Solved

Trouble with NAT entries and route maps for multiple ISPs

Posted on 2011-09-30
Last Modified: 2012-05-12
Below is a very simplified config for my edge router.  We want one internal host to go out Carrier 1 and the other to go out Carrier 2.

The first translation for 172.20.2.4 does not work properly and users cannot access the internal host from the internet.  I can get to it from the 64.1.1.0/27 subnet though.  The translation for 172.20.2.3 DOES work properly.  This has to be an issue with that route map and that the outbound traffic is trying to exit from Fa0/2.  Can you please assist?

NOTE:  10.x.x.x and 159.x.x.x are subnets at a business partner connected via 172.20.15.1

interface FastEthernet0/0
 description B2B Connection
 ip address 172.20.15.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.0.38 255.255.255.248
 ip nat inside
 ip policy route-map INTERNET_ACCESS
!
interface FastEthernet0/2
 description Carrier #2 6Mb to WWW
 ip address 64.1.1.2 255.255.255.224
 ip access-group 104 in
 ip nat outside
!
interface FastEthernet0/4
 description Carrier #1 3Mb to WWW
 ip address 206.1.1.2 255.255.255.224
 ip access-group 103 in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.1.1.1
!
ip nat pool CARRIER1-POOL 206.1.1.10 206.1.1.12 netmask 255.255.255.224
ip nat pool CARRIER2-POOL 64.1.1.10 64.1.1.12 netmask 255.255.255.224
ip nat inside source route-map CARRIER2-MAP pool CARRIER2-POOL overload
ip nat inside source route-map CARRIER1-MAP pool CARRIER1-POOL overload
!
ip nat inside source static tcp 172.20.2.4 80 64.1.1.7 80 extendable
ip nat inside source static tcp 172.20.2.3 80 206.1.1.7 80 extendable
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 206.0.0.7 eq www
access-list 104 permit icmp any any
access-list 104 permit tcp any host 64.1.1.7 eq www
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 206.1.1.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 120
 set ip next-hop 64.1.1.1
!
route-map INTERNET_ACCESS permit 30
 match ip address 130
 set ip next-hop 172.20.15.1
!
route-map CARRIER1-MAP permit 10
 match ip address 100
 match interface Fa0/4
!
route-map CARRIER2-MAP permit 10
 match ip address 100
 match interface Fa0/2

Question by:David Blair
14 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892903
ACL 110 is all denies.  You need at least one permit statement.  In your case, it should just be a host (source) permit any.  The second ACL would be for the other host source address permit any.
0
 
LVL 1

Author Comment

by:David Blair
ID: 36892976
Thanks for the reply.

ACL 110 identifies traffic heading out via Carrier 1, and I thought permit statements weren't necessary due to the default route for Carrier 1.

Are you suggesting I add a permit statement for 172.20.2.3 to ACL 110?  Please help me understand the reason for that.  Again, 172.20.2.3 is working fine; it's 172.20.2.4 that's giving me the trouble.

Don't the denies just push certain traffic down to the other entries in the route map?

Thanks,
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893226
Yeah, as set in the config posted, ACL 110 is pretty much useless. The only thing you need to state in it is the traffic you want to permit. After that the implicit deny will take care of the other traffic.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893254
172.20.2.3 works because you permit it in ACL 100, but you explicitly deny 2.4 in ACL 110. That is why 2.3 works and 2.4 doesn't.
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893327
That starts to make sense...

But, if I permit 2.4 in ACL 110 won't it set next hop to 206.1.1.1 instead of 64.1.1.1?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893443
Hold on a sec, so currently, 2.3 is in fact being route-mapped by which route map?
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893466
That traffic is taking the default route out Carrier 1.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893813
Oh okay, so it is working because it isn't using any route-maps.

route-map INTERNET_ACCESS permit 10 serves no purpose. I would remove it.

ACL 120 doesn't need this:

access-list 120 permit tcp any host 172.20.2.4 eq www

Otherwise, I don't see why ACL 120 wouldn't catch 2.4 and route it to 64.1.1.1
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36893833
Hi,

Is 206.1.1.7 permitted for www in access-list 103?
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893850
Sorry, typo there in the config.  YES, it's in there.  Just didn't fix it properly when I was cleaning the config up for EE.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893859
Good catch rochey! Is that a typo author?
0
 
LVL 17

Accepted Solution

by:rochey2009 (earned 500 total points)
ID: 36894094

I think access-list 120 permit tcp host 172.20.2.4 any eq www is incorrect

and should read

access-list 120 permit tcp host 172.20.2.4 eq www any

since it's return traffic sourced by the web server 172.20.2.4


0
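A small simulator of the policy-routing decision discussed in this thread, written as an added example (it is not the poster's config or any IOS code): it parses the posted extended ACL lines, evaluates route-map INTERNET_ACCESS top-down with the implicit deny, and shows why the web server's reply traffic falls through to the default route with the original ACL 120 (and why the all-deny ACL 110 can never match), but is sent to 64.1.1.1 with rochey2009's corrected line. The client address 198.51.100.10 and port 51515 are constructed sample values.

```python
import ipaddress

def _addr(t, i):  # Cisco address spec: any | host A | A WILDCARD (inverted netmask)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def _port(t, i):  # optional 'eq <port>' qualifier; IOS writes port 80 as 'www'
    if i < len(t) and t[i] == "eq":
        return (80 if t[i + 1] == "www" else int(t[i + 1])), i + 2
    return None, i

def parse_acl_line(line):  # access-list N permit|deny PROTO SRC [eq P] DST [eq P]
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    return {"acl": t[1], "permit": t[2] == "permit", "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": _port(t, i)[0]}

def load_acls(text):  # {ACL number: entries in IOS top-down order}
    acls = {}
    for e in map(parse_acl_line, text.strip().splitlines()):
        acls.setdefault(e["acl"], []).append(e)
    return acls

def acl_permits(entries, pkt):  # first matching entry decides; no match = implicit deny
    src, sport, dst, dport, proto = pkt
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and e["sport"] in (None, sport) and e["dport"] in (None, dport)):
            return e["permit"]
    return False

def policy_next_hop(route_map, acls, pkt):  # None = no sequence matched: routing table wins
    return next((nh for acl_id, nh in route_map
                 if acl_permits(acls.get(acl_id, []), pkt)), None)
# ACL lines taken from the posted config (ACL 110 contains only denies)
ORIGINAL_ACLS = """access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255"""
# the same ACLs with rochey2009's fix: the server's replies are sourced FROM port 80
FIXED_ACLS = ORIGINAL_ACLS.replace("120 permit tcp host 172.20.2.4 any eq www", "120 permit tcp host 172.20.2.4 eq www any")
# route-map INTERNET_ACCESS sequences 10/20/30 as (match ACL, set ip next-hop)
INTERNET_ACCESS = [("110", "206.1.1.1"), ("120", "64.1.1.1"), ("130", "172.20.15.1")]
SERVER_REPLY = ("172.20.2.4", 80, "198.51.100.10", 51515, "tcp")  # constructed (src, sport, dst, dport, proto)
```

With the original ACL 120 the reply returns None, so it follows the 0.0.0.0/0 default toward Carrier 1 while the inbound request arrived via Carrier 2, which is exactly the asymmetric path the poster saw.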
 
LVL 1

Author Closing Comment

by:David Blair
ID: 36911799
That sure was the problem.  Good eye!
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36911901
You're welcome.
0
