
Two ISP's, need help with NATting

bfilipek asked
Last Modified: 2010-04-08
I'll try to explain as simply as possible:

I have a 2611XM that has two separate internet connections from two ISPs terminating into it. From the 2611, I have my PIX 515E connected. I have a /28 block (16 usable) of IPs from ISP1 that are used between my 2611 and PIX. The remaining 14 IPs are statically NATted in the PIX to servers with LAN IPs on my network.

I also have a /28 block of IPs from ISP2 (the ISP2 WAN interface is using one of these IPs, and my ISP's router is using one as well. That leaves me with 14 to use on the 2611). I want to NAT some of these 14 IPs to servers on my LAN, but they are servers that already have IPs NATted through the PIX.

My goal is this: I want to give my users 2 IPs to use to access our internal server. If the first one doesn't work (because ISP1 is down), then I want the other one to work (which is from ISP2). What do I need to do to get this NATting to work properly?

Here is the NATting from the 2611 config:


interface FastEthernet0/0
 description WAN to ISP1
 ip address 9.9.9.98 255.255.255.192
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description WAN T1 to ISP2
 ip address 2.2.2.210 255.255.255.240
 no cdp enable
!
interface FastEthernet0/1
 description 2611 to Pix
 ip address 1.1.1.113 255.255.255.240
 duplex auto
 speed auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.9.9.97


Here is the NATting from the PIX 515 config:

ip address outside 1.1.1.114 255.255.255.240
ip address inside 192.168.1.1 255.255.252.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.1.1.115 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.116 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.117 192.168.1.17 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.113 1


Top Expert 2006

Commented:
The problem here will be the PIX unless you are running 7.x code.
It can only support a single IP address range on the external interface unless you want to do some NATting to it.

Basically put 2600 (NATting all) ---> PIX

Create a subnet that only the 2600 Ethernet and the PIX outside live on.

Let's say 10.10.1.1 for 2600 and 10.10.1.2 for PIX.

PIX config would only change slightly:


ip address outside 10.10.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.252.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.1.115 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.116 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.117 192.168.1.17 netmask 255.255.255.255 0 0


2600 Configuration

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

! extended ACLs take a wildcard mask, so 10.10.1.0/24 is 0.0.0.255
access-list natme permit ip 10.10.1.0 0.0.0.255 any
!
ip nat outside source static ISPIP1 PIX-IPs
ip nat outside source static ISPIP2 PIX-IPs
etc
!
! overload needs an interface (or pool) to translate to; FastEthernet0/0 (the ISP1 link) is assumed here
ip nat inside source list natme interface FastEthernet0/0 overload


interface FastEthernet0/0
 description WAN to ISP1
 ip address 9.9.9.98 255.255.255.192
 duplex auto
 speed auto
 no cdp enable
 ip nat outside
!
interface Serial0/0
 description WAN T1 to ISP2
 ip address 2.2.2.210 255.255.255.240
 no cdp enable
 ip nat outside
!
interface FastEthernet0/1
 description 2611 to Pix
 ip address 10.10.1.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.9.9.97

Author

Commented:
Hi prueconsulting, thanks for your reply.

I still don't understand how the NATting will work from the internet to my internal servers. So let's say I want IP 1.1.1.115 (from ISP1) to go to my internal server 192.168.1.115. I also want IP 2.2.2.115 (from ISP2) to go to the same internal server 192.168.1.115. How can I have two IPs NATting to the SAME internal IP? I didn't think this was possible? The route maps seem to only be for outbound traffic originating from my internal IP (in this case, 192.168.1.115).
Top Expert 2006

Commented:
You will have to create a "non-public" address space between the PIX and the 2600.

The configuration note I posted was also an idea.

The configuration I posted is more to this point.

This way you create static NATs on the 2600 pointing to the same address on the PIX.

I.e. you NAT 10.10.1.2 on the PIX to 192.168.1.115.

So on the 2600 you create your static NATs like this:

ISP1
NAT 1.1.1.115 to 10.10.1.2
ISP2
NAT 2.2.2.115 to 10.10.1.2

This way your PIX only has a single static NAT to deal with.

Author

Commented:
So I have to NAT 1.1.1.115 to 10.10.1.2, which you have as the PIX's outside interface. What would I NAT 1.1.1.116 and 1.1.1.117 to then?

Also, does the link you posted (explaining route maps) work with the config that you posted, or should the route maps be used separately?
Top Expert 2006

Commented:
10.10.1.x

Assign as many IPs on the external of the PIX as you need.

Route maps can be used separately.

I just posted it as another alternative to accomplish what you want.

Author

Commented:
So if ISP1 gave me 1.1.1.112/28 (1.1.1.113-1.1.1.126 usable), and ISP2 gave me 2.2.2.112/28 (2.2.2.113-2.2.2.126 usable), my 2611 would look like this (ignore previous example IPs).

=============================================================
! extended ACLs take a wildcard mask, so 10.10.1.0/24 is 0.0.0.255
access-list natme permit ip 10.10.1.0 0.0.0.255 any
!
ip nat outside source static 1.1.1.115 10.10.1.115
ip nat outside source static 2.2.2.115 10.10.1.115
ip nat outside source static 1.1.1.116 10.10.1.116
ip nat outside source static 2.2.2.116 10.10.1.116
ip nat outside source static 1.1.1.117 10.10.1.117
ip nat outside source static 2.2.2.117 10.10.1.117
!
! overload needs an interface (or pool) to translate to; FastEthernet0/0 (the ISP1 link the default route uses) is assumed here
ip nat inside source list natme interface FastEthernet0/0 overload
!
!
interface FastEthernet0/0
 description WAN to ISP1
 ip address 11.11.11.98 255.255.255.192
 duplex auto
 speed auto
 no cdp enable
 ip nat outside
!
interface Serial0/0
 description WAN T1 to ISP2
 ip address 12.12.12.237 255.255.255.252
 no cdp enable
 ip nat outside
!
interface FastEthernet0/1
 description 2611 to Pix
 ip address 10.10.1.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.97

=============================================================

And my PIX515E would look like this:


ip address outside 10.10.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.252.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.1.115 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.116 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.1.117 192.168.1.17 netmask 255.255.255.255 0 0

=============================================================

That's all I need for the inbound NATting to work over both connections?
Top Expert 2006

Commented:
Yes, this should be all that's required to have your inbound NATting functional.

Author

Commented:
OK, that makes sense. Now, would I be able to add any statements that will make my OUTBOUND NATting functional over both ISPs too?

I realize this would work if I wanted my outbound traffic to use just the one ISP:

ip nat inside source static 10.10.1.115 1.1.1.115
ip nat inside source static 10.10.1.116 1.1.1.116
ip nat inside source static 10.10.1.117 1.1.1.117

But when I throw the 2nd ISP in there, this obviously wouldn't work:

ip nat inside source static 10.10.1.115 1.1.1.115
ip nat inside source static 10.10.1.115 2.2.2.115
ip nat inside source static 10.10.1.116 1.1.1.116
ip nat inside source static 10.10.1.116 2.2.2.116
ip nat inside source static 10.10.1.117 1.1.1.117
ip nat inside source static 10.10.1.117 2.2.2.117


What would I have to do at this point? Thanks again.
Top Expert 2006

Commented:
You can load balance between the 2 connections using a routing protocol like OSPF.
Then your statics would be built based on which interface they are leaving.

This is where the route maps would come in handy, based on which one it's leaving.
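
The inbound chain confirmed above (ISP address -> 10.10.1.x on the 2611 -> LAN host on the PIX) and the per-egress-interface outbound statics just mentioned, as an added Python model that is not part of this thread and not Cisco code: the addresses are the thread's, while the client address, the interface-keyed table and the function names are constructed. It also shows the caveat the thread does not get to: with the single default route in the 2611 config, a reply to a connection that arrived via ISP2 leaves via ISP1 carrying ISP1's address, so the client sees a mismatch.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# 2611: "ip nat inside source static <middle> <public>" per ISP link, keyed by the
# interface the packet leaves on (the route-map variant the thread points to).
# A plain static cannot hold two public addresses for one inside local address.
NAT_2611 = {
    "FastEthernet0/0": {"10.10.1.115": "1.1.1.115", "10.10.1.116": "1.1.1.116", "10.10.1.117": "1.1.1.117"},
    "Serial0/0":       {"10.10.1.115": "2.2.2.115", "10.10.1.116": "2.2.2.116", "10.10.1.117": "2.2.2.117"},
}
# PIX: "static (inside,outside) <middle> <LAN host>"
NAT_PIX = {"10.10.1.115": "192.168.1.15", "10.10.1.116": "192.168.1.16", "10.10.1.117": "192.168.1.17"}
DEFAULT_ROUTE_IF = "FastEthernet0/0"   # "ip route 0.0.0.0 0.0.0.0 <ISP1 gateway>"

def _key_for(table, value):
    """Reverse lookup: the local address whose translation is `value`, or None."""
    return next((k for k, v in table.items() if v == value), None)

def inbound(pkt, ingress_if):
    """Internet -> 2611 -> PIX. Returns the packet as the LAN host sees it, or None if no static matches."""
    middle = _key_for(NAT_2611[ingress_if], pkt.dst)   # 2611 rewrites destination public -> middle
    lan = NAT_PIX.get(middle)                            # PIX rewrites destination middle -> LAN host
    return replace(pkt, dst=lan) if lan else None

def outbound(pkt, egress_if):
    """LAN -> PIX -> 2611. The public source depends on the link the packet leaves on."""
    middle = _key_for(NAT_PIX, pkt.src)                  # PIX rewrites source LAN host -> middle
    public = NAT_2611[egress_if].get(middle) if middle else None
    return replace(pkt, src=public) if public else None

def reply_matches(client, public_dst, ingress_if, egress_if=DEFAULT_ROUTE_IF):
    """Does the server's reply carry the address the client connected to?
    With one default route the reply leaves via egress_if regardless of where the
    request came in, so a request that arrived on ISP2 is answered from ISP1's address."""
    inside = inbound(Packet(client, public_dst), ingress_if)
    if inside is None:
        return False
    reply = outbound(Packet(inside.dst, client), egress_if)
    return reply is not None and reply.src == public_dst

if __name__ == "__main__":
    client = "203.0.113.5"   # constructed client address (documentation range)
    print(inbound(Packet(client, "1.1.1.115"), "FastEthernet0/0"))
    print(reply_matches(client, "1.1.1.115", "FastEthernet0/0"))   # True
    print(reply_matches(client, "2.2.2.115", "Serial0/0"))          # False: reply sourced from 1.1.1.115
```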


Author

Commented:
Why did you suggest using:

ip nat outside source static 1.1.1.115 10.10.1.115
ip nat outside source static 2.2.2.115 10.10.1.115

as opposed to

ip nat inside source static 10.10.1.115 1.1.1.115
ip nat inside source static 10.10.1.115 2.2.2.115

Shouldn't it be the "ip nat inside" statements?
Top Expert 2006

Commented:
ip nat inside source static will create the outbound static when those devices talk outbound.

ip nat outside source static will create the static mapping on the external interface.

I think for all intents and purposes they accomplish the exact same thing, however.

Author

Commented:
The very bottom of this page explains the two: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

It says:

ip nat inside source
  * Translates the source of IP packets that are traveling inside to outside.
  * Translates the destination of the IP packets that are traveling outside to inside.

ip nat outside source
  * Translates the source of the IP packets that are traveling outside to inside.
  * Translates the destination of the IP packets that are traveling inside to outside.


It sounds like I should be using the ip nat INSIDE command, right?
Top Expert 2006

Commented:
Yes, inside would be the one you would want.

Author

Commented:
ip nat inside source static 10.10.1.115 1.1.1.115
ip nat inside source static 10.10.1.115 2.2.2.115

So if IP 192.168.1.115 (which is NATted to 10.10.1.115 on the PIX) wants to access the internet, which address would it use to go out to the internet?
Top Expert 2006
Commented: