
New Member

NAT port translation from more than one WAN at the same time

Here's the scenario: I have a 2811 router with two WICs for failover and load balancing. This is working OK.

However, the NAT port 25 translation only works on one WAN address at a time, and it seems to switch from one to the other whenever it feels like it and when a failure happens, but I would like it to be available on both WAN addresses at the same time.

Below is my running config. The two IP addresses are the static WAN addresses given by my ISP, which are received automatically.

!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat pool ISP2 213.x.237.x.218.237.16 netmask 255.255.255.255
ip nat pool ISP1 213.x.237.x.218.237.7 netmask 255.255.255.255
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 10
 match interface Dialer1
!
route-map ISP1-map permit 10
 match interface Dialer0
!
!

22 REPLIES
Silver

Re: NAT port translation from more than one WAN at the same time

Please check the link below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

It states:

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

Can you confirm whether there is any outside-to-inside traffic for the second static NAT rule with extendable?

If it is only triggered by inside-to-outside, there may be only one static NAT rule in use.

Hope this helps.

New Member

Re: NAT port translation from more than one WAN at the same time

The translation is from outside to inside.

What I am aiming at is that the two ADSL lines will both accept incoming SMTP on port 25 at the same time and forward it to 192.168.4.1.

At present they will only do one at a time; if I down one dialer or set the route cost higher on one dialer, then it will translate, and vice versa on the second WIC.

I am not really interested in load balancing them, just as long as they forward to the same or another address, as I have two LAN ports.

However, even when I forward port 25 to two different addresses from the two different public IP addresses, it doesn't work until I down one WIC.

Many thanks

Paul

Silver

Re: NAT port translation from more than one WAN at the same time

Thanks for the clarification. Could you advise how you control and ensure that the SMTP traffic from outside-to-inside flows to the preferred DSL? The ISPs will advertise the route to the Internet; the incoming traffic depends on the ISP and Internet routing table.

If you manually control the routing table in the router, it is for the inside-to-outside traffic. It is true that if you fine-tune the cost, the traffic flows to the defined DSL with NAT. Otherwise, if there is SMTP traffic from outside-to-inside to both DSLs, then it should work, but inside-to-outside will still use only one DSL at a time. Thx.

New Member

Re: NAT port translation from more than one WAN at the same time

I think this is where the problem lies. I thought that the two commands below would do that, as they are the two public IP addresses that my ISP gave me for each ADSL connection: Dialer0 being 213.218.237.7 and Dialer1 being 213.218.237.16.

ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable

ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable

Is this not the case? Any advice would be greatly appreciated.

Silver

Re: NAT port translation from more than one WAN at the same time

According to the config guide, your command is correct, but it works for outside-to-inside traffic or when one of the links is down, and also works for inside-to-outside.

Can you advise how you test (or prove the NAT is not working) the inside-to-outside traffic if you load-share across two DSL links?

Thx.

Hall of Fame Super Gold

Re: NAT port translation from more than one WAN at the same time

To add to the input from Jackyoung and Paul: since it is necessary to map your mail server to two external addresses, you can declare two equal-preference MX handlers in DNS, using an address from each provider's space. On the server, you will add another address on the LAN; this is done differently depending on the OS. You will configure two static translations pairing internal and external addresses. This way you will receive email using both circuits normally, and only one in case of failure.

New Member

Re: NAT port translation from more than one WAN at the same time

This sounds like expected behavior. There is only one default gateway, so when your router tries to respond to connection attempts on the "second" DSL line, it actually uses the first DSL line because that's the default gateway. When you change the admin distance, you are really just changing the route to 0.0.0.0/0.0.0.0. You may find help with PBR routing.

HTH.

CJL

Cisco Systems, Inc.

Silver

Re: NAT port translation from more than one WAN at the same time

Hi CJL, could you explain why you said there is one GW? There are two default routes with the same AD, and the router is the local GW for the server. Many thx.

New Member

Re: NAT port translation from more than one WAN at the same time

Hey Jack, it's just a guess on my part, but I think that as the router balances between the two dialer interfaces, inbound connection attempts will be intermittent. At least in this scenario, the router is ultimately flapping the default route between the two interfaces with the same admin distance.

The router decides where to send packets based on where they're going, not where they're from. So the incoming interface is not part of the forwarding logic. As it replies to the inbound connection attempts, the packet header can contain a different source address than what the other end is expecting.

If an inbound connection attempt is made on Dialer0 port 25, it gets forwarded to the internal mailserver. The mail server responds and the NAT process takes place. When the router sends that response back out it will use whatever happens to be the default gw at the time. If it happens to go out on Dialer1 the connection will fail. Once it's established, the router will be stateful and connections will stay up.

If we take NAT out of the equation this problem won't exist because the source address would be the actual mailserver and the remote side wouldn't care how packets get there.

HTH.

CJL

Cisco Systems, Inc.

New Member

Re: NAT port translation from more than one WAN at the same time

This is exactly what I am seeing.

Is there a solution to this that you can base on my configuration?

I thought I had a policy-based route via the route maps, but I do not think this is working at all.

Help is greatly appreciated.

Hall of Fame Super Gold

Re: NAT port translation from more than one WAN at the same time

Please see my post above:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcaef6/8#selected_message

I think that once you configure two addresses on the server and two non-ambiguous translations, you will be able to get this working.

New Member

Re: NAT port translation from more than one WAN at the same time

I already tried this, as well as having it on a separate LAN interface (as the 2811 has two).

It didn't work either unless one WAN was down.

It should be something quite simple, I would imagine, but looking at other people's posts on multiple ADSL it doesn't look that way.

Hall of Fame Super Gold

Re: NAT port translation from more than one WAN at the same time

I was thinking about all this and there may be implications depending on the order in which the inside interface processes PBR and NAT, something I'm not sure about.

So I would need to lab this out before saying for sure.

I hope to be able to do that after I'm back from a trip I'm taking now.

Silver

Re: NAT port translation from more than one WAN at the same time

Hi CJL, thanks a lot for the clarification. In fact, this is what I found in this case, but I did not understand your meaning in the previous post, so I asked for clarification. Thanks again.

Hi Paul, is your ultimate goal to load-share both incoming and outgoing SMTP traffic? If this is the case, is it possible to have two LAN interfaces on the mail server? Then there will be two NAT rules for the two LAN interfaces, and it will not create the problem.

Hope this helps.

New Member

Re: NAT port translation from more than one WAN at the same time

Yes, two interfaces would be OK.

I have already done this, however, and it doesn't seem to make a difference.

Do you need an ip route 0.0.0.0 0.0.0.0 DialerX command, or is there a way to do this by using a route-map? This is what seems to be the problem, as it always seems that the default gateway is Dialer0.

Silver

Re: NAT port translation from more than one WAN at the same time

Can you share the config of the router? If you have two interfaces in the mail server, they are located in different subnets. You can configure two NAT rules for them: one NAT for ISP1 and another for ISP2. Then there is no need to use "extendable" and both NATs will be active.

I prefer to use PBR instead of a static route, e.g. if the traffic arrives from Ethernet 1 of the router, it will be forwarded to ISP2 by PBR. Otherwise, the traffic will follow the routing table (assume one static route pointing to ISP2, and one floating static pointing to ISP2) to forward the traffic to ISP1.

Hope this helps.

Silver

Re: NAT port translation from more than one WAN at the same time

Sorry, the statement before the last statement should be "(assume one static route pointing to ISP1....."; it should be ISP1. I assume Ethernet 0 connects to the first LAN card in the mail server and Ethernet 1 connects to the second LAN card in the mail server.

New Member

Re: NAT port translation from more than one WAN at the same time

I've amended my script to use route maps for the two ISPs to two LANs, but it still isn't playing ball. Here's my latest script:

!This is the running config of the router: 192.168.4.253
!----------------------------------------------------------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxx
enable password xxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 213.x.128.x
ip name-server 213.x.128.x
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 172.16.0.253 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map ISP1-map
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map ISP2-map
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
!
router ospf 1
 log-adjacency-changes
 maximum-paths 2
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat inside source static tcp 172.16.0.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
!
access-list 130 permit ip 192.168.4.0 0.0.0.255 any
access-list 131 permit ip 172.16.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 131
 match ip address 131
 match interface Dialer1
 set ip next-hop dynamic dhcp
!
route-map ISP1-map permit 130
 match ip address 130
 match interface Dialer0
 set ip next-hop dynamic dhcp
!
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password PASSWORD
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password PASSWORD
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Silver

Re: NAT port translation from more than one WAN at the same time

You should apply the policy at the incoming interface, i.e. FE0 and FE1, instead of the Dialer interface.

Moreover, you do not require two separate access-lists, because all traffic from FE0 is forwarded to Dialer 0, so you only require an ACL as below:

access-list 100 permit ip any any

or

access-list 1 permit any

then apply the above access-list to the route-map.

Only one FE requires the policy, and the other requires a floating static for backup.

i.e. remove route-map ISP1, the corresponding policy at the interface, and "ip route 0.0.0.0 0.0.0.0 Dialer1"

add "ip route 0.0.0.0 0.0.0.0 Dialer1 200"

It means the traffic from FE0 will follow the routing table (i.e. Dialer 0 as next-hop) and the traffic from FE1 will follow the policy to forward to Dialer 1. If Dialer 0 goes down, the floating static route will appear and all traffic will float to Dialer 1. If Dialer 1 goes down, the policy will not work and the traffic from FE1 will also flow to Dialer 0.

Hope this helps.
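The layout described in the post above, written out as an added example (not any poster's running config): policy routing on the second inside interface only, a floating static route as the backup path, and one unambiguous static SMTP translation per server NIC. Interface names, subnets and the server addresses 192.168.4.1 / 172.16.0.1 are the ones already in the thread; the ACL number, the route-map names and the administrative distance of 200 are assumptions.

```cisco
! Added example, not any poster's running config.  Interface names, subnets and
! the server addresses 192.168.4.1 / 172.16.0.1 come from the thread; the ACL
! number, route-map names and the AD of 200 are assumed.
!
! PBR only on the second inside interface: traffic from the 172.16.0.0/16 side
! leaves via Dialer1.  Traffic between the two LANs is excluded from the policy
! so it is routed locally instead of being pushed out to the ISP.
access-list 101 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
!
route-map FE1-TO-ISP2 permit 10
 match ip address 101
 set interface Dialer1
!
interface FastEthernet0/1
 ip address 172.16.0.253 255.255.0.0
 ip nat inside
 ip policy route-map FE1-TO-ISP2
!
! FastEthernet0/0 carries no policy: its traffic follows the routing table,
! which prefers Dialer0 and falls back to Dialer1 only when Dialer0 is down.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 200
!
! Dynamic PAT keyed on the egress interface, so the translated source
! address always matches the link the packet actually leaves on.
route-map ISP1-NAT permit 10
 match interface Dialer0
route-map ISP2-NAT permit 10
 match interface Dialer1
ip nat inside source route-map ISP1-NAT interface Dialer0 overload
ip nat inside source route-map ISP2-NAT interface Dialer1 overload
!
! Inbound SMTP: one static translation per server NIC, each bound to the
! dialer whose address the corresponding MX record advertises.  No "extendable"
! is needed because the two inside addresses are different.
ip nat inside source static tcp 192.168.4.1 25 interface Dialer0 25
ip nat inside source static tcp 172.16.0.1 25 interface Dialer1 25
```

With Dialer1 down the set interface clause has nothing usable, so the 172.16 side falls through to the routing table and Dialer0, which is the failure behaviour the post above describes. show ip nat translations and show route-map confirm which translation and which policy sequence each flow actually hit.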

New Member

Re: NAT port translation from more than one WAN at the same time

ip route 0.0.0.0 0.0.0.0 Dialer1 200

This works in a fail-over environment, but to be honest so did my original script with this route cost.

But what I am trying to achieve is to have incoming connections on both WAN interfaces at the same time.

Silver

Re: NAT port translation from more than one WAN at the same time

Because you are using policy-based routing, once the next-hop of the PBR is available and the policy is applied on the correct interface, the traffic will be forwarded to the next-hop indicated in the PBR route-map. In other words, once you have configured PBR, it won't follow the routing table. Therefore, no matter whether you have both static routes with no cost parameter, it has no effect.

Please refer to my last post for my idea to get this working. If it is not your preferred operation or traffic flow, please let me know and I will try to propose another one.

Moreover, the routing table or static route in a router is for the OUTGOING traffic only; you cannot control the traffic from the incoming side, so even if you have two static routes at the same cost, the incoming traffic will still not be load-shared.

Hope this helps.

Bronze

Re: NAT port translation from more than one WAN at the same time

I'm guessing Paul needs to add route-maps to his NAT statements, something like this:

ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 route-map ISP1-map extendable

ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 route-map ISP2-map extendable

And check to see if you are using load-sharing per destination.

I take it you have already checked for 2 default routes in the route table.
