Solved

How to properly load balance two ISP's and two NATs

Posted on 2008-11-04
314 Views
Last Modified: 2010-04-21
I currently have a 2800 Series router connected to CEF per-destination balanced T1s and a secondary provider, broadband cable.  I've configured 2 NAT outgoing ACLs, one for each provider, and configured 3 static routes (2 x T1, 1 x cable).

At this point, if I enable all lines/routes I end up with failed packets leaving the router, and I'm 90% sure it's due to NAT being applied to the wrong line, i.e. the cable NAT applied on the T1 lines or the T1 NAT being applied to packets on the cable.
What is the proper configuration to allow for load balancing across two different providers with separate NATs? If this isn't possible, what is the proper configuration to allow for failover?
In both situations I end up running into failed packet transmission and I'm unsure as to how to proceed.

I can provide any data required beyond that listed below.

Thanks,
Postie.
! t1#1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
! t1#2
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent
! cable
ip route 0.0.0.0 0.0.0.0 gigabitethernet0/1 10 permanent
 
! T1 NAT
ip nat inside source list ECCL1 interface Loopback0 overload
! Cable NAT
ip nat inside source list ECCL2 interface GigabitEthernet0/1 overload
 
! T1 NAT
ip access-list standard ECCL1
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
! CABLE NAT
ip access-list standard ECCL2
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255

Question by:Posthumous
4 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22877567
Give this a try.  You need to use route-maps and match the outgoing interface so when traffic leaves the T1's, it is NAT'ed to a T1 IP and the same for the cable side.  The routing is fine but remove the permanent keyword from each route for failover purposes.  Replace the NAT statements with the below and add the route-maps:

Access-lists are fine:

! T1 NAT
ip access-list standard ECCL1
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
! CABLE NAT
ip access-list standard ECCL2
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255

Add route-maps:

route-map t1 permit 10
 match ip address ECCL1
 match interface Serial0/0/0:0

route-map t1 permit 20
 match ip address ECCL1
 match interface Serial0/0/1:0

route-map cable permit 10
 match ip address ECCL2
 match interface GigabitEthernet0/1

! Remove the existing NAT statements
no ip nat inside source list ECCL1 interface Loopback0 overload
no ip nat inside source list ECCL2 interface GigabitEthernet0/1 overload

ip nat inside source route-map t1 interface Loopback0 overload
ip nat inside source route-map cable interface GigabitEthernet0/1 overload

Remove permanent keyword from routes:

no ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
no ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent
no ip route 0.0.0.0 0.0.0.0 gigabitethernet0/1 10 permanent

ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0
ip route 0.0.0.0 0.0.0.0 gigabitethernet0/1 10
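The following Python model is an added illustration of the two points in the answer above; it is not part of the thread and not router code. It models per-destination CEF load sharing over the default routes, the difference between list-based NAT (first matching statement wins, regardless of egress) and route-map NAT with `match interface`, and the effect of the `permanent` keyword on failover to the floating cable route. The interface and ACL names are the thread's; the public addresses are constructed (RFC 5737 documentation ranges), and the assumption that each provider drops packets sourced from the other provider's address block stands in for ISP ingress filtering.

```python
"""
Model of the accepted answer's two points: NAT on a dual-ISP router must be
tied to the egress interface (route-map + 'match interface'), and 'permanent'
static routes keep a dead T1 in the RIB so the floating cable route never
takes over.  Added illustration, not router code.  Public addresses are
constructed; the provider-side source check is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import zlib

INSIDE = ip_network("192.168.1.0/24")            # the ECCL1 / ECCL2 permit range

# Translated source for each 'interface X overload' pool (constructed values).
EGRESS_IP = {"Loopback0": "203.0.113.10", "GigabitEthernet0/1": "198.51.100.10"}
# Which provider each egress belongs to, and the source it accepts (assumption).
PROVIDER_OF = {"Serial0/0/0:0": "t1", "Serial0/0/1:0": "t1",
               "GigabitEthernet0/1": "cable"}
ACCEPTED_SRC = {"t1": "203.0.113.10", "cable": "198.51.100.10"}
ALL_UP = frozenset(PROVIDER_OF)


@dataclass
class StaticRoute:
    iface: str
    distance: int = 1        # 'ip route ... gigabitethernet0/1 10' -> distance 10
    permanent: bool = False  # 'permanent' keeps the route even when iface is down


@dataclass
class NatRule:
    pool_iface: str            # 'interface X overload': source becomes X's IP
    match_ifaces: tuple = ()   # route-map 'match interface'; empty = list-only NAT


def active_default_routes(routes, up_ifaces):
    """Routes installed in the RIB: lowest admin distance among routes whose
    interface is up, plus any 'permanent' route regardless of link state."""
    cands = [r for r in routes if r.permanent or r.iface in up_ifaces]
    if not cands:
        return []
    best = min(r.distance for r in cands)
    return [r for r in cands if r.distance == best]


def cef_pick_egress(rib, src, dst):
    """Per-destination CEF load sharing: (src, dst) hashed across equal routes."""
    return rib[zlib.crc32(f"{src}-{dst}".encode()) % len(rib)].iface


def translate(nat_rules, src, egress):
    """The first NAT statement whose ACL (and route-map interface, if any)
    matches is applied; with list-only NAT that ignores the egress entirely."""
    for rule in nat_rules:
        if ip_address(src) not in INSIDE:
            continue
        if rule.match_ifaces and egress not in rule.match_ifaces:
            continue
        return EGRESS_IP[rule.pool_iface]
    return src  # untranslated


def send(routes, nat_rules, up_ifaces, src, dst):
    """Route one packet, translate it, then apply the provider's source check.
    Returns (egress interface, translated source, delivered)."""
    rib = active_default_routes(routes, up_ifaces)
    if not rib:
        return None, src, False
    egress = cef_pick_egress(rib, src, dst)
    if egress not in up_ifaces:
        return egress, src, False              # blackholed on a down link
    new_src = translate(nat_rules, src, egress)
    return egress, new_src, new_src == ACCEPTED_SRC[PROVIDER_OF[egress]]


def delivery_rate(routes, nat_rules, up_ifaces, n=200):
    """Fraction of n constructed inside->Internet packets that get through."""
    hits = sum(send(routes, nat_rules, up_ifaces,
                    f"192.168.1.{10 + i % 50}", f"4.2.2.{1 + i % 4}")[2]
               for i in range(n))
    return hits / n


# The question's routes (permanent) versus the answer's (keyword removed).
ROUTES_PERMANENT = [StaticRoute("Serial0/0/0:0", permanent=True),
                    StaticRoute("Serial0/0/1:0", permanent=True),
                    StaticRoute("GigabitEthernet0/1", 10, permanent=True)]
ROUTES_FIXED = [StaticRoute("Serial0/0/0:0"), StaticRoute("Serial0/0/1:0"),
                StaticRoute("GigabitEthernet0/1", 10)]
# The question's list-based NAT versus the answer's route-map NAT.
NAT_LIST_ONLY = [NatRule("Loopback0"), NatRule("GigabitEthernet0/1")]
NAT_ROUTE_MAP = [NatRule("Loopback0", ("Serial0/0/0:0", "Serial0/0/1:0")),
                 NatRule("GigabitEthernet0/1", ("GigabitEthernet0/1",))]

if __name__ == "__main__":
    cable_only = {"GigabitEthernet0/1"}
    for label, routes, nat, up in [
        ("all links up, route-map NAT", ROUTES_FIXED, NAT_ROUTE_MAP, ALL_UP),
        ("T1s down, list NAT", ROUTES_FIXED, NAT_LIST_ONLY, cable_only),
        ("T1s down, route-map NAT", ROUTES_FIXED, NAT_ROUTE_MAP, cable_only),
        ("T1s down, permanent routes", ROUTES_PERMANENT, NAT_ROUTE_MAP, cable_only),
    ]:
        print(f"{label:30s} delivered {delivery_rate(routes, nat, up):.0%}")
```

With both T1s up, the cable route (distance 10) is only a floating backup, so every configuration delivers. The failures appear on failover: list-only NAT still picks the first statement and stamps the T1 address onto packets leaving the cable interface, and permanent routes keep the dead T1s in the RIB so CEF keeps hashing flows onto them.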
 
LVL 1

Author Comment

by:Posthumous
ID: 22878982
Very nice!
Excellent sir, I'll put that information into the router tonight and see what breaks!
Will let you know as soon as I know one way or another.

post
 
LVL 1

Author Comment

by:Posthumous
ID: 22881730
Good evening.
With the changes as listed above I can do extended pings out all interfaces without any lost traffic.

However, if I ping extended using the loopback0 interface that is translated to the T1-provided IP range, I receive an alternating .!.!. response from the test.
Also, current continuous pings from a workstation inside the network to outside 4.2.2.2 see large amounts of failed pings, perhaps over 50%.
Pings to the router itself receive no loss.
I removed the gigabit route and the NAT related to it and see the same data loss.

I'm reviewing ACLs now to make sure nothing else could be blocking the pings.

Thanks,
Post

Browsing on the internet and connectivity to remote sites along with incoming requests to mail server seem to be working fine. Strangely.




ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
ip route 0.0.0.0 0.0.0.0 gigabitethernet0/1 10
 
ip nat inside source route-map cable interface GigabitEthernet0/1 overload
ip nat inside source route-map t1 interface Loopback0 overload
 
ip access-list standard ECCL1
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
ip access-list standard ECCL2
 remark Company
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
 
route-map t1 permit 10
 match ip address ECCL1
 match interface Serial0/0/0:0
!
route-map t1 permit 20
 match ip address ECCL1
 match interface Serial0/0/1:0
!
route-map cable permit 10
 match ip address ECCL2
 match interface GigabitEthernet0/1
 
 
 
Below is a sample ping from the PC: (actually one of the better batches)
Request timed out.
Request timed out.
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Request timed out.
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Request timed out.
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Request timed out.
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Reply from 4.2.2.2: bytes=32 time=18ms TTL=56
Request timed out.

 
LVL 1

Author Closing Comment

by:Posthumous
ID: 31513135
Thanks for the info. Working well!
