Solved

Configuring Cisco with several public IPs for NAT on one interface

Posted on 2006-06-15
Last Modified: 2013-12-14
I have a Cisco 2800 with two Ethernet interfaces (fe0/0 and fe0/1), one (fe0/0) connected to my LAN and the other (fe0/1) connected to my "Internet" segment; this Internet segment is in turn connected to 3 ISP routers (one ADSL, one LS, and one VSAT -- let's call them A, B and C). Currently, my Cisco 2800 Internet Ethernet interface (fe0/1) is assigned a public IP from connection A, and default IP outbound routing is directed towards A's router. I have also defined some NATs between some other public IPs bought from A and some of my private IPs (on the fe0/0 side). This works fine -- i.e., I can establish connections out to the Internet from the LAN, and clients from the Internet can connect to my NATed LAN servers. Basic stuff. Great.

Now, I'd like to use connections B and C. So I have similarly defined some more NATs, using public IP addresses bought from ISPs B and C, and NATed them to some LAN IPs. And these NATs don't work (neither TCP nor UDP). Should I do something about the "return path"? I.e., I've got only one default route out, towards A's gateway. How should I explain to the router that connections/packets first arriving on B/C public IPs should be routed back to B/C's gateways? I can't even get these NATs to work with B and C public IPs when I hook up a single PC on my "Internet" segment with a public address from B or C.
Question by:GrobRIM
7 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16913862
Under FE0/1, what does your IP address look like? Is it assigned to a block that ISP A gave you? The reason that B and C are not working is that they route the block to FE0/1; if there is not an address on 0/1 that the router will respond to, it will drop the packet.

Try adding secondary addresses for ISPs B and C:

ip address x.x.x.x 255.255.255.x secondary  (ISP B's wan IP address)
ip address y.y.y.y 255.255.255.y secondary (ISP C's WAN IP address)

Thanks
Scott
 

Author Comment

by:GrobRIM
ID: 16913980
Scott,

Yes, on FE0/1, I'm using public IP addresses assigned to me by ISPs A, B, and C.

I had already tried that (adding explicit secondary addresses to the interface, though the Cisco doc seems to state that the router won't use them for other purposes than sending routing updates), and it didn't help.

I thought that if the router established an incoming NATed connection on, say, public IP B1 or C1, it would send packets back using B1 or C1 as the source address, and to make things clear for it, I've also explicitly stated that addresses B1 and C1 are on interface FE0/1 by creating explicit routes to the public subnets assigned to me by B and C, like:
ip route <public-subnetrange-B> <public-subnetmask-B> FastEthernet0/1
ip route <public-subnetrange-C> <public-subnetmask-C> FastEthernet0/1

But that didn't help either...

 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 16914031
Then you will want to look at the command "ip outside source static"; it should work, and maybe do some policy-based routing to determine the path... Just a thought.

Thanks
scott
 

Author Comment

by:GrobRIM
ID: 16914105
Which command are you referring to, Scott?

I understand I'll need some policy-based routing to have my back-traffic routed to B's and C's gateways, but still, I can't even get the NAT to work inbound with a test PC plugged directly into the FE0/1 segment and set with a public IP from B or C.... grrr....
 
LVL 28

Accepted Solution

by: mikebernhardt (earned 125 total points)
ID: 17095882
You have 2 separate issues:
1. Routing to the various ISPs.
2. Getting NAT to work for your various ISPs and their assigned addresses.

If you want to use all 3 ISPs but from different PCs or networks, then you can use policy routing. If you want to have all users use all 3 ISPs, then it won't work, because of TCP operation combined with NAT. However, you can set up failover in your policy routing so that if one ISP dies those users will automatically move to another one.

The 2nd is a NAT issue which has nothing to do with the routing. The best way to work on this is to disconnect ISPs A and C while you are trying to get B to work. Then plug in ISP A and verify that it still works. Then do the same for ISP C.

You can't use secondary addresses for 2 reasons. First, ISP B will never accept source addresses that belong to ISP A, and will send traffic destined for an ISP A address directly to ISP B, who will forward it to you. 2nd, packets are always sent from the primary address, even routing updates. You cannot control which ISP return traffic will use; it will always use the ISP that owns the address you NATted to, because that's how Internet routing works. The only way around that is to get your own public addressing from ARIN and use BGP.
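As an added illustration (not a configuration posted by anyone in this thread), here is the per-network policy routing plus static NAT arrangement the accepted answer describes, in Cisco IOS syntax. It uses RFC 5737 documentation prefixes as stand-ins for the three ISP blocks, assumes each ISP router sits on the shared fe0/1 segment so the 2800 needs an address in each ISP's subnet to reach that gateway, and assumes one LAN server is published through B and one through C.

```cisco
! Added illustration, not the router config from this thread.
! Assumed addressing (RFC 5737 documentation ranges):
!   ISP A block 192.0.2.0/29,     gateway 192.0.2.1
!   ISP B block 198.51.100.0/29,  gateway 198.51.100.1
!   ISP C block 203.0.113.0/29,   gateway 203.0.113.1
!   LAN 192.168.10.0/24; server .20 is published via B, .30 via C
!
interface FastEthernet0/1
 description Internet segment shared with the three ISP routers
 ip address 192.0.2.2 255.255.255.248
 ip address 198.51.100.2 255.255.255.248 secondary
 ip address 203.0.113.2 255.255.255.248 secondary
 ip nat outside
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map LAN-EGRESS
!
! Default path for everything not policy-routed stays with ISP A
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Static NATs: public addresses from B and C mapped to LAN servers
ip nat inside source static 192.168.10.20 198.51.100.3
ip nat inside source static 192.168.10.30 203.0.113.3
! Remaining LAN hosts go out through ISP A behind the primary address
ip access-list standard LAN-HOSTS
 permit 192.168.10.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface FastEthernet0/1 overload
!
! Policy routing on the inside interface is evaluated before
! inside-to-outside NAT, so it matches the servers' private addresses
! and pins their replies (which carry B's or C's public address after
! NAT) to the matching ISP gateway instead of the default route via A.
ip access-list extended FROM-SERVER-B
 permit ip host 192.168.10.20 any
ip access-list extended FROM-SERVER-C
 permit ip host 192.168.10.30 any
!
route-map LAN-EGRESS permit 10
 match ip address FROM-SERVER-B
 set ip next-hop 198.51.100.1
route-map LAN-EGRESS permit 20
 match ip address FROM-SERVER-C
 set ip next-hop 203.0.113.1
! Sequence 30 with no match/set: other traffic follows the routing table
route-map LAN-EGRESS permit 30
```

With this in place, `show ip nat translations` and `debug ip policy` (on a quiet router) are the two checks that confirm a reply from 192.168.10.20 was translated to 198.51.100.3 and sent to 198.51.100.1 rather than to A's gateway.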
