Re: NAT route-map and floating routes

aparada14 · ‎10-01-2006

I have this scenario:

!

crypto ipsec transform-set VPN_PROD esp-3des esp-sha-hmac

!

crypto map VPN_PROD 1 ipsec-isakmp

description VPN_PROD

set peer 192.168.1.4

set transform-set VPN_PROD

match address ACL_VPN_PROD

!

interface FastEthernet0/1

description LAN COnnection

ip address 10.0.160.4 255.255.255.248

ip nat inside

ip virtual-reassembly

speed 100

full-duplex

!

! ==== ISP_01 ===

!

interface Serial0/0.102 point-to-point

description ISP_01_PROD

ip address 192.168.150.21 255.255.255.252

frame-relay interface-dlci 102

crypto map VPN_PROD

!

! ==== ISP_02 ===

!

interface Serial0/2.19 point-to-point

description ISP_02_desa

ip address 192.168.151.21 255.255.255.252

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 19

!

ip route 192.168.10.4 255.255.255.255 192.168.150.22 name PROD

ip route 192.168.10.4 255.255.255.255 192.168.151.22 20 name desa

!

ip nat inside source static 10.0.44.50 172.20.10.64 route-map rm_desa

!

ip access-list extended ACL_VPN_PROD

permit ip host 10.0.44.31 host 192.168.10.4 log-input

!

ip access-list extended acl_desa

permit ip host 10.0.44.50 host 192.168.10.4

!

route-map rm_desa permit 10

match ip address acl_desa

set default interface Serial0/2.19

!

Hi,

I?m implementing this to get connection through a NAT statement to a network partner using the floting route shown

as desa, this route is not in the routing table and I have found that using policy routing and route-map there are two

commands:

1.- set default interface "type number"

2.- set ip default next-hop "ip address"

tha I can use in order to get connection if in the routing table has no explicit route for the destination network.

In this case I have 2 differents ISP?s and only one of them with nat. Can anyone tell me if this can work?, I tried but I couldn?t see in the nat table the translation 10.0.44.50 -> 172.20.10.64. there is something wrong??

Regards,

Alex

Edison Ortiz · ‎10-02-2006

Alex,

Is there a route back to 172.20.10.64 from the remote network ? Also, the remote network must source *only* with IP 192.168.10.4 since that's the only route in your router at the present time.

I also recommend changing the route-map from

set default interface Serial0/2.19

to

set ip next-hop 192.168.151.22

___

Please rate helpful posts.

Thanks

aparada14 · ‎10-03-2006

Hi,

Thanks for your answer, I put the set default interface command because I read this is used when there is no entry in the routing table, and this is the case for the floating route pointing to the same destination but different ISP and also to do nat. I?ll be testing this thursday in the morning but I?m not sure if it will work. There is another command for testing: set ip default next-hop, but I never have tested this commands, and I don?t know if they will work for my case.

Edison Ortiz · ‎10-03-2006

My understanding is that the set default interface command is supported only over point-to-point links, unless a route-cache entry exists using the same interface specified in the set interface command in the route map.

The set ip default next-hop will only check for default routing information. If the route is on the routing table, it will use it. Is that what you want ?

aparada14 · ‎10-06-2006

Hi Edison,

I want to use the connection through the ISP_02, the interface is configured as point-to-point, and for this connection there is a floating static route to the destinnation 192.168.10.4, the same for the another ISP.

! ==== ISP_02 ===

!

interface Serial0/2.19 point-to-point

description ISP_02_desa

ip address 192.168.151.21 255.255.255.252

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 19

!

Edison Ortiz · ‎10-06-2006

Alex,

What about a route back ?

Have you tried a traceroute and see where it dies ?