Cisco Support Community
Community Member

Problem with NAT across two outside interfaces

I manage a development network here that accesses its internet via our corporate firewall.

We have a DSL connection as well for traffic that must bypass the firewall. Typically, we plug directly into the DSL switch, get an IP address from the DSL modem (192.168.1.x) and access it that way. Well, I have a special case where a certain destination should get routed over the DSL connection, but the rest of the traffic needs to go over the standard internet connection.

What I want is for the bulk of the traffic to exit via 172.23.8.1, but for traffic destined for 1.1.1.1 (obfuscated) to exit via the DSL gateway of 192.168.1.1. Unfortunately, we have to NAT this traffic because we don't have management of the modem to tell it where the 10.x.x.x and 172.x.x.x networks are.

The routing part works fine. If I run a traceroute from the router itself, the 1.1.1.1 traffic goes over the DSL connection, and all of the general web traffic on the LANs works. I can ping 192.168.1.163. However, it appears that the NAT isn't working right because I can't ping 1.1.1.1 or 192.168.1.1 from inside the 10.x.x.x or 172.x.x.x networks.

I'd be extremely grateful for any help.

Here is the relevant config:

Current configuration : 4378 bytes
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!

! This is a router-on-a-stick for the development network, hence the sub interfaces

!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.23.8.3 255.255.0.0
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 6
ip address 192.168.1.163 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 100
ip address 10.7.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 172.23.8.1
ip route 1.1.1.1 255.255.255.255 192.168.1.1
!
ip nat inside source route-map dsl_traffic interface GigabitEthernet0/0.2 overload
ip nat inside source route-map general_traffic interface GigabitEthernet0/0.1 overload
!
! Deny statements are used to prevent NAT from occurring on traffic destined for local LANs
!
access-list 100 deny  ip any 10.7.0.0 0.0.255.255
access-list 100 deny  ip any 172.23.0.0 0.0.255.255
access-list 100 permit ip any any
!
route-map general_traffic permit 10
match ip address 100
match interface GigabitEthernet0/0.1
!
route-map dsl_traffic permit 10
match ip address 100
match interface GigabitEthernet0/0.2
!
!
end

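For readers working through the same kind of setup, the following is an added illustration (not part of the original post and not IOS code) of the decision IOS makes for inside-to-outside traffic with the posted configuration: the routing lookup runs first and picks the egress interface, then each `ip nat inside source route-map` statement is evaluated, where the route-map's `match ip address` is checked against ACL 100 and `match interface` is checked against that egress interface, and only if both match is the source translated to the address of the interface named in the NAT statement. The prefixes, interface names and ACL are taken from the config above; the sample packets are constructed. The model only covers the outbound decision, so it says nothing about the return path, and it also shows what the posted wildcard `10.7.0.0 0.0.255.255` actually covers (10.7.0.0/16, not all of 10.0.0.0/8).

```python
"""Model of the IOS inside->outside NAT decision for the posted config.

Added illustration, not IOS code. Order of operations for inside-to-outside
traffic: longest-prefix route lookup -> egress interface; then the NAT
statements are tried in order, each route-map clause matching the ACL and the
egress interface; a match translates the source to the NAT interface address.
"""

import ipaddress

# Routes implied by the posted config: connected subnets plus the two static
# routes (prefix -> egress interface).
ROUTES = {
    ipaddress.ip_network("172.23.0.0/16"): "GigabitEthernet0/0.1",   # connected
    ipaddress.ip_network("192.168.1.0/24"): "GigabitEthernet0/0.2",  # connected
    ipaddress.ip_network("10.7.0.0/24"): "GigabitEthernet0/1.1",     # connected
    ipaddress.ip_network("1.1.1.1/32"): "GigabitEthernet0/0.2",      # via 192.168.1.1
    ipaddress.ip_network("0.0.0.0/0"): "GigabitEthernet0/0.1",       # via 172.23.8.1
}

# Addresses used for overload (PAT) on the two outside interfaces.
INTERFACE_ADDR = {
    "GigabitEthernet0/0.1": "172.23.8.3",
    "GigabitEthernet0/0.2": "192.168.1.163",
}

# access-list 100 exactly as posted: (action, src, src wildcard, dst, dst wildcard)
ACL_100 = [
    ("deny",   "0.0.0.0", "255.255.255.255", "10.7.0.0",   "0.0.255.255"),
    ("deny",   "0.0.0.0", "255.255.255.255", "172.23.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0",    "255.255.255.255"),
]

# route-map name -> clauses; both posted route-maps reference ACL 100.
ROUTE_MAPS = {
    "general_traffic": [{"acl": ACL_100, "interface": "GigabitEthernet0/0.1"}],
    "dsl_traffic":     [{"acl": ACL_100, "interface": "GigabitEthernet0/0.2"}],
}

# ip nat inside source route-map <name> interface <if> overload, in config order.
NAT_RULES = [
    ("dsl_traffic", "GigabitEthernet0/0.2"),
    ("general_traffic", "GigabitEthernet0/0.1"),
]


def acl_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (b & mask)


def acl_permits(acl, src, dst):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if acl_match(src, s_base, s_wild) and acl_match(dst, d_base, d_wild):
            return action == "permit"
    return False


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    d = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if d in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def translate(src, dst):
    """Return (egress interface, source address as it leaves the router)."""
    egress = lookup_route(dst)
    for rm_name, nat_if in NAT_RULES:
        for clause in ROUTE_MAPS[rm_name]:
            if acl_permits(clause["acl"], src, dst) and clause["interface"] == egress:
                return egress, INTERFACE_ADDR[nat_if]
    return egress, src  # no clause matched: packet leaves untranslated


if __name__ == "__main__":
    # Constructed sample flows from an inside host on Gi0/1.1.
    for dst in ("1.1.1.1", "192.168.1.1", "8.8.8.8", "172.23.8.1", "10.7.5.1", "10.9.0.1"):
        egress, new_src = translate("10.7.0.10", dst)
        print(f"10.7.0.10 -> {dst:<12} egress {egress:<22} source becomes {new_src}")
```

On the router itself the equivalent checks are `show ip nat translations` (does an entry appear with the 192.168.1.163 global address when an inside host sends to 1.1.1.1?), `show route-map` (do the match counters for `dsl_traffic` increment?) and, in a lab window, `debug ip nat`.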