NAT port translation from more than one WAN at the same time

paultozer

Here's the scenario - I have a 2811 Router and have two WICs for failover and load balancing. This is working ok.

However, the NAT port 25 translation only works on one WAN address at a time, and it seems to switch from one to the other whenever it feels like it and when a fail happens, but I would like it to be available on both WAN addresses at the same time.

Below is my running script; the two IP addresses are the static WAN addresses given by my ISP, which are received automatically.

!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat pool ISP2 213.x.237.x.218.237.16 netmask 255.255.255.255
ip nat pool ISP1 213.x.237.x.218.237.7 netmask 255.255.255.255
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 10
 match interface Dialer1
!
route-map ISP1-map permit 10
 match interface Dialer0
!
!


Yes two interfaces would be ok.

I have already done this however, and it doesn't seem to make a difference.

Do you need an ip route 0.0.0.0 0.0.0.0 DialerX command, or is there a way to do this by using a route-map? This seems to be the problem, as it always seems that the default gateway is Dialer0.

Can you share the config of the router? If you have two interfaces in the mail server, they are located in different subnets. You can configure two NAT rules for them, one NAT for ISP1 and another for ISP2. Then there is no need to use "extendable" and both NATs will be active.

I prefer to use PBR instead of a static route, e.g. if the traffic arrived from Ethernet 1 of the router, it will be forwarded to ISP2 by PBR. Otherwise, the traffic will follow the routing table (assume you have one static route pointing to ISP2 and one floating static pointing to ISP2) to forward the traffic to ISP1.

Hope this helps.

Sorry, the statement before the last statement should be "(assume you have one static route pointing to ISP1.....", it should be ISP1. I assume Ethernet 0 connects to the first LAN card in the mail server and Ethernet 1 connects to the second LAN card in the mail server.

I've amended my script to use route maps for the two ISPs to two LANs, but it still isn't playing ball. Here's my latest script:

!This is the running config of the router: 192.168.4.253
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxx
enable password xxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 213.x.128.x
ip name-server 213.x.128.x
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 172.16.0.253 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map ISP1-map
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map ISP2-map
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
!
router ospf 1
 log-adjacency-changes
 maximum-paths 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat inside source static tcp 172.16.0.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
!
access-list 130 permit ip 192.168.4.0 0.0.0.255 any
access-list 131 permit ip 172.16.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 131
 match ip address 131
 match interface Dialer1
 set ip next-hop dynamic dhcp
!
route-map ISP1-map permit 130
 match ip address 130
 match interface Dialer0
 set ip next-hop dynamic dhcp
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password PASSWORD
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password PASSWORD
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

You should apply the policy at the incoming interface, i.e. FE0 & FE1 instead of Dialer interface.

Moreover, you do not need to use two separate access-lists. Because all traffic from FE0 is forwarded to Dialer 0, only one ACL is required, as below:

access-list 100 permit ip any any

or

access-list 1 permit ip any

then apply above access-list to the route-map.

Only one FE requires the policy and the other requires a floating static for backup.

i.e. remove route-map ISP1, corresponding policy at interface and "ip route 0.0.0.0 0.0.0.0 dialer1"

add "ip route 0.0.0.0 0.0.0.0 dialer 1 200"

It means the traffic from FE0 will follow the routing table (i.e. dialer 0 as next-hop) and the traffic from FE1 will follow the policy to forward to dialer 1. If dialer 0 is down, the floating static route will appear and all traffic will float to dialer 1. If dialer 1 is down, the policy will not work and the traffic from FE1 will also flow to dialer 0.

Hope this helps.
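The design described in this reply, assembled into a single config fragment as an added example (it is not the poster's running config or the replier's own). Interface names and addresses come from the configs above; the ACL number, the TO-ISP2 route-map name and sequence numbers are assumptions, and `set interface Dialer1` stands in for the poster's `set ip next-hop dynamic dhcp` because the dialer addresses are PPP-negotiated, not DHCP-learned.

```cisco
! Added example: dual-homed mail server, one LAN per ISP.
! 192.168.4.1 (on FE0/0) answers on the Dialer0 address,
! 172.16.0.1 (on FE0/1) answers on the Dialer1 address.
!
! Inside interfaces. The policy is applied where traffic enters the
! router, and only on the LAN whose traffic must leave via Dialer1.
interface FastEthernet0/0
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 172.16.0.253 255.255.0.0
 ip nat inside
 ip policy route-map TO-ISP2
!
! Assumed ACL number and route-map name. Any packet arriving on FE0/1 is
! sent out Dialer1; if Dialer1 is down the set clause is skipped and the
! packet falls back to the routing table (i.e. Dialer0).
access-list 100 permit ip any any
route-map TO-ISP2 permit 10
 match ip address 100
 set interface Dialer1
!
! One active default via Dialer0. The floating static (AD 200) is only
! installed when Dialer0 is down, so there is never a second equal-cost
! default route flipping the egress interface.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 200
!
! Outbound PAT per ISP, keyed on the egress interface.
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
route-map ISP1-map permit 10
 match interface Dialer0
route-map ISP2-map permit 10
 match interface Dialer1
!
! Inbound SMTP: each WAN address maps to the server NIC on the LAN whose
! return path leads back out the same dialer, so replies to a connection
! that arrived on ISP2 are not sent out ISP1 (that asymmetric return path
! is what the single-server, two-static-NAT version runs into).
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source static tcp 172.16.0.1 25 interface Dialer1 25
```

Check the result with `show ip nat translations` after a connection to each WAN address and with `show route-map TO-ISP2`, whose policy match counter should increase only for traffic that entered FE0/1.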

ip route 0.0.0.0 0.0.0.0 dialer 1 200

This works in a fail-over environment, but to be honest so did my original script with this route cost.

But what I am trying to achieve is to have incoming connection on both wan interfaces at the same time.

Because you are using policy-based routing, once the next-hop of the PBR is available and the policy is applied on the correct interface, the traffic will be forwarded to the next-hop indicated in the PBR route-map. In other words, once you have configured PBR, it won't follow the routing table. Therefore, no matter whether you have both static routes with no cost parameter, it has no effect.

Please refer to my last post for my idea to have this works. If it is not your preferred operation or traffic flow, please let me know and I try to propose another one.

Moreover, the routing table or static route in a router is for the OUT-GOING traffic only; you cannot control the traffic from the incoming side, so even if you have two static routes at the same cost, the incoming traffic will still not be load-shared.

Hope this helps.

I'm guessing Paul needs to add route-maps to his NAT statements, kind of like this:

ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 route-map ISP1-map extendable

ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 route-map ISP2-map extendable

And check to see if you are using load-sharing per destination.

I take it you have already checked for 2 default routes in the route table.
