Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

NAT Failover on Cisco router with BGP not working

Posted on 2009-06-29
6
Medium Priority
?
1,091 Views
Last Modified: 2012-05-07
Hi Everyone

I'm having a problem with NAT Failover
we have just gone to a BGP setup for multi homing from static routes on the gateway router
the NAT failover worked before when we just had static routes but doesnt work now.
Before the move from static routers i have several users designated with and access-list and router map to use the backup connection as there default router, these no longer work which is why I know something is wrong.

With the above mentioned routemap (called BACK_UP) in place from the .60 address i can tracert to the backup connections interface and gateway IP's but a traceroute to anything passed that gets stuck at the .1 ip addess of the router anything after that is * * *

I'm pretty sure i'm just missing something simple
I've attached a sanitized copy of the relevant config from the router and sanitized in the same way copy of the sh ip route


For ease of readed but at the same time to protect my self I changed the IP addresses so that
mmm.mmm.mmm.  address are the connection to the main ISP
bbb.bbb.bbb. address are the IP address assigned to us by our backup ISP
xxx.xxx.xxx. are our own IP address range.
xxx.xxx.xxx.100 is the default IP for traffic coming for our firewall



Show ip route
+++++++++++++
Gateway of last resort is mmm.mmm.mmm.85 to network 0.0.0.0

     bbb.bbb.bbb.0/27 is subnetted, 1 subnets
C       bbb.bbb.bbb.96 is directly connected, GigabitEthernet0/2
     mmm.mmm.0.0/30 is subnetted, 1 subnets
C       mmm.mmm.mmm.84 is directly connected, Serial1/0
B*   0.0.0.0/0 [20/1] via mmm.mmm.mmm.85, 6w3d
C    xxx.xxx.xxx.0/22 is directly connected, GigabitEthernet0/1




Router Config
++++++++++++++

interface GigabitEthernet0/1
 description External IP's
 ip address xxx.xxx.xxx.1 255.255.252.0
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map BACK_UP
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no mop enabled
!
interface GigabitEthernet0/2
 description Backup Connection
 ip address bbb.bbb.bbb.98 255.255.255.224
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no mop enabled
!
interface Serial1/0
 description T3 multihome (Serial interface)
 ip address mmm.mmm.mmm.86 255.255.255.252
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip route-cache flow
 dsu bandwidth 9000
 scramble
 framing c-bit
 cablelength 10
!
router bgp XXXXX
 no synchronization
 bgp router-id mmm.mmm.mmm.86
 bgp log-neighbor-changes
 network mmm.mmm.mmm.84 mask 255.255.255.252
 network xxx.xxx.xxx.0 mask 255.255.252.0
 neighbor mmm.mmm.mmm.85 remote-as YYYYY
 neighbor mmm.mmm.mmm.85 version 4
 neighbor mmm.mmm.mmm.85 default-originate
 neighbor mmm.mmm.mmm.85 route-map our_ips out
 neighbor mmm.mmm.mmm.85 maximum-prefix 500
 no auto-summary
!
ip default-gateway mmm.mmm.mmm.85
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 mmm.mmm.mmm.85 80
ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.97 120
!
ip nat inside source list NAT2BACKUP interface GigabitEthernet0/2 overload
ip nat inside source static xxx.xxx.xxx.100 bbb.bbb.bbb.100
ip nat inside source static xxx.xxx.xxx.101 bbb.bbb.bbb.101
ip nat inside source static xxx.xxx.xxx.102 bbb.bbb.bbb.102
!
ip access-list standard BGP_OUT
 remark Access list for bgp routemap to allow only our IP's to broadcast out
 permit xxx.xxx.xxx.0 0.0.3.255
ip access-list standard NAT2BACKUP
 remark NAT_2_BACKUP
 permit xxx.xxx.xxx.0 0.0.3.255
!
route-map our_ips permit 10
 match ip address BGP_OUT
!
ip access-list extended Backup_Users
 remark ip's in this acl map to route-map BACK_UP
 remark and are pushed out of the backup connection
 permit ip host xxx.xxx.xxx.60 any
!
route-map BACK_UP permit 100
 match ip address Backup_Users
 set ip default next-hop bbb.bbb.bbb.97
0
Comment
Question by:mhorrocks
  • 3
  • 3
6 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24831326
You say that you are multi-homing but I only see one neighbor in the BGP config.

Even with a multi-homed environment, you can still choose a preferred path out with static routes if the outgoing bandwidth is dramatically less than the incoming bandwidth.
0
 

Author Comment

by:mhorrocks
ID: 24895902
We are not currently multihomed, it's what we are working towards hence the single neighbor
that should be done in about a month or so

so what you are saying this secondary connection should be included in my BGP routing table either as
redistribute connected or redistribute static? I can then manipulate the the best route, would the fix my NAT problem ?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 24896054
I see the DS3 as the external facing interface peering with its BGP neighbor but the NAT is not applied to traffic leaving that interface.

According to the configuration above, the nat outside statement is applied to the backup GigE connection.  Is this GigE connection to be your backup external connection?
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 

Author Comment

by:mhorrocks
ID: 24897732
Yes that's correct
there are 3 connections in to the router

One from the Firewall (g0/1)
One for the DS3 (s1/0)
and one for a Business cable provider (g0/2)

there is no need to NAT traffic going over the DS3 (primary) but we do need to NAT traffic if i goes over the cable connection.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 1500 total points
ID: 24910080
what do you see with "sh ip nat trans" when failing over to the cable connection?
0
 

Author Comment

by:mhorrocks
ID: 25008723
Manage to figure out my problem
partly route-map, partly bgp routing
while Jesper didnt fully solve the issue her comments did help
so im going to award _jesper the points
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question