• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246
  • Last Modified:

Trouble with NAT entries and route maps for multiple ISPs

Below is a very simplified config for my edge router.  We want one internal host to go out Carrier 1 and the other to go our Carrier 2.

The first translation for 172.20.2.4 does not work properly and users cannot access the internal host from the internet.  I can get to it from the 64.1.1.0/27 subnet though.  The translation for 172.20.2.3 DOES work properly.  This has to be an issue with thar route map and that the ourbound traffic is trying to exit from Fa0/2.  Can you please assist?

NOTE:  10.x.x.x and 159.x.x.x are subnets at a busines partner connected via 172.20.15.1
interface FastEthernet0/0
 description B2B Connection
 ip address 172.20.15.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.0.38 255.255.255.248
 ip nat inside
 ip policy route-map INTERNET_ACCESS
!
interface FastEthernet0/2
 description Carrier #2 6Mb to WWW
 ip address 64.1.1.2 255.255.255.224
 ip access-group 104 in
 ip nat outside
!
interface FastEthernet0/4
 description Carrier #1 3Mb to WWW
 ip address 206.1.1.2 255.255.255.224
 ip access-group 103 in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.1.1.1
!
ip nat pool CARRIER1-POOL 206.1.1.10 206.1.1.12 netmask 255.255.255.224
ip nat pool CARRIER2-POOL 64.1.1.10 64.1.1.12 netmask 255.255.255.224
ip nat inside source route-map CARRIER2-MAP pool CARRIER2-POOL overload
ip nat inside source route-map CARRIER1-MAP pool CARRIER1-POOL overload
!
ip nat inside source static tcp 172.20.2.4 80 64.1.1.7 80 extendable
ip nat inside source static tcp 172.20.2.3 80 206.1.1.7 80 extendable
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 206.0.0.7 eq www
access-list 104 permit icmp any any
access-list 104 permit tcp any host 64.1.1.7 eq www
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 206.1.1.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 120
 set ip next-hop 64.1.1.1
!
route-map INTERNET_ACCESS permit 30
 match ip address 130
 set ip next-hop 172.20.15.1
!
route-map CARRIER1-MAP permit 10
 match ip address 100
 match interface Fa0/4
!
route-map CARRIER2-MAP permit 10
 match ip address 100
 match interface Fa0/2

Open in new window

0
David Blair
Asked:
David Blair
  • 5
  • 5
  • 3
  • +1
1 Solution
 
John MeggersNetwork ArchitectCommented:
ACL 110 is all denies.  You need at least one permit statement.  In your case, it should just be a host (source) permit any.  The second ACL would be for the other host source address permit any.
0
 
David BlairAuthor Commented:
Thanks for the reply.

ACL 110 identifies traffic heading out via Carrier 1, and I thought permit statements weren't necessary due to the default route for Carrier 1.

Are you suggesting I add a permit statement for 172.20.2.3 to ACL 110?  Please help me understand the reason for that.  Again, 172.20.2.3 is working fine; it's 172.20.2.4 that's giving me the trouble.

Don't the denies just push certain traffic down to the other entries in the route map.

Thanks,
0
 
SouljaCommented:
Yeah, as set in the config posted. ACL 110 is pretty much useless. The only thing you need to state in it a the traffic you want to permit. After that the implicit deny will take care of the other traffic.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
SouljaCommented:
172.20.2.3 works because you permit it in ACL 100, but you explicitly deny 2.4 in acl 110. That is why 2.3 works and 2.4 doesn't
0
 
David BlairAuthor Commented:
That starts to make sense...

But, if I permit 2.4 in ACL 110 won't it set next hop to 206.1.1.1 instead of 64.1.1.1?
0
 
SouljaCommented:
Hold on a sec, so currently. 2.3 is in fact being route mapped by which router map?
0
 
David BlairAuthor Commented:
That traffic is taking the default route our carrier 1
0
 
SouljaCommented:
Oh okay, so it is working because it isn't using any router-maps.

route-map INTERNET_ACCESS permit 10    servers no purpose. I would remove it.

ACL 120 doesn't need this:

access-list 120 permit tcp any host 172.20.2.4 eq www

Otherwise, I don't see why ACL 120 wouldn't catch 2.4 and route it to 64.1.1.1
0
 
rochey2009Commented:
Hi,

Is 206.1.1.7 permitted for www in access-list 103?
0
 
David BlairAuthor Commented:
Sorry, typo there in the config.  YES, it's in there.  Just didn't fix it properly when I was cleaning the config up for EE.
0
 
SouljaCommented:
Good catch rochey! Is that a typo author?
0
 
rochey2009Commented:

I think access-list 120 permit tcp host 172.20.2.4 any eq www is incorrect

and should read

access-list 120 permit tcp host 172.20.2.4 eq www any

since it's return traffic sourced by the web server 172.20.2.4


0
 
David BlairAuthor Commented:
That sure was the problem.  Good eye!
0
 
rochey2009Commented:
You're welcome.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 5
  • 5
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now