mhorrocks
asked on
NAT Failover on Cisco router with BGP not working
Hi everyone,
I'm having a problem with NAT failover.
We have just moved to a BGP setup for multihoming, from static routes on the gateway router.
The NAT failover worked before when we just had static routes, but doesn't work now.
Before the move from static routes I have several users designated with an access-list and route-map to use the backup connection as their default route; these no longer work, which is how I know something is wrong.
With the above-mentioned route-map (called BACK_UP) in place, from the .60 address I can tracert to the backup connection's interface and gateway IPs, but a traceroute to anything past that gets stuck at the .1 IP address of the router; anything after that is * * *.
I'm pretty sure I'm just missing something simple.
I've attached a sanitized copy of the relevant config from the router and a copy of the sh ip route, sanitized in the same way.
For ease of reading, but at the same time to protect myself, I changed the IP addresses so that:
mmm.mmm.mmm. addresses are the connection to the main ISP
bbb.bbb.bbb. addresses are the IP addresses assigned to us by our backup ISP
xxx.xxx.xxx. is our own IP address range.
xxx.xxx.xxx.100 is the default IP for traffic coming from our firewall
Show ip route
+++++++++++++
Gateway of last resort is mmm.mmm.mmm.85 to network 0.0.0.0
bbb.bbb.bbb.0/27 is subnetted, 1 subnets
C bbb.bbb.bbb.96 is directly connected, GigabitEthernet0/2
mmm.mmm.0.0/30 is subnetted, 1 subnets
C mmm.mmm.mmm.84 is directly connected, Serial1/0
B* 0.0.0.0/0 [20/1] via mmm.mmm.mmm.85, 6w3d
C xxx.xxx.xxx.0/22 is directly connected, GigabitEthernet0/1
Router Config
++++++++++++++
interface GigabitEthernet0/1
description External IP's
ip address xxx.xxx.xxx.1 255.255.252.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map BACK_UP
duplex auto
speed auto
media-type rj45
negotiation auto
no mop enabled
!
interface GigabitEthernet0/2
description Backup Connection
ip address bbb.bbb.bbb.98 255.255.255.224
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type rj45
negotiation auto
no mop enabled
!
interface Serial1/0
description T3 multihome (Serial interface)
ip address mmm.mmm.mmm.86 255.255.255.252
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
dsu bandwidth 9000
scramble
framing c-bit
cablelength 10
!
router bgp XXXXX
no synchronization
bgp router-id mmm.mmm.mmm.86
bgp log-neighbor-changes
network mmm.mmm.mmm.84 mask 255.255.255.252
network xxx.xxx.xxx.0 mask 255.255.252.0
neighbor mmm.mmm.mmm.85 remote-as YYYYY
neighbor mmm.mmm.mmm.85 version 4
neighbor mmm.mmm.mmm.85 default-originate
neighbor mmm.mmm.mmm.85 route-map our_ips out
neighbor mmm.mmm.mmm.85 maximum-prefix 500
no auto-summary
!
ip default-gateway mmm.mmm.mmm.85
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 mmm.mmm.mmm.85 80
ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.97 120
!
ip nat inside source list NAT2BACKUP interface GigabitEthernet0/2 overload
ip nat inside source static xxx.xxx.xxx.100 bbb.bbb.bbb.100
ip nat inside source static xxx.xxx.xxx.101 bbb.bbb.bbb.101
ip nat inside source static xxx.xxx.xxx.102 bbb.bbb.bbb.102
!
ip access-list standard BGP_OUT
remark Access list for bgp routemap to allow only our IP's to broadcast out
permit xxx.xxx.xxx.0 0.0.3.255
ip access-list standard NAT2BACKUP
remark NAT_2_BACKUP
permit xxx.xxx.xxx.0 0.0.3.255
!
route-map our_ips permit 10
match ip address BGP_OUT
!
ip access-list extended Backup_Users
remark ip's in this acl map to route-map BACK_UP
remark and are pushed out of the backup connection
permit ip host xxx.xxx.xxx.60 any
!
route-map BACK_UP permit 100
match ip address Backup_Users
set ip default next-hop bbb.bbb.bbb.97
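The config above can be reasoned about with a small model of the router's route selection (lowest administrative distance per prefix, longest match per lookup), the BACK_UP policy route and the placement of `ip nat outside`. This is an added example, not code from the post or from Cisco; the addresses are constructed stand-ins for the sanitized mmm/bbb/xxx ranges, and the model encodes only the ADs, interfaces, ACL and route-map shown in the question (the `set ip default next-hop` action applies only when the RIB holds no route other than the default).

```python
import ipaddress

# Constructed stand-ins for the sanitized ranges in the question (not real addresses).
MAIN_ISP = ipaddress.ip_network("203.0.113.84/30")   # mmm.mmm.mmm.84/30 on Serial1/0
MAIN_GW = ipaddress.ip_address("203.0.113.85")       # mmm.mmm.mmm.85, the BGP neighbor
BACKUP = ipaddress.ip_network("198.51.100.96/27")    # bbb.bbb.bbb.96/27 on Gi0/2
BACKUP_GW = ipaddress.ip_address("198.51.100.97")    # bbb.bbb.bbb.97, cable provider gateway
OURS = ipaddress.ip_network("10.10.0.0/22")          # xxx.xxx.xxx.0/22 behind Gi0/1
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
NAT_OUTSIDE = {"GigabitEthernet0/2"}                 # only Gi0/2 carries 'ip nat outside'
PBR_HOSTS = {ipaddress.ip_address("10.10.0.60")}     # Backup_Users ACL -> route-map BACK_UP

def build_rib(bgp_up=True, serial_up=True, gi02_up=True):
    """Install, per prefix, the candidate with the lowest AD: {prefix: (AD, next_hop, iface)}."""
    connected = [(OURS, "GigabitEthernet0/1")]
    if serial_up:
        connected.append((MAIN_ISP, "Serial1/0"))
    if gi02_up:
        connected.append((BACKUP, "GigabitEthernet0/2"))
    candidates = [(net, 0, None, iface) for net, iface in connected]
    if bgp_up and serial_up:                          # B* 0.0.0.0/0 [20/1] via .85
        candidates.append((DEFAULT, 20, MAIN_GW, "Serial1/0"))
    # The two floating statics stay only while their next hop is on a connected network.
    for ad, gw in ((80, MAIN_GW), (120, BACKUP_GW)):
        for net, iface in connected:
            if gw in net:
                candidates.append((DEFAULT, ad, gw, iface))
    rib = {}
    for net, ad, gw, iface in candidates:
        if net not in rib or ad < rib[net][0]:
            rib[net] = (ad, gw, iface)
    return rib

def lookup(rib, dst):
    """Longest-prefix match; returns (matched prefix, (AD, next_hop, iface))."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in rib if dst in n), key=lambda n: n.prefixlen)
    return best, rib[best]

def forward(src, dst, **state):
    """Return (exit interface, NAT applied) for a packet arriving on Gi0/1 from an inside host."""
    rib = build_rib(**state)
    net, (_, _, iface) = lookup(rib, dst)
    # 'set ip default next-hop' overrides only when the RIB has no route other than
    # the default, and only while the next hop's interface (Gi0/2) is up.
    if ipaddress.ip_address(src) in PBR_HOSTS and net == DEFAULT and state.get("gi02_up", True):
        iface = "GigabitEthernet0/2"
    return iface, iface in NAT_OUTSIDE
```

One thing the model makes visible: while Serial1/0 is up, the AD 80 static points at the same next hop as the BGP default, so losing only the BGP session does not move ordinary traffic to the NAT'd backup path; only losing the serial link installs the AD 120 route via Gi0/2.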
ASKER
We are not currently multihomed; it's what we are working towards, hence the single neighbor.
That should be done in about a month or so.
So what you are saying is that this secondary connection should be included in my BGP routing table, either as
redistribute connected or redistribute static? I can then manipulate the best route; would that fix my NAT problem?
I see the DS3 as the external facing interface peering with its BGP neighbor but the NAT is not applied to traffic leaving that interface.
According to the configuration above, the nat outside statement is applied to the backup GigE connection. Is this GigE connection to be your backup external connection?
ASKER
Yes, that's correct.
There are 3 connections into the router:
One from the firewall (g0/1)
One for the DS3 (s1/0)
and one for a business cable provider (g0/2)
There is no need to NAT traffic going over the DS3 (primary), but we do need to NAT traffic if it goes over the cable connection.
ASKER CERTIFIED SOLUTION
ASKER
Managed to figure out my problem.
Partly route-map, partly BGP routing.
While Jesper didn't fully solve the issue, her comments did help,
so I'm going to award _jesper the points.
Even with a multi-homed environment, you can still choose a preferred path out with static routes if the outgoing bandwidth is dramatically less than the incoming bandwidth.