Solved

Trouble with NAT entries and route maps for multiple ISPs

Posted on 2011-09-30
201 Views
Last Modified: 2012-05-12
Below is a very simplified config for my edge router. We want one internal host to go out Carrier 1 and the other to go out Carrier 2.

The first translation for 172.20.2.4 does not work properly and users cannot access the internal host from the internet. I can get to it from the 64.1.1.0/27 subnet though. The translation for 172.20.2.3 DOES work properly. This has to be an issue with that route map and that the outbound traffic is trying to exit from Fa0/2. Can you please assist?

NOTE: 10.x.x.x and 159.x.x.x are subnets at a business partner connected via 172.20.15.1

interface FastEthernet0/0
 description B2B Connection
 ip address 172.20.15.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.0.38 255.255.255.248
 ip nat inside
 ip policy route-map INTERNET_ACCESS
!
interface FastEthernet0/2
 description Carrier #2 6Mb to WWW
 ip address 64.1.1.2 255.255.255.224
 ip access-group 104 in
 ip nat outside
!
interface FastEthernet0/4
 description Carrier #1 3Mb to WWW
 ip address 206.1.1.2 255.255.255.224
 ip access-group 103 in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.1.1.1
!
ip nat pool CARRIER1-POOL 206.1.1.10 206.1.1.12 netmask 255.255.255.224
ip nat pool CARRIER2-POOL 64.1.1.10 64.1.1.12 netmask 255.255.255.224
ip nat inside source route-map CARRIER2-MAP pool CARRIER2-POOL overload
ip nat inside source route-map CARRIER1-MAP pool CARRIER1-POOL overload
!
ip nat inside source static tcp 172.20.2.4 80 64.1.1.7 80 extendable
ip nat inside source static tcp 172.20.2.3 80 206.1.1.7 80 extendable
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 206.0.0.7 eq www
access-list 104 permit icmp any any
access-list 104 permit tcp any host 64.1.1.7 eq www
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 206.1.1.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 120
 set ip next-hop 64.1.1.1
!
route-map INTERNET_ACCESS permit 30
 match ip address 130
 set ip next-hop 172.20.15.1
!
route-map CARRIER1-MAP permit 10
 match ip address 100
 match interface Fa0/4
!
route-map CARRIER2-MAP permit 10
 match ip address 100
 match interface Fa0/2

Question by: David Blair
14 Comments
 
LVL 18
Expert Comment by: jmeggers
ACL 110 is all denies.  You need at least one permit statement.  In your case, it should just be a host (source) permit any.  The second ACL would be for the other host source address permit any.
0
 
LVL 1
Author Comment by: David Blair
Thanks for the reply.

ACL 110 identifies traffic heading out via Carrier 1, and I thought permit statements weren't necessary due to the default route for Carrier 1.

Are you suggesting I add a permit statement for 172.20.2.3 to ACL 110?  Please help me understand the reason for that.  Again, 172.20.2.3 is working fine; it's 172.20.2.4 that's giving me the trouble.

Don't the denies just push certain traffic down to the other entries in the route map?

Thanks,
0
 
LVL 26
Expert Comment by: Soulja
Yeah, as set in the config posted, ACL 110 is pretty much useless. The only thing you need to state in it is the traffic you want to permit. After that the implicit deny will take care of the other traffic.
0
 
LVL 26
Expert Comment by: Soulja
172.20.2.3 works because you permit it in ACL 100, but you explicitly deny 2.4 in ACL 110. That is why 2.3 works and 2.4 doesn't.
0
 
LVL 1
Author Comment by: David Blair
That starts to make sense...

But, if I permit 2.4 in ACL 110 won't it set next hop to 206.1.1.1 instead of 64.1.1.1?
0
 
LVL 26
Expert Comment by: Soulja
Hold on a sec, so currently, 2.3 is in fact being route-mapped by which route map?
0
 
LVL 1
Author Comment by: David Blair
That traffic is taking the default route out Carrier 1.
0
 
LVL 26
Expert Comment by: Soulja
Oh okay, so it is working because it isn't using any route-maps.

route-map INTERNET_ACCESS permit 10    serves no purpose. I would remove it.

ACL 120 doesn't need this:

access-list 120 permit tcp any host 172.20.2.4 eq www

Otherwise, I don't see why ACL 120 wouldn't catch 2.4 and route it to 64.1.1.1
0
 
LVL 17
Expert Comment by: rochey2009
Hi,

Is 206.1.1.7 permitted for www in access-list 103?
0
 
LVL 1
Author Comment by: David Blair
Sorry, typo there in the config.  YES, it's in there.  Just didn't fix it properly when I was cleaning the config up for EE.
0
 
LVL 26
Expert Comment by: Soulja
Good catch rochey! Is that a typo author?
0
 
LVL 17
Accepted Solution by: rochey2009 (earned 500 total points)

I think access-list 120 permit tcp host 172.20.2.4 any eq www is incorrect

and should read

access-list 120 permit tcp host 172.20.2.4 eq www any

since it's return traffic sourced by the web server 172.20.2.4


0
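To make the accepted answer concrete (and Soulja's earlier point that an all-deny ACL 110 can never make sequence 10 of the route-map fire), here is an added Python model of how IOS evaluates extended ACLs and a PBR route-map. It is an illustration written for this thread, not code from the question, from Cisco, or from any of the posters; it handles only the subset of ACL syntax the posted config uses, and the ACL lines and route-map sequences inside it are copied from the question. The three sample flows, and the 198.51.100.0/24 client addresses, are constructed for the example: a web reply leaving 172.20.2.4 (source port 80), a LAN host talking to the 10.x partner network, and ordinary LAN browsing.

```python
"""Model of IOS extended-ACL matching and policy-based-routing (PBR) route-map
evaluation.  Added example for this thread, not code from the question or from
Cisco; it covers only the ACL syntax the posted config uses."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"www": 80}  # IOS port keywords; 'www' is the only one used here


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int]  # None means any port
    dport: Optional[int]


def _in_wildcard(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


def _parse_endpoint(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[i] == "any":
        net, wild, i = "0.0.0.0", "255.255.255.255", i + 1
    elif tok[i] == "host":
        net, wild, i = tok[i + 1], "0.0.0.0", i + 2
    else:
        net, wild, i = tok[i], tok[i + 1], i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return net, wild, port, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto = tok[2], tok[3]
    src, src_wild, sport, i = _parse_endpoint(tok, 4)
    dst, dst_wild, dport, _ = _parse_endpoint(tok, i)
    return Ace(action, proto, src, src_wild, dst, dst_wild, sport, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _in_wildcard(pkt.src, ace.src, ace.src_wild)
            and _in_wildcard(pkt.dst, ace.dst, ace.dst_wild)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_permits(aces, pkt) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def pbr_next_hop(route_map, acls, pkt) -> Optional[str]:
    """Walk the permit sequences in order; the first whose ACL permits the
    packet sets the next hop.  An ACL deny or no match falls through to the
    next sequence; None means the packet is routed by the normal table."""
    for _seq, acl_num, next_hop in route_map:
        if acl_permits(acls[acl_num], pkt):
            return next_hop
    return None


ACL120_AS_POSTED = ["access-list 120 permit tcp host 172.20.2.4 any eq www",
                    "access-list 120 permit tcp any host 172.20.2.4 eq www"]
ACL120_FIXED = ["access-list 120 permit tcp host 172.20.2.4 eq www any",
                "access-list 120 permit tcp any host 172.20.2.4 eq www"]
# route-map INTERNET_ACCESS from the question: (sequence, ACL number, next hop)
INTERNET_ACCESS = [(10, 110, "206.1.1.1"), (20, 120, "64.1.1.1"), (30, 130, "172.20.15.1")]


def build_acls(acl120_lines):
    """ACLs 110 and 130 as posted in the question, plus the chosen ACL 120."""
    lines = ["access-list 110 deny tcp host 172.20.2.4 any eq www",
             "access-list 110 deny tcp any host 170.20.2.4 eq www",
             "access-list 110 deny ip any 10.0.0.0 0.255.255.255",
             "access-list 110 deny ip any 159.0.0.0 0.0.255.255",
             *acl120_lines,
             "access-list 130 permit ip any 10.0.0.0 0.255.255.255",
             "access-list 130 permit ip any 159.0.0.0 0.0.255.255"]
    acls = {}
    for ln in lines:
        acls.setdefault(int(ln.split()[1]), []).append(parse_ace(ln))
    return acls


# Constructed sample flows; 198.51.100.0/24 stands in for internet clients.
WEB_REPLY = Packet("tcp", "172.20.2.4", "198.51.100.10", sport=80, dport=51234)
TO_PARTNER = Packet("tcp", "172.20.2.3", "10.20.30.40", sport=40000, dport=22)
LAN_BROWSE = Packet("tcp", "172.20.2.3", "198.51.100.20", sport=40001, dport=443)


def next_hop_for(pkt: Packet, acl120_lines) -> Optional[str]:
    return pbr_next_hop(INTERNET_ACCESS, build_acls(acl120_lines), pkt)


if __name__ == "__main__":
    for name, lines in (("as posted", ACL120_AS_POSTED), ("fixed", ACL120_FIXED)):
        for label, pkt in (("web reply", WEB_REPLY), ("partner", TO_PARTNER), ("browse", LAN_BROWSE)):
            print(f"ACL 120 {name:9s} {label:9s} -> {next_hop_for(pkt, lines) or 'default route'}")
```

With ACL 120 as posted, the reply from the web server has destination port 51234, not 80, so neither line of ACL 120 matches and nothing in ACL 110 or 130 matches either; the reply falls through to the default route and leaves via Carrier 1, even though the 64.1.1.7 static NAT lives on the Carrier 2 side. With the corrected line the source port 80 matches and the reply is sent to 64.1.1.1. One consequence worth knowing: after the fix, sessions that 172.20.2.4 itself opens as a client (source port above 1023) no longer match ACL 120 and take the default route like any other LAN host.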
 
LVL 1
Author Closing Comment by: David Blair
That sure was the problem.  Good eye!
0
 
LVL 17
Expert Comment by: rochey2009
You're welcome.
0
