NAT port translation from more than one WAN at the same time

paultozer
Level 1

Here's the scenario - I have a 2811 router and have two WICs for failover and load balancing. This is working OK.

However, the NAT port 25 translation only works on one WAN address at a time, and it seems to switch from one to the other whenever it feels like it and when a failure happens, but I would like it to be available on both WAN addresses at the same time.

Below is my running script; the two IP addresses are the static WAN addresses given by my ISP, which are received automatically.

!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.4.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.2 point-to-point
 pvc 0/38
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat log translations syslog
ip nat pool ISP2 213.x.237.x.218.237.16 netmask 255.255.255.255
ip nat pool ISP1 213.x.237.x.218.237.7 netmask 255.255.255.255
ip nat inside source route-map ISP1-map interface Dialer0 overload
ip nat inside source route-map ISP2-map interface Dialer1 overload
ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ISP2-map permit 10
 match interface Dialer1
!
route-map ISP1-map permit 10
 match interface Dialer0
!
!

22 Replies

jackyoung
Level 6

Please check the link below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

It states:

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

Can you confirm whether there is any outside-to-inside traffic for the second static NAT rule with extendable?

If it is only triggered by inside-to-outside traffic, only one static NAT rule may be used.

Hope this helps.

The translation is from outside to inside.

What I am aiming at is that the two ADSL lines will both accept incoming SMTP on port 25 at the same time and forward it to 192.168.4.1.

At present they will only do one at a time; if I down one dialer or set the route cost higher on one dialer then it will translate, and vice versa on the second WIC.

I am not really interested in load balancing them, just as long as they forward to the same or another address, as I have two LAN ports.

However, even when I forward port 25 to two different addresses from the two different public IP addresses, it doesn't work until I down one WIC.

Many thanks

Paul

Thanks for the clarification. Could you advise how you control and ensure that the SMTP traffic from outside-to-inside flows to the preferred DSL? The ISPs will advertise the route to the Internet, and the incoming traffic depends on the ISP and Internet routing table.

If you manually control the routing table in the router, it is for the inside-to-outside traffic. It is true that if you fine tune the cost, the traffic flows to the defined DSL with NAT. Otherwise, if there is SMTP traffic from outside-to-inside to both DSLs, then it should work, but inside-to-outside still uses one DSL only at a time. Thx.

I think this is where the problem lies. I thought that the two commands below would do that, as they are the two public IP addresses that my ISP gave me for each ADSL connection, Dialer0 being 213.218.237.7 and Dialer1 being 213.218.237.16.

ip nat inside source static tcp 192.168.4.1 25 213.218.237.16 25 extendable

ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25 extendable

Is this not the case? Any advice would be greatly appreciated.

According to the config guide, your command is correct, but it works for outside-to-inside traffic or when one of the links is down, and it also works for inside-to-outside.

Can you advise how you test (or prove that NAT is not working) the inside-to-outside traffic if you are load-sharing two DSL links?

Thx.

To add to the input from Jackyoung and Paul: since it is necessary to map your mail server to two external addresses, you can declare two equal-preference MX handlers in DNS, using an address from each provider's space. On the server, you will add another address on the LAN; this is done differently depending on the OS. You will configure two static translations pairing internal and external addresses. This way you will receive email using both circuits normally, and one only in case of failure.

cjlago
Level 1

This sounds like expected behavior. There is only one default gateway, so when your router tries to respond to connection attempts on the "second" DSL line, it actually uses the first DSL line because that's the default gateway. When you change the admin distance, you are really just changing the route to 0.0.0.0/0.0.0.0. You may find help with PBR routing.

HTH.

CJL

Cisco Systems, Inc.

Hi CJL, could you explain why you said there is one GW? There are two default routes with the same AD, and the router is the local GW for the server. Many thx.

Hey Jack - It's just a guess on my part, but I think as the router balances between the two dialer interfaces, inbound connection attempts will be intermittent. At least in this scenario, the router is ultimately flapping the default route between the two interfaces with the same admin distance.

The router decides where to send packets based on where they're going, not where they're from. So, the incoming interface is not part of the forwarding logic. As it replies to the inbound connection attempts, the packet header can contain a different source address than what the other end is expecting.

If an inbound connection attempt is made on Dialer0 port 25, it gets forwarded to the internal mail server. The mail server responds and the NAT process takes place. When the router sends that response back out, it will use whatever happens to be the default GW at the time. If it happens to go out on Dialer1, the connection will fail. Once it's established, the router will be stateful and connections will stay up.

If we take NAT out of the equation this problem won't exist because the source address would be the actual mailserver and the remote side wouldn't care how packets get there.

HTH.

CJL

Cisco Systems, Inc.

This is exactly what I am seeing.

Is there a solution to this that you can base on my configuration?

I thought I had a policy-based route via the route maps, but I do not think this is working at all.

Help is greatly appreciated.

Pls see my post above:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcaef6/8#selected_message

I think that once you configure two addresses on the server and two non-ambiguous translations, you will be able to have this working.

Already tried this, as well as having it on a separate LAN interface (as the 2811 has two).

It didn't work either unless one WAN was down.

It should be something quite simple, I would imagine, but looking at other people's posts on multiple ADSL it doesn't look that way.

I was thinking about all this, and there may be implications depending on the order in which the inside interface processes PBR and NAT, something that I'm not sure about.

So I would need to lab this out before saying for sure.

I hope to be able to do that after I'm back from a trip I'm taking now.
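As an added example (not configuration posted by anyone in this thread), here is how CJL's diagnosis and the two-address suggestion above could be combined on IOS: give the mail server a second LAN address, keep one non-ambiguous static translation per inside address, and policy-route each inside address out of the dialer whose public address it is translated to, so replies leave through the link the connection arrived on. The second server address 192.168.4.2, the access-list names and the route-map name are assumptions; the public addresses are the ones given in the thread. Cisco's documented NAT order of operations for inside-to-outside traffic applies policy routing before the inside-to-outside translation, which is why the access lists match the private (pre-NAT) source addresses rather than the public ones.

```cisco
! Added example, not the thread's own running config.
! Assumed: the mail server now answers on 192.168.4.1 and 192.168.4.2
! (second address on the same NIC, or a second NIC on the LAN).
!
! One static translation per inside address. With distinct inside
! addresses the mappings are no longer ambiguous, so "extendable" is
! not needed to resolve the inside-to-outside direction.
ip nat inside source static tcp 192.168.4.1 25 213.218.237.7 25
ip nat inside source static tcp 192.168.4.2 25 213.218.237.16 25
!
! Match SMTP replies from each server address. These are private
! source addresses: IOS policy-routes inside-to-outside packets
! before it translates them.
ip access-list extended MAIL-VIA-ISP1
 permit tcp host 192.168.4.1 eq 25 any
ip access-list extended MAIL-VIA-ISP2
 permit tcp host 192.168.4.2 eq 25 any
!
! Send each server address out of the dialer whose public address
! it maps to, regardless of which default route is active.
route-map MAIL-PBR permit 10
 match ip address MAIL-VIA-ISP1
 set interface Dialer0
route-map MAIL-PBR permit 20
 match ip address MAIL-VIA-ISP2
 set interface Dialer1
! Traffic matching neither sequence falls through to normal routing.
!
interface FastEthernet0/0
 ip policy route-map MAIL-PBR
```

After applying it, "show route-map MAIL-PBR" shows per-sequence policy match counters, and "show ip nat translations" shows which public address each port 25 session was built against; a reply leaving the wrong dialer would show up as a sequence whose counter never increments while sessions on that public address fail to complete.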

Hi CJL, thanks a lot for the clarification. In fact, this is what I found in this case, but I did not understand your meaning in the previous post, so I asked for clarification. Thanks again.

Hi Paul, is your ultimate goal to load-share both incoming and outgoing SMTP traffic? If this is the case, is it possible to have two LAN interfaces at the mail server? Then there will be two NAT rules for the two LAN interfaces and it will not create the problem.

Hope this helps.
