Routing and NAT

ingemar.jacob
Level 1

Hello Community,

I have one question.

I'm using two Cisco routers with different ISPs and NAT to connect to the internet.

Router A is set as the default gateway for the LAN hosts.

Now I want to set up host routes on Router A for some LAN clients so that they go through Router B and then to the internet.

For example: a client's Explorer wants to connect to www.cisco.com. The path should be Client > Router A > Router B > www.cisco.com

But when I set the route on Router A, ip route 172.16.0.57 255.255.255.255 172.16.0.100 (Router B), the tracert shows that the client with IP 172.16.0.57 connects directly via Router A and is not going through Router B.

Tracing route to e144.cd.akamaiedge.net [88.221.136.170]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  172.16.0.101
  2     2 ms     1 ms     2 ms  192.168.2.1
  3    24 ms    23 ms    22 ms  217.0.119.235
  4    22 ms    23 ms    26 ms  217.0.91.202
  5    38 ms    35 ms    36 ms  217.5.66.210
  6    35 ms    36 ms    36 ms  88.221.136.170

Any ideas what's going wrong?

Thanks and Greetings I. Jacob

4 Replies

Peter Paluch
Cisco Employee

Hello Jacob,

What you want to do cannot be done using ordinary routing. Ordinary IP routing takes only the destination into consideration when making a routing decision. However, what you want to do is to make the router consider both the source and the destination when routing a packet. This can be done using a functionality called Policy Based Routing.

The command you have added on the Router A has a different effect than you intended: The command ip route 172.16.0.57 255.255.255.255 172.16.0.100 essentially tells the router that if it receives a packet with the destination of 172.16.0.57, it shall send it to the router 172.16.0.100. I believe that this is actually what you don't want to do - the Router A is capable of delivering the packet to the 172.16.0.57 directly but you are forcing the Router A to deliver the packet via an extra hop through Router B.

In any case, if you want to make some stations use a different gateway, then the configuration on Router A would be as follows:

    ip access-list standard ACL-PBR1
     permit host 172.16.0.57
     ! Repeat the permit line for any other host to be routed specially
    !
    route-map RM-PBR permit 10
     match ip address ACL-PBR1
     set ip next-hop 172.16.0.100
    !
    interface FastEthernet0/0
     ! I assume this is the interface connected to the internal network
     ip policy route-map RM-PBR

This configuration is what we call Policy Based Routing. It makes the router inspect the IP packets coming into the Fa0/0 interface. If the packets match the ACL-PBR1 access-list (that is, if the source is permitted by this standard ACL) then they will be forwarded to the next-hop 172.16.0.100, bypassing the routing table on the router. If the packets do not match the ACL, they will be routed normally according to the routing table.

Best regards,

Peter
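
The forwarding decision described in the answer above, modelled as an added example that is not part of the original posts and is not Cisco code. The /24 LAN mask, the default route via 192.168.2.1 (taken from hop 2 of the traceroute), the "WAN" interface name and the second client 172.16.0.58 are assumptions for illustration.

```python
import ipaddress

# Router A's routing table as (prefix, next hop). The /24 LAN mask and the
# default route via 192.168.2.1 are assumptions inferred from the traceroute.
ROUTES = [
    ("172.16.0.0/24", "connected"),
    ("0.0.0.0/0", "192.168.2.1"),
]
# The host route from the question: it matches on DESTINATION 172.16.0.57.
HOST_ROUTE = ("172.16.0.57/32", "172.16.0.100")

# route-map RM-PBR from the answer: source hosts permitted by ACL-PBR1.
ACL_PBR1 = {"172.16.0.57"}
PBR_NEXT_HOP = "172.16.0.100"
PBR_INTERFACE = "FastEthernet0/0"


def lookup(routes, dst):
    """Destination-based routing: the longest matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(src, dst, in_if, routes, pbr=False):
    """Next hop Router A picks for one packet arriving on in_if."""
    if pbr and in_if == PBR_INTERFACE and src in ACL_PBR1:
        return PBR_NEXT_HOP          # set ip next-hop: routing table bypassed
    return lookup(routes, dst)       # no policy match: normal routing


if __name__ == "__main__":
    web = "88.221.136.170"           # destination seen in the traceroute
    with_host_route = ROUTES + [HOST_ROUTE]
    # Outbound from .57: the source is ignored, so the host route never applies.
    print(forward("172.16.0.57", web, PBR_INTERFACE, with_host_route))
    # Traffic addressed TO .57 is what the host route actually diverts.
    print(forward(web, "172.16.0.57", "WAN", with_host_route))
    # With PBR, only the permitted source is steered to Router B.
    print(forward("172.16.0.57", web, PBR_INTERFACE, ROUTES, pbr=True))
    print(forward("172.16.0.58", web, PBR_INTERFACE, ROUTES, pbr=True))
```
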

ingemar.jacob
Level 1

Hello Peter,

Thanks for your answer.

I will test this tomorrow.

The route I set up was definitely wrong, you are right. The mistake got through my mind after writing the first post.

I will let you know tomorrow if it worked.

Hello Peter,

I tested your configuration and it worked.

Thank you!

Kind regards

Ingemar

Hello,

I am glad to have helped. And I apologize if I inadvertently called you by your surname - frankly, I am not sure whether Ingemar or Jacob is your first name, and I apologize sincerely for that.

Best regards,

Peter
