Multiple NAT dialer interfaces


  • Multiple NAT dialer interfaces

    Hello all,

    I have one more question about multiple NATs on a single Cisco box. My config is below. So what I'm trying to do is to provide internet for 192.168.1.10 and 192.168.1.11. I want 192.168.1.10 to go through Dialer2 and 192.168.1.11 to go through Dialer3. So I've tried to configure route-maps as described here http://www.cisco.com/en/US/tech/tk64...80093fca.shtml . However, the problem is that only one client has internet access at a time.

    So if I ping some internet host from both 192.168.1.10 and 192.168.1.11, then both Dialer2 and Dialer3 do dial out. However only one host receives ping replies. If I shut down the corresponding dialer and bring it back up, then the other host starts receiving ping replies. Here is some debug information (currently 192.168.1.11 receives ping replies and 192.168.1.10 doesn't):

    show ip nat translations
    Pro  Inside global         Inside local        Outside local   Outside global
    icmp 66.249.174.232:59756  192.168.1.10:59756  8.8.8.8:59756   8.8.8.8:59756
    icmp 66.81.223.186:60012   192.168.1.11:60012  8.8.8.8:60012   8.8.8.8:60012
    debug ip nat
    show log
    Jun 28 18:09:26.189: NAT: s=192.168.1.10->66.249.174.232, d=8.8.8.8 [0]
    Jun 28 18:09:26.701: NAT: s=192.168.1.11->66.81.223.186, d=8.8.8.8 [0]
    Jun 28 18:09:26.873: NAT: s=8.8.8.8, d=66.81.223.186->192.168.1.11 [0]
    Jun 28 18:09:27.189: NAT: s=192.168.1.10->66.249.174.232, d=8.8.8.8 [0]
    Jun 28 18:09:27.701: NAT: s=192.168.1.11->66.81.223.186, d=8.8.8.8 [0]
    Jun 28 18:09:27.881: NAT: s=8.8.8.8, d=66.81.223.186->192.168.1.11 [0]

    It looks like nat changes source for IP packets from 192.168.1.10 but doesn't receive anything back... or it just doesn't send anything? Any help will be appreciated! I have already tried to set up multiple NATs using route-maps, access-lists, and without them, the result was always the same: only a single client has internet access at a time.
    Here is my configuration:

    Code:
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex full
     speed 100
     no cdp enable
    
    interface Dialer2
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer in-band
     dialer idle-timeout 600
     dialer string xxxxxxxxxxx
     dialer-group 2
     ppp pap sent-username xxxxxxxxxx password 0 xxxxxxxxxx
     ppp ipcp dns request
     ppp ipcp mask request
     ppp timeout retry 15
    
    interface Dialer3
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer in-band
     dialer idle-timeout 600
     dialer string xxxxxxxxxxx
     dialer-group 3
     ppp pap sent-username xxxxxxxxxx password 0 xxxxxxxxxx
     ppp ipcp dns request
     ppp ipcp mask request
     ppp timeout retry 15
    
    ip route 0.0.0.0 0.0.0.0 Dialer3
    ip route 0.0.0.0 0.0.0.0 Dialer2
    
    ip nat inside source route-map nat2 interface Dialer2 overload
    ip nat inside source route-map nat3 interface Dialer3 overload
    
    access-list 10 permit 192.168.1.10
    access-list 11 permit 192.168.1.11
    
    route-map nat3 permit 10
     match ip address 11
    !
    route-map nat2 permit 10
     match ip address 10
    Thanks!

  • #2
    Re: Multiple NAT dialer interfaces

    Try to use some policy based routing


    ip nat inside source route-map nat2 interface Dialer2 overload
    ip nat inside source route-map nat3 interface Dialer3 overload

    access-list 10 permit 192.168.1.10
    access-list 11 permit 192.168.1.11

    route-map nat3 permit 10
     match ip address 11
     match interface dialer 3
    !
    route-map nat2 permit 10
     match ip address 10
     match interface dialer 2

    int fa0/0
     ip policy route-map PBR
     ip nat inside

    route-map PBR permit 10
     match ip address 11
     set interface dialer 3

    route-map PBR permit 20
     match ip address 10
     set interface dialer 2
    Last edited by auglan; 15th May 2010, 03:48.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
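
A consistency check for the configuration in the reply above, as an added example that is not part of the original post: it parses the NAT and PBR statements and reports any access-list whose policy-routed egress interface differs from the interface its traffic is NATed to, since a mismatch means the traffic is not translated to the address of the link it leaves on. The function names are constructed for illustration and the embedded text is the NAT and PBR part of that reply.

```python
import re

# Sample input: the NAT and PBR statements from the reply above.
CONFIG = """\
ip nat inside source route-map nat2 interface Dialer2 overload
ip nat inside source route-map nat3 interface Dialer3 overload
route-map nat3 permit 10
 match ip address 11
 match interface dialer 3
route-map nat2 permit 10
 match ip address 10
 match interface dialer 2
route-map PBR permit 10
 match ip address 11
 set interface dialer 3
route-map PBR permit 20
 match ip address 10
 set interface dialer 2
"""

def norm(iface):
    """'dialer 3' and 'Dialer3' name the same interface."""
    return iface.replace(" ", "").lower()

def parse(config):
    """Return (nat: route-map name -> interface, entries: route-map clauses)."""
    nat, entries, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat inside source route-map (\S+) interface (.+?) overload", line):
            nat[m[1]] = norm(m[2])
        elif m := re.match(r"route-map (\S+) permit (\d+)", line):
            cur = {"name": m[1], "acl": None, "set": None}
            entries.append(cur)
        elif cur and (m := re.match(r"match ip address (\S+)", line)):
            cur["acl"] = m[1]
        elif cur and (m := re.match(r"set interface (.+)", line)):
            cur["set"] = norm(m[1])
    return nat, entries

def nat_pbr_mismatches(config):
    """(acl, NAT interface, PBR egress) for every ACL where the two differ."""
    nat, entries = parse(config)
    egress = {e["acl"]: e["set"] for e in entries if e["set"]}
    nat_if = {e["acl"]: nat[e["name"]] for e in entries if e["name"] in nat}
    return sorted((acl, nat_if[acl], egress[acl])
                  for acl in nat_if.keys() & egress.keys() if nat_if[acl] != egress[acl])
```
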

    • #3
      Re: Multiple NAT dialer interfaces

      I also think in this scenario, that having two default gateways may be part of your problem... ?
      Please do show your appreciation to those who assist you by leaving Rep Point

      • #4
        Re: Multiple NAT dialer interfaces

        Yeah both statics should have the same cost so it's probably load balancing between the two. The issue is there is no way for the router to know what static it should use. The policy routing will bypass what the routing table has. You could set up some kind of conditional routing to choose a specific next hop using IP SLA and enhanced object tracking to track the status of the static route based on your specific ISP next hops. The issue is you don't specify a next hop but an outgoing interface. Try it out and see if it works. If I get some time today I will try to lab this scenario on my rack.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: Multiple NAT dialer interfaces

          Thanks auglan! It works exactly as you described.
          policy based routing rocks

          • #6
            Re: Multiple NAT dialer interfaces

            Ok cool. Yeah PBR is nice but the only issue with that setup is there really isn't any redundancy. (If 1 ISP goes down it's pretty much going to blackhole any traffic for that circuit) but at least it's working.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
