c (ISP 3)

In summary, what should I do to force egress packets out the same interface as their same-session ingress packets?

7 REPLIES

Re: Multiple WANs from Different ISPs: Forcing session thru same

Sam,

Do you own the public addresses assigned to your router interfaces, or are they assigned by the providers?

In the second case, the IP address from one provider will not be accepted via the other provider and hence will not be reachable.

Narayan

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

We don't own the public IPs, and we're not big enough to convince each ISP to advertise through BGP the other public IPs from the other ISPs.

I didn't have this problem when we were just using a Linksys RV082 on the 2 ADSLs. I guess by default it used the 'reply through same interface' scheme, even for NAT'd sessions.

I upgraded to the Cisco 2801 since we just added the T-1.

Isn't there a CLI command to force replies through the same interface?

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

Can you post the output of the running config ("show run") and the IP routes ("show ip route")?

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

I included just the relevant parts. The IP addresses are disguised of course:

!
interface FastEthernet0/0
 ip address 200.200.200.242 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 201.201.201.242 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Serial0/2/0
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
!
interface Serial0/2/0.1 point-to-point
 ip address 202.202.202.242 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 100 IETF
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.200.200.241 // For Fa0/0
ip route 0.0.0.0 0.0.0.0 201.201.201.241 // For Fa0/1
ip route 0.0.0.0 0.0.0.0 202.202.202.241 // For Se0/2/0.1
!

SHOW IP ROUTE:

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 202.202.202.241
               [1/0] via 200.200.200.241
               [1/0] via 201.201.201.241

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

I am curious on how you do NAT. Can you also paste the NAT commands used.

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

I use route-maps on 3 nat pools, just as in the white paper:

Cisco IOS Network Address Translation Overview

http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

But that's a separate although related problem to the 'reply through same interface' issue, or what I've read in other posts as 'symmetric routing'.

Again, is there a way to force replies from a multi-homed router through the same interface?

...

!
ip nat pool NATPOOL_ISP1 200.200.200.242 200.200.200.242 prefix-length 24
ip nat pool NATPOOL_ISP2 201.201.201.242 201.201.201.242 prefix-length 24
ip nat pool NATPOOL_ISP3 202.202.202.242 202.202.202.242 prefix-length 24
ip nat inside source route-map ROUTEMAP_NAT_ISP1 pool NATPOOL_ISP1 overload
ip nat inside source route-map ROUTEMAP_NAT_ISP2 pool NATPOOL_ISP2 overload
ip nat inside source route-map ROUTEMAP_NAT_ISP3 pool NATPOOL_ISP3 overload
!
access-list 110 remark *** ROUTE-MAP for NAT translation (ROUTEMAP_NAT_*) ***
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
route-map ROUTEMAP_NAT_ISP1 permit 1
 match ip address 110
 match interface FastEthernet0/0
!
route-map ROUTEMAP_NAT_ISP2 permit 1
 match ip address 110
 match interface FastEthernet0/1
!
route-map ROUTEMAP_NAT_ISP3 permit 1
 match ip address 110
 match interface Serial0/2/0.1
!

...

New Member

Re: Multiple WANs from Different ISPs: Forcing session thru same

Cisco routers source their packets with the address assigned to the interface nearest to the destination. So, when you ping or SSH to the "outside" address, you are not matching your NAT ACL as its IP is not in the 10.x.x.x range...

That being said, chances are it won't match, as the path doesn't cross thru an interface with "ip nat inside".

My suggestion: create 3 loopback interfaces with ip nat inside. Create static NAT translations to point to them so you know which ISP link you came down. I think this will also create a state xlate in the NAT table (use show ip nat trans to see the entries).

Let me know if I'm off-base...

--Jon
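The mechanism Jon describes, modelled as an added example that is not part of this thread and not Cisco's code: three equal-cost default routes are chosen by destination only, so a reply the router sources from one WAN address can leave through another ISP's link, whereas a selection that also looks at the source address keeps the reply on the link it arrived on. The per-destination hash, the client addresses and the `Wan` records are constructed for the example (the WAN addresses mirror the disguised ones posted above); the NAT part mirrors the `match ip address 110` / `match interface` route-maps from the thread.

```python
# Added example (not from the thread): a small model of why a router with three
# equal-cost default routes answers a ping or SSH session out of a different ISP
# link than the one it arrived on, and what a source-aware selection changes.
# Addresses mirror the disguised ones posted in the thread; clients are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Wan:
    name: str      # router interface facing the ISP
    address: str   # router's own address on that link
    prefix: str    # link subnet
    gateway: str   # ISP next hop (the 'ip route 0.0.0.0 0.0.0.0 ...' target)
    pool: str      # NAT pool the route-map ties to this interface


WANS = [
    Wan("FastEthernet0/0", "200.200.200.242", "200.200.200.240/28", "200.200.200.241", "NATPOOL_ISP1"),
    Wan("FastEthernet0/1", "201.201.201.242", "201.201.201.240/28", "201.201.201.241", "NATPOOL_ISP2"),
    Wan("Serial0/2/0.1",   "202.202.202.242", "202.202.202.240/30", "202.202.202.241", "NATPOOL_ISP3"),
]
INSIDE = ipaddress.ip_network("10.0.0.0/24")   # access-list 110 in the thread


def connected_route(dst: str) -> Optional[Wan]:
    """Longest match: a directly connected link prefix beats the default routes."""
    d = ipaddress.ip_address(dst)
    for w in WANS:
        if d in ipaddress.ip_network(w.prefix):
            return w
    return None


def destination_only_lookup(src: str, dst: str) -> Wan:
    """Plain routing table: three default routes of equal cost, so the egress
    link is picked by a per-destination hash. The source address is not
    consulted at all, which is the behaviour the thread is complaining about.
    The modulo here is a constructed stand-in for the real CEF load-sharing hash."""
    connected = connected_route(dst)
    if connected is not None:
        return connected
    return WANS[int(ipaddress.ip_address(dst)) % len(WANS)]


def source_aware_lookup(src: str, dst: str) -> Wan:
    """Policy-style selection: a packet the router sources from one of its
    WAN addresses leaves via that WAN's gateway; everything else falls back
    to the ordinary lookup."""
    for w in WANS:
        if src == w.address:
            return w
    return destination_only_lookup(src, dst)


def reply_egress(client: str, ingress: Wan, lookup) -> Wan:
    """A client on the Internet reaches the router on `ingress`; the reply is
    sourced from that interface's address and destined back to the client."""
    return lookup(ingress.address, client)


def symmetric_fraction(clients, lookup) -> float:
    """Share of (client, ingress) pairs whose reply leaves the way it came in."""
    pairs = [(c, w) for c in clients for w in WANS]
    ok = sum(1 for c, w in pairs if reply_egress(c, w, lookup) is w)
    return ok / len(pairs)


def translation_pool(src: str, egress: Wan) -> Optional[str]:
    """Mirror of the NAT route-maps in the thread: 'match ip address 110' plus
    'match interface <egress>'. Router-originated replies (sourced from a WAN
    address) never match the inside ACL, so they are not translated."""
    if ipaddress.ip_address(src) not in INSIDE:
        return None
    return egress.pool


if __name__ == "__main__":
    # Constructed test clients (RFC 5737 documentation ranges).
    clients = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
    for lookup in (destination_only_lookup, source_aware_lookup):
        share = symmetric_fraction(clients, lookup)
        print(f"{lookup.__name__}: {share:.0%} of replies leave the link they arrived on")
```

With the destination-only lookup each client's reply always leaves by the same link no matter which WAN it hit, so only a third of the constructed pairs are symmetric; the source-aware lookup makes all of them symmetric. On IOS the counterpart of `source_aware_lookup` for router-originated traffic is local policy routing (`ip local policy route-map` with a route-map that matches each WAN address as the source and sets that ISP's gateway as the next hop); that is a general IOS technique named here as an assumption, not something the replies in this thread propose, and it does not by itself change the NAT behaviour Jon points out.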
