  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1486
Configuring Cisco with several public IP's for NAT on one interface

I have a Cisco 2800 with two Eth interfaces (fe0/0 and fe0/1), one (fe0/0) connected to my LAN and the other one (fe0/1) connected to my "Internet" segment; this Internet segment is in turn connected to 3 ISP routers (one ADSL, one LS, and one VSAT -- let's call them A, B and C). Currently, my Cisco 2800 Internet eth interface (fe0/1) is assigned a public IP from connection A, and default ip outbound routing is directed towards A's router. And I have also defined some NAT's between some other public IP's bought from A and some of my private IP's (on the fe0/0 side). This works fine -- ie, I can establish connections out to the Internet from the LAN, and clients from the Internet can connect to my NAT'ed LAN servers. Basic stuff. Great.

Now, I'd like to use connections B and C. So I have similarly defined some more NAT's, using public ip addresses bought from ISPs B and C, and NAT'ed them to some LAN ip's. And these NAT's don't work (neither TCP nor UDP). Should I do something about the "return path"? ie, I've got only one default route out, towards A's gateway. How should I explain to the router that connections/packets first coming onto B/C public IP's should be routed back to B/C's gateways? I can't even get these NAT's to work with B and C public ip's when I hook up a single PC on my "Internet" segment with a public address from B and C.
Asked:
GrobRIM
1 Solution
 
Scotty_ciscoCommented:
Under FE0/1, what does your IP address look like? Is it assigned to a block that ISP A gave you? The reason that B and C are not working is that they route the block to FE0/1; if there is not an address on 0/1 that the router will respond to, it will drop the packet.

Try adding secondary addresses for ISPs B and C:

ip address x.x.x.x 255.255.255.x secondary  (ISP B's wan IP address)
ip address y.y.y.y 255.255.255.y secondary (ISP C's WAN IP address)

Thanks
Scott
GrobRIMAuthor Commented:
Scott,

Yes, on FE0/1, I'm using public IP addresses assigned to me by ISPs A, B, and C.

I had already tried that -- adding explicit secondary addresses to the interface (though the Cisco doc seems to state that the router won't use them for other purposes than sending routing updates) -- and it didn't help.

I thought that if the router would establish an incoming NAT'ed connection on, say, public ip B1 or C1, it would send packets back using B1 or C1 as the source address, and to make things clear for it, I've also explicitly stated that addresses B1 and C1 are on interface FE0/1 by creating explicit routes to the public subnets assigned to me by B and C, like:
ip route <public-subnetrange-B> <public-subnetmask-B> FastEthernet0/1
ip route <public-subnetrange-C> <public-subnetmask-C> FastEthernet0/1

But it didn't help either....

Scotty_ciscoCommented:
Then you will want to look at the command "ip outside source static"; it should work, and maybe do some policy-based routing to determine the path... Just a thought.

Thanks
scott
GrobRIMAuthor Commented:
Which command are you referring to, Scott?

I understand I'll need some policy-based routing to have my back-traffic routed to B's and C's gateways, but still, I can't even have the NAT work inwards with a test-PC plugged directly on the FE0/1 segment and set with a public IP from B or C.... grrr....
mikebernhardtCommented:
You have 2 separate issues:
1. Routing to the various ISPs.
2. Getting NAT to work for your various ISPs and their assigned addresses

If you want to use all 3 ISPs but from different PCs or networks, then you can use policy routing. If you want to have all users use all 3 ISPs, then it won't work because of TCP operation combined with NAT. However, you can set up failover in your policy routing so that if one ISP dies those users will automatically move to another one.

The 2nd is a NAT issue which has nothing to do with the routing. The best way to work on this is to disconnect ISP A and C while you are trying to get B to work. Then plug in ISP A and verify that it still works. Then do the same for ISP C.

You can't use secondary addresses for 2 reasons: first, ISP B will never accept source addresses that belong to ISP A, and will send traffic destined for an ISP A address directly to ISP B, who will forward it to you. 2nd, packets are always sent from the primary address, even routing updates. You cannot control which ISP return traffic will use; it will always use the ISP that owns the address you NATted to, because that's how internet routing works. The only way around that is to get your own public addressing from ARIN and use BGP.
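For readers following this thread, here is an added IOS configuration sketch (not posted by anyone in the thread, and not the asker's real configuration) that puts the two points above together: one static NAT per public address, each public address owned by a single ISP, and policy-based routing on the inside interface so that a server published through ISP B sends its replies to B's gateway while everything else follows the default route to ISP A. All addresses are placeholders from the RFC 5737 documentation ranges; the interface names match the ones in the question.

```cisco
! Added example, not from the thread. Placeholder addressing (assumed):
!   ISP A block 192.0.2.0/29,     A's gateway 192.0.2.1,     router's address 192.0.2.2
!   ISP B block 198.51.100.0/29,  B's gateway 198.51.100.1,  router's address 198.51.100.2
!   LAN 10.0.0.0/24
!   server1 10.0.0.10 published as 192.0.2.3     (owned by ISP A)
!   server2 10.0.0.20 published as 198.51.100.3  (owned by ISP B)
!
interface FastEthernet0/0
 description LAN side
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ! PBR is applied to packets arriving on this interface
 ip policy route-map PBR-RETURN
!
interface FastEthernet0/1
 description Internet segment shared by the three ISP routers
 ip address 192.0.2.2 255.255.255.248
 ip address 198.51.100.2 255.255.255.248 secondary
 ip nat outside
!
! Default route towards ISP A, as the asker has today
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! One inside host per public address; do not publish the same host
! through two ISPs (see the TCP + NAT caveat above)
ip nat inside source static 10.0.0.10 192.0.2.3
ip nat inside source static 10.0.0.20 198.51.100.3
!
! PBR on the inside interface is evaluated before inside-to-outside NAT,
! so the ACL matches the server's private address, not its public one
ip access-list extended FROM-SERVER-B
 permit ip host 10.0.0.20 any
!
route-map PBR-RETURN permit 10
 match ip address FROM-SERVER-B
 set ip next-hop 198.51.100.1
!
! Anything not matched by the route-map falls through to the routing
! table, i.e. the default route via ISP A
```

A third ISP is handled the same way: another secondary address on FastEthernet0/1, another static NAT, another ACL and route-map sequence with `set ip next-hop` pointing at that ISP's gateway. A plain `set ip next-hop` keeps sending to B's gateway even when that link is down; for the failover mikebernhardt mentions, IOS has the `verify-availability` form of `set ip next-hop` combined with object tracking, which drops back to the routing table when the tracked next hop stops answering.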